This guide, written with law enforcement officers in mind, is a good introduction to incident response. It is full of information and suggestions on securing a potential crime scene and preserving digital evidence.
I don’t specialize in security, but I’ve participated in more than a few investigations, including one with the FBI. This is a great primer on what actions to take before the security specialists arrive on the scene.
The guide stresses four primary principles:
1. No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

2. In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

3. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

4. The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
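Principle 3 asks for a record of every process applied to the evidence that a third party can re-run to the same result, and principle 1 asks that the original data stay untouched. The Python below is an added example of one way to keep such a record; it is not code from the guide or from any forensic tool. The hash-chained JSON layout, the case identifier CASE-0001, the examiner address and the file names are assumptions made for the illustration, and the "evidence" is a constructed byte string rather than real case data.

```python
import copy
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry in a trail


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_hash(entry):
    """Hash of an entry minus its own hash field; deterministic because the
    JSON is emitted with sorted keys."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only record of every process applied to evidence. Each entry
    stores the SHA-256 of the files it read and wrote plus the hash of the
    previous entry, so a reviewer can re-run each step and also detect a
    deleted or edited entry."""

    def __init__(self, case_id, examiner):
        self.case_id = case_id
        self.examiner = examiner
        self.entries = []

    def record(self, action, tool, inputs, outputs, note=""):
        entry = {
            "seq": len(self.entries) + 1,
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "case_id": self.case_id,
            "examiner": self.examiner,
            "action": action,
            "tool": tool,
            "inputs": {p: sha256_file(p) for p in inputs},
            "outputs": {p: sha256_file(p) for p in outputs},
            "note": note,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """What an independent reviewer runs: check the hash chain, then re-hash
        every referenced file and compare it with the recorded digest."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or entry_hash(e) != e["entry_hash"]:
                return False
            for path, digest in {**e["inputs"], **e["outputs"]}.items():
                if not os.path.exists(path) or sha256_file(path) != digest:
                    return False
            prev = e["entry_hash"]
        return True


def demo(workdir=None):
    """Image a constructed evidence file, record the steps, then show that an
    edited log entry and a changed file both fail verification."""
    created = workdir is None
    workdir = workdir or tempfile.mkdtemp(prefix="audit-demo-")
    original = os.path.join(workdir, "seized_usb.bin")  # stand-in for seized media
    image = os.path.join(workdir, "seized_usb.img")     # working copy (hypothetical name)
    with open(original, "wb") as f:
        f.write(b"constructed sample evidence, not real case data\n" * 100)

    trail = AuditTrail(case_id="CASE-0001", examiner="examiner@example.org")  # hypothetical
    # Step 1: bit-for-bit copy. The original is only read; all later work
    # happens on the image, which is what principle 1 requires.
    shutil.copyfile(original, image)
    first = trail.record("acquire_image", "shutil.copyfile", [original], [image],
                         note="hardware write blocker assumed in place")
    # Step 2: a process applied to the copy, recorded the same way.
    trail.record("hash_image", "hashlib.sha256", [image], [],
                 note="confirms image digest matches recorded value")

    results = {"image_hash_matches": first["inputs"][original] == first["outputs"][image],
               "verified": trail.verify()}

    # An edited entry: the recomputed entry hash no longer matches.
    edited = copy.deepcopy(trail)
    edited.entries[0]["note"] = "no write blocker used"
    results["verified_after_log_edit"] = edited.verify()

    # An undocumented change to the image: the recorded digest no longer matches.
    with open(image, "ab") as f:
        f.write(b"\x00")
    results["verified_after_tamper"] = trail.verify()

    if created:
        shutil.rmtree(workdir, ignore_errors=True)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to print the result dictionary. A reviewer who receives the entries and the files can call verify() without anything further from the examiner, which is the "same result" test in principle 3. The chain is only as trustworthy as its storage: in practice the entry hashes, or the whole log, belong on write-once media or under a countersignature, which this example does not provide.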
Other good information on incident response can be found in Organizational Models for Computer Security Incident Response Teams (CSIRTs) and the FIRST Security Reference Index.