  • Essay / Overview of the IT security incident response process

    An incident is any event occurring in an information system or network whose results are abnormal [1], that is, a situation that differs from normal routine operations. Many causes can lead to an incident. Depending on their significance, findings can generally be classified into three classes: low impact incidents, moderate risk incidents and high risk exposure incidents. When an incident occurs, an organization takes certain measures to deal with the abnormal results; these steps are known as the incident response process.

    The level of response is determined primarily by the criticality of the information involved and by business decisions. The objectives of an incident response process can be summarized as follows: confirm and resolve the incident; protect and secure evidence; mitigate its impact; and provide reports and recommendations. How incident response is carried out in practice depends on hardware and software architectures, budget, manpower, resources and commitment.

    When a suspected incident is discovered and characterized, the initial response comes into play. As a cyber first responder, it is your responsibility to do everything possible to limit damage and loss of evidence, because evidence can be tampered with or destroyed over time; all evidence must be collected forensically and protected properly. Protecting and securing evidence is therefore an essential step of the initial response and plays an important role in the whole incident response process.

    First, the suspect must be removed from the company's email domain and network domain. The system administrator revokes all access to all systems and resources, disables and resets every password the suspect has used before, and revokes the suspect's access to data storage.

    Secondly, a full backup should be taken of each disk configured on the laptop in case of any security issues, and the backup must be encrypted. All emails and internet browser history should also be backed up and encrypted, so that unauthorized people do not have access to this information. Next, turn off all wired and wireless Internet connections to prevent remote control; access to the local network is allowed. Recovery is also required to restore destroyed or lost data, and antivirus software should be run to remove any potential malware. Booting from a CD or USB stick is disabled to prevent damage to boot evidence. Meanwhile, the laptop hardware should be encrypted to prevent unwanted access and data damage. The laptop should then be investigated thoroughly.

    After all security checks and protective actions have been carried out, the evidence is transported to the organization, where physical security of the evidence laptop is also required. It is important to protect evidence from tampering and from extreme temperatures, humidity, magnetic fields and vibration. In practice, place the laptop in an anti-static bag with foam packing material, then store it in a cardboard box. All evidence must be properly stored in a.
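    The essay stresses that evidence can be tampered with or destroyed over time and must be protected properly. One concrete way a first responder does this for the disk backups and exports described above is to seal the collected files with a hash manifest at collection time and re-verify it whenever the evidence changes hands. The script below is an added example written for this page, not code from the original essay; the manifest layout (`case_id`, `collected_by`, `files`) is a hypothetical format, and the evidence files in `demo()` are constructed stand-ins for a disk image, a mailbox export and a browser-history database.

```python
"""Seal and re-verify an incident-response evidence set with SHA-256 hashes.

Added example for this essay (hypothetical manifest format). The evidence
files are assumed to have already been collected into one directory, e.g.
the encrypted disk backups, mailbox export and browser history mentioned in
the text. The manifest itself is kept outside that directory.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path

CHUNK = 1024 * 1024  # stream files in 1 MiB chunks so disk images fit in memory


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, streamed chunk by chunk."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, case_id: str, collector: str) -> dict:
    """Record size and SHA-256 of every file under evidence_dir (hypothetical layout)."""
    entries = {}
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(evidence_dir).as_posix()
            entries[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return {
        "case_id": case_id,
        "collected_by": collector,
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "files": entries,
    }


def verify_manifest(evidence_dir: Path, manifest: dict) -> dict:
    """Compare the directory against a manifest.

    Returns {relative_path: "ok" | "modified" | "missing" | "unexpected"};
    "unexpected" marks a file on disk that the manifest never recorded.
    """
    result = {}
    seen = set()
    for rel, rec in manifest["files"].items():
        seen.add(rel)
        p = evidence_dir / rel
        if not p.is_file():
            result[rel] = "missing"
        elif p.stat().st_size != rec["size"] or sha256_file(p) != rec["sha256"]:
            result[rel] = "modified"
        else:
            result[rel] = "ok"
    for p in evidence_dir.rglob("*"):
        if p.is_file():
            rel = p.relative_to(evidence_dir).as_posix()
            if rel not in seen:
                result[rel] = "unexpected"
    return result


def demo() -> dict:
    """Constructed scenario: seal three evidence files, then detect tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp)
        # Constructed sample evidence, stand-ins for a disk image and two exports.
        (ev / "laptop_disk0.img").write_bytes(b"\x00" * 4096 + b"boot sector stand-in")
        (ev / "mailbox_export.pst").write_bytes(b"constructed mailbox export")
        (ev / "browser_history.sqlite").write_bytes(b"constructed browser history")

        manifest = build_manifest(ev, "CASE-EXAMPLE-001", "first responder (example)")
        # Serialize as the responder would, then reload it as a later verifier would.
        reloaded = json.loads(json.dumps(manifest, indent=2))
        before = verify_manifest(ev, reloaded)

        # Simulate mishandling: one file altered, one removed, one added.
        with (ev / "browser_history.sqlite").open("ab") as f:
            f.write(b"\x00")
        (ev / "mailbox_export.pst").unlink()
        (ev / "notes.txt").write_text("stray file that was never sealed")
        after = verify_manifest(ev, reloaded)

    return {"before": before, "after": after, "sealed": sorted(manifest["files"])}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    Run the manifest build immediately after collection and store the JSON with the chain-of-custody paperwork rather than next to the evidence; a later `verify_manifest` run that reports anything other than `ok` for every file shows that the set was altered, lost or added to in transit or storage.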