What Evidence Needs to Be Collected?
When you are onsite to collect evidence of a network intrusion for analysis, it is better to collect more than what might initially be needed. The scope of the investigation can easily expand, and it is much harder to go back later for network logs or computer artifacts that might by then have been overwritten. This is a challenge for those in the law enforcement community who have to work within the scope of the investigation or of search warrants. Below is a list of data sources that could potentially contain evidence of an intrusion.
- Logs: All logs from networking systems should be collected. This list should comprise the previously referenced list of logs. Unless the intrusion occurred as the result of physical access to the machine, traffic at some point passed through a network device going from one system to another carrying intrusion artifacts.
- RAM: The memory of any computer system suspected of being involved in the intrusion should be collected before the system is shut down for imaging. The benefit of analyzing RAM far outweighs the potential to overwrite data during the acquisition phase. If the computer has already been shut down, the RAM can still be collected using tools like Virtual Forensic Computing.
- Hard Drive Images: Images should be taken of any devices suspected of being involved in the intrusion. This includes the mail server that might have propagated the malware to an end user, or the Web server that was compromised to gain backend access to the database residing behind a firewall. If a complete physical image of a certain system is not possible, a logical copy should be obtained. If DHCP is in use at the victim site, the logs from the DHCP server should also always be collected, or at least queried, to determine whether the correct systems are being imaged and analyzed.
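The DHCP point above is easy to get wrong in practice: firewall, proxy or IDS logs identify the suspect machine only by an IP address, and on a DHCP network that address may have belonged to several hosts over the course of a day. The following script is an added example (not tooling from the original article) that reconstructs lease intervals from DHCP server log lines and answers "which MAC and hostname held this IP at this time?" so the right machine is pulled for imaging. The log lines are constructed samples in ISC dhcpd syslog style; the regex, the `year` parameter (syslog omits the year) and the interval rules are this example's own assumptions.

```python
"""Resolve which host held an IP address at a given time from DHCP server logs.

Assumptions (not from the original article): ISC dhcpd syslog format, a caller-
supplied year because syslog timestamps omit it, and these interval rules:
a DHCPACK for a new MAC closes the previous lease on that IP, a DHCPACK for the
same MAC is a renewal, a DHCPRELEASE closes the current lease. Silent lease
expiry is not logged, so an open interval only means "no later event seen";
cross-check against the server's dhcpd.leases file before relying on it.
"""
import re
from datetime import datetime

# Constructed sample DHCP server log: 10.0.5.20 changes hands at 12:41.
SAMPLE_DHCP_LOG = """\
Mar  3 08:01:12 dhcp1 dhcpd: DHCPACK on 10.0.5.20 to 00:11:22:aa:bb:01 (ws-finance-07) via eth0
Mar  3 12:40:55 dhcp1 dhcpd: DHCPRELEASE of 10.0.5.20 from 00:11:22:aa:bb:01 (ws-finance-07) via eth0 (found)
Mar  3 12:41:30 dhcp1 dhcpd: DHCPACK on 10.0.5.20 to 00:11:22:aa:bb:02 (lt-contractor-3) via eth0
Mar  3 14:05:02 dhcp1 dhcpd: DHCPACK on 10.0.5.21 to 00:11:22:aa:bb:03 (ws-hr-02) via eth0
Mar  3 20:41:30 dhcp1 dhcpd: DHCPACK on 10.0.5.20 to 00:11:22:aa:bb:02 (lt-contractor-3) via eth0
"""

LEASE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd: "
    r"(?P<kind>DHCPACK on|DHCPRELEASE of) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?:to|from) (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)


def parse_events(log_text, year):
    """Turn raw dhcpd lines into (time, kind, ip, mac, host) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue  # DISCOVER/OFFER/REQUEST chatter carries no lease decision
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        kind = "ack" if m["kind"].startswith("DHCPACK") else "release"
        events.append((ts, kind, m["ip"], m["mac"].lower(), m["host"] or ""))
    events.sort(key=lambda e: e[0])
    return events


def build_leases(events):
    """Collapse events into per-IP intervals: {ip: [{start, end, mac, host}, ...]}."""
    leases = {}
    for ts, kind, ip, mac, host in events:
        intervals = leases.setdefault(ip, [])
        current = intervals[-1] if intervals and intervals[-1]["end"] is None else None
        if kind == "ack":
            if current and current["mac"] == mac:
                continue  # renewal by the same client: lease continues
            if current:
                current["end"] = ts  # a different client now holds the address
            intervals.append({"start": ts, "end": None, "mac": mac, "host": host})
        elif current and current["mac"] == mac:
            current["end"] = ts  # explicit release by the holder
    return leases


def holder_at(leases, ip, when):
    """Return (mac, hostname) holding `ip` at `when`, or None if unassigned then."""
    for lease in leases.get(ip, []):
        if lease["start"] <= when and (lease["end"] is None or when < lease["end"]):
            return lease["mac"], lease["host"]
    return None


def resolve(log_text, ip, when, year):
    """Convenience wrapper: log text + IP + timestamp -> (mac, host) or None."""
    return holder_at(build_leases(parse_events(log_text, year)), ip, when)


if __name__ == "__main__":
    # An alert names 10.0.5.20 at 13:00; the lease record points at the contractor
    # laptop, not the finance workstation that had the address in the morning.
    print(resolve(SAMPLE_DHCP_LOG, "10.0.5.20", datetime(2024, 3, 3, 13, 0), 2024))
```

The script treats a same-MAC DHCPACK as a renewal rather than a new lease, so a long-lived host shows up as one interval instead of dozens; the gap between a DHCPRELEASE and the next DHCPACK is reported as unassigned, which is itself useful, because an alert timestamp falling in such a gap means the address was either spoofed or statically configured and the DHCP logs cannot attribute it.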
From: Scoping an Intrusion by Mark Wade