Page 217 - CISSO_Prep_ Guide
If the chain of custody has not been preserved for the evidence,
or the evidence has been altered in any improper manner, the
evidence may not be trusted or admissible in the investigation.
First-hand evidence that has been collected by the investigator is
always preferable to secondary evidence such as copies of
evidence or oral reports. Evidence that cannot be directly
verified by the investigator may be rejected as hearsay. The
incident manager should keep a record of any identifiable attack
vectors (IP addresses, user accounts) that were used in the
attack.
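As an added illustration, not taken from the guide, the following Python models the two conditions above: a hash recorded at acquisition that any later copy must match, and a hash-chained custody log in which an edited or deleted entry is detectable. The class, method names and sample data are hypothetical and constructed for this example.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class EvidenceRecord:
    """Chain-of-custody record for one evidence item (hypothetical helper)."""

    def __init__(self, item_id: str, description: str, data: bytes, collector: str):
        self.item_id = item_id
        self.description = description
        # Hash taken at acquisition; every later integrity check compares against it.
        self.acquisition_hash = sha256_hex(data)
        self.log = []
        self.add_entry(collector, "collected")

    def add_entry(self, holder: str, action: str, note: str = "") -> dict:
        # Each entry carries the hash of the previous entry, so editing or deleting
        # an earlier entry breaks the chain and is detected by log_intact().
        prev = self.log[-1]["entry_hash"] if self.log else self.acquisition_hash
        entry = {"holder": holder, "action": action, "note": note,
                 "time": datetime.now(timezone.utc).isoformat(), "prev": prev}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.log.append(entry)
        return entry

    def log_intact(self) -> bool:
        # Walk the chain from the acquisition hash and recompute every entry hash.
        prev = self.acquisition_hash
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            expected = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if entry["prev"] != prev or entry["entry_hash"] != expected:
                return False
            prev = entry["entry_hash"]
        return True

    def evidence_unaltered(self, data: bytes) -> bool:
        # The item presented for examination must hash to the acquisition value.
        return sha256_hex(data) == self.acquisition_hash

    def admissible(self, data: bytes) -> bool:
        # Both conditions from the text: custody preserved and evidence unaltered.
        return self.log_intact() and self.evidence_unaltered(data)
```

A real record would also capture the item's physical location and the reason for each transfer, and the log would be stored separately from the evidence itself.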
Some evidence, such as that requiring advanced digital forensics,
may require the expertise of an outside agency to process, analyze,
and report on it. When dealing with external agencies, care must be
taken to protect the privacy of the data and to agree on the
standards for reporting it and on the handling and transportation of
the evidence. Provisions must also be in place for how to handle the
situation if criminal activity is found during the evidence
processing activity.
Eradication and Recovery
Eradication is the removal of the incident; in the case of a virus,
for example, this means removing the virus. Any damage done by the
incident should be corrected, including backdoors or fake accounts
set up by an attacker. Any vulnerability that allowed the attack to
succeed should be patched, and the system returned to normal
operations. Afterward, the system should be tested for any other
weaknesses before being restored to operation.