- Digital Forensics and Incident Response
- Gerard Johansen
Identification
One principle that is often discussed in forensic science is Locard's exchange principle. This principle postulates that when two objects come into contact, each leaves a trace on the other. For example, if you walk into a house with carpeting, dirt from your shoes is left on the carpet and the carpet leaves fibers on the soles of your shoes. These exchanged traces form the basis of the science of trace evidence in the physical forensics world. In the digital world, we often have very similar trace evidence when two systems come into contact with each other. For example, if an individual browses to a website, the web server or web application firewall may record the individual's IP address in a connection log. The website may also deposit a cookie on the individual's laptop. Just as in the physical world, evidence exchanged in this manner may be temporary, and our ability to observe it may be limited by the tools and knowledge we currently have.
This principle can guide the identification of potential sources of evidence during an incident. For example, if a CSIRT is attempting to determine the root cause of a malware infection on a system, they would start by analyzing the infected system. As some malware requires access to a C2 server, analysts can search firewall connection or proxy logs for any outbound traffic from the infected system to external IP addresses. A review of those connection IP addresses may reveal the C2 server, and potentially more details about the particular malware that has infected the system.
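The log review described above, worked through as an added example (not code from the book): it filters constructed firewall log lines for outbound connections from the suspected host, discards internal destinations, and ranks the remaining external addresses by connection count, flagging evenly spaced connections as possible C2 beaconing. The log format, host addresses and the 5-second regularity tolerance are assumptions made for the example.

```python
import ipaddress
from datetime import datetime

# Constructed sample lines: "timestamp action src dst:port" (not real traffic).
SAMPLE_LOG = """\
2024-01-15T09:00:01 ALLOW 10.0.5.23 10.0.1.10:445
2024-01-15T09:00:05 ALLOW 10.0.5.23 203.0.113.77:443
2024-01-15T09:01:05 ALLOW 10.0.5.23 203.0.113.77:443
2024-01-15T09:01:30 ALLOW 10.0.5.23 198.51.100.9:80
2024-01-15T09:02:05 ALLOW 10.0.5.23 203.0.113.77:443
2024-01-15T09:02:20 ALLOW 10.0.7.8 203.0.113.77:443
2024-01-15T09:03:05 ALLOW 10.0.5.23 203.0.113.77:443
"""

# Address ranges treated as "inside the network" for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

def parse_line(line):
    ts, action, src, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), action, src, dst_ip, int(dst_port)

def external_destinations(log_text, infected_host):
    """Map each external destination IP to the timestamps at which the
    infected host connected to it; internal destinations are skipped."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _action, src, dst_ip, _port = parse_line(line)
        if src != infected_host:
            continue
        if any(ipaddress.ip_address(dst_ip) in net for net in INTERNAL_NETS):
            continue  # lateral/internal traffic is not a C2 candidate here
        hits.setdefault(dst_ip, []).append(ts)
    return hits

def rank_candidates(hits):
    """Return (ip, count, regular) tuples, most-contacted first. 'regular'
    is True when at least three connections are spaced within 5 s of each
    other, a simple heuristic for beaconing worth a closer look."""
    ranked = []
    for ip, stamps in hits.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        regular = len(gaps) >= 2 and max(gaps) - min(gaps) <= 5
        ranked.append((ip, len(stamps), regular))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked
```

A ranked candidate is a lead, not a verdict: the destination still needs to be checked against threat intelligence and the host's own artifacts before it is called the C2 server.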