Investigating a cyber attack, or even just maintaining IT assets, may uncover evidence against an individual or group. That evidence can contribute toward criminal charges, disciplinary action such as dismissal, or further investigation. To preserve its value, investigators must gather, process, and store it in a way that keeps its integrity demonstrable and its chain of custody documented.
The best evidence is the original itself (the seized device or media), closely followed by a physical, bit-for-bit copy whose hash matches that of the original. Where neither is available, a logical copy (files or folders exported from the volume rather than an image of the whole medium) may still be useful, but it omits unallocated space and slack and cannot be verified against the original by hash; its own hash should still be recorded at the time it is taken.
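Hash verification of an acquired image, as an added example rather than anything from this page: the sample media, the file inside it, and the helper names (hash_stream, verify_copy, acquire_physical_copy, acquire_logical_copy) are all constructed for illustration. The block hashes the original, verifies a bit-for-bit copy against those recorded hashes, shows that a single changed bit in the copy fails verification, and shows why a logical (file-level) copy can never match the media hash even though its own hash is still worth recording.

```python
"""Verify a physical (bit-for-bit) copy against the original media by hash,
and contrast it with a logical copy. Added example; all media contents are
constructed, not real evidence."""
import hashlib
import io
from typing import BinaryIO

# Constructed sample media, standing in for a raw block device or disk image.
# A constructed "file of interest" sits at offset 4096; the rest is slack and
# unallocated space that a logical export would not include.
FILE_OF_INTEREST = b"invoice.xlsx (constructed file contents)"
MEDIA_SIZE = 16384
ORIGINAL_MEDIA = (
    bytes(range(256)) * 16                                   # 4 KiB of sector data
    + FILE_OF_INTEREST
    + b"\x00" * (MEDIA_SIZE - 4096 - len(FILE_OF_INTEREST))  # slack / unallocated
)


def hash_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> dict:
    """Hash a stream in chunks so a multi-terabyte device never has to fit in
    memory. Forensic tools usually record more than one algorithm; MD5 and
    SHA-256 are used here, together with the byte count."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    while chunk := stream.read(chunk_size):
        md5.update(chunk)
        sha256.update(chunk)
        size += len(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "size": size}


def hash_bytes(data: bytes) -> dict:
    return hash_stream(io.BytesIO(data))


def acquire_physical_copy(original: bytes) -> bytes:
    """Stand-in for an imaging tool: a bit-for-bit copy of the whole medium."""
    return bytes(original)


def acquire_logical_copy(original: bytes) -> bytes:
    """Stand-in for a file-level export: only the file's bytes, with no slack,
    unallocated space, or file-system metadata."""
    start = 4096
    return original[start:start + len(FILE_OF_INTEREST)]


def verify_copy(original_hashes: dict, copy: bytes) -> dict:
    """Compare the hashes recorded at acquisition with a copy's hashes.
    Both hash sets are returned so they can go into the custody record."""
    copy_hashes = hash_bytes(copy)
    verified = all(
        copy_hashes[k] == original_hashes[k] for k in ("md5", "sha256", "size")
    )
    return {"verified": verified, "original": original_hashes, "copy": copy_hashes}


def demo() -> dict:
    # Hashes recorded once, at acquisition, from the write-protected original.
    original_hashes = hash_bytes(ORIGINAL_MEDIA)

    physical = acquire_physical_copy(ORIGINAL_MEDIA)
    tampered = bytearray(physical)
    tampered[10000] ^= 0x01          # one bit altered after acquisition
    logical = acquire_logical_copy(ORIGINAL_MEDIA)

    return {
        "physical": verify_copy(original_hashes, physical)["verified"],
        "tampered": verify_copy(original_hashes, bytes(tampered))["verified"],
        "logical": verify_copy(original_hashes, logical)["verified"],
        # A logical copy fails media verification but still gets its own hash.
        "logical_file_hash": hash_bytes(logical)["sha256"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In practice the original is hashed through a write blocker before and after imaging, and both the acquisition hash and each later verification are written into the chain-of-custody record with who performed them and when; a mismatch at any point is what a court or opposing expert will ask about.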
Evidence that relates directly to the incident can be corroborated by supporting evidence: material showing a threat actor's capability or motive, or showing that the tools or assets involved belonged to them. Together this helps attribute the incident to that individual.