Preserving evidence helps law enforcement identify the perpetrators.
Inform system administrator
If you find a virus or Trojan on your company computer, you should immediately inform your system administrator and disconnect the device from the network.
If you do not report the incident internally, your company is at risk of further damage, which you are usually unable to assess.
Viruses and Trojans can spread from your device to other devices and, for example, forward company data to third parties.
Check system, determine damage
Businesses and individuals should perform a detailed system scan after a virus or Trojan has been detected on their network and determine whether other devices are also affected.
If you do not have the appropriate know-how internally, get external help, e.g. via specialized experts from your anti-virus vendor or a provider specializing in computer forensics.
Pay particular attention to whether the viruses or Trojans have infected systems with sensitive data or services. This includes business and customer data, possible patents or control systems in production.
Do not remove viruses and Trojans on your own!
Do not make any independent attempts to remove the malware at first. Only then is it possible for the police to secure evidence and initiate investigations.
The police experts will give you further recommendations for action and advise you whether additional external experts need to be, or should be, involved.
Secure evidence
Depending on the facts of the case, such as online fraud, other measures are necessary to preserve evidence.
– Make printouts of the order correspondence.
– Save possible chat logs, e.g. via screenshot or take a picture of the screen.
– Back up existing log files, e.g. from the server or browsing history.
– Consult with the police if you are unsure or need general assistance!
NOTE: Please be aware that if you back up child or youth pornographic material, you may be liable to prosecution yourself. In principle, the mere storage of evidence material for the sole purpose of handing it over to the police is not objectionable. However, in any case, consult with the police and, if necessary, with a lawyer beforehand.
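The third point above (back up existing log files) is where an evidence copy is most often spoiled: a file that is copied without recording its hash and timestamps cannot later be shown to be unchanged. The script below is an added example, not part of the original guidance or any police tool. It copies the chosen log files into an evidence folder, records SHA-256, size and original modification time in a manifest, and lets you re-check the copies before hand-over. The log contents, the collector's name placeholder and the folder names are constructed for the demo.

```python
"""Added example: preserve log files with a hash manifest for hand-over.

Copies each log file into an evidence directory (originals are only read),
records SHA-256, size and timestamps in manifest.json, and can later verify
that the copies are still unchanged. Sample log files are constructed inline.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large server logs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(sources, evidence_dir: Path, collector: str) -> dict:
    """Copy files into evidence_dir and write manifest.json describing them."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, sources):
        dest = evidence_dir / src.name
        shutil.copy2(src, dest)          # copy2 preserves the original mtime
        digest = sha256_of(dest)
        if digest != sha256_of(src):     # the copy must match the original
            raise RuntimeError(f"copy of {src} does not match original")
        mtime = datetime.fromtimestamp(src.stat().st_mtime, timezone.utc)
        entries.append({
            "original_path": str(src.resolve()),
            "evidence_copy": dest.name,
            "size_bytes": dest.stat().st_size,
            "original_mtime_utc": mtime.isoformat(),
            "sha256": digest,
        })
    manifest = {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "collected_by": collector,       # placeholder: name of the collecting employee
        "files": entries,
    }
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(evidence_dir: Path) -> list:
    """Return the names of evidence copies whose hash no longer matches the manifest."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return [
        entry["evidence_copy"]
        for entry in manifest["files"]
        if sha256_of(evidence_dir / entry["evidence_copy"]) != entry["sha256"]
    ]


def demo() -> tuple:
    """Build constructed sample logs, preserve them, tamper with one copy, verify."""
    work = Path(tempfile.mkdtemp())
    logs = work / "logs"
    logs.mkdir()
    # Constructed sample log lines (not real data)
    (logs / "access.log").write_text(
        '203.0.113.7 - - [12/Mar/2024:10:14:02 +0000] "GET /login HTTP/1.1" 200 512\n'
        '203.0.113.7 - - [12/Mar/2024:10:14:09 +0000] "POST /login HTTP/1.1" 302 0\n'
    )
    (logs / "auth.log").write_text(
        "Mar 12 10:14:09 host sshd[4321]: Accepted password for backup from 203.0.113.7\n"
    )
    evidence = work / "evidence"
    manifest = preserve_logs([logs / "access.log", logs / "auth.log"], evidence,
                             "[name of collecting employee]")
    clean = verify_evidence(evidence)
    # Simulate an accidental change to one evidence copy after collection
    with (evidence / "auth.log").open("a") as f:
        f.write("edited after collection\n")
    tampered = verify_evidence(evidence)
    shutil.rmtree(work)
    return len(manifest["files"]), clean, tampered


if __name__ == "__main__":
    print(demo())
```

Keep the manifest together with the copies and note who collected them and when; the police can then confirm the hashes against the originals or against the copies you hand over. If possible, run the copy from read-only media or a separate machine so the originals stay untouched.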
Preservation of evidence by the police
Law enforcement agencies are able to preserve evidence in a way that has little or no impact on ongoing business operations at companies. In addition, live analysis of running systems is also possible.
Law enforcement agencies can also secure, on site, evidence that is only accessible via the Internet (email servers, cloud storage, web servers).
Confiscation of servers or computers does not usually take place. The focus is always on ensuring the company’s ability to operate.
Law enforcement agencies are instructed to investigate on a case-by-case basis and only preserve evidence that is directly related to the online crime.
Data protection principles such as data minimisation, purpose limitation and necessity apply to the processing of the data.
Seized evidence is not usually disclosed to other bodies, e.g. the tax office or customs, nor are video or music collections checked for copyright infringements.
After consultation with the injured parties, external IT experts often also help with the preservation of evidence.
Related links
BSI für Bürger: BSI guide to IT forensics (BSI Leitfaden IT-Forensik)
TeleTrust.de information day “IT-Forensik” with helpful PDFs
Polizei-praevention.de: Information on filing a criminal complaint online
Computerstrafrecht.info: What is IT forensics?