The IT industry’s crimes are rapidly growing today, so IT security experts must clearly understand that and why an attack on his network / service / resource has taken place. Also, special attention should be given to all these incidents, in order to prevent them as quickly as possible, and to protect the organization so that they no longer appear. It is very important to observe all the legal requirements for the investigation of IT crimes. It is necessary that after the crime investigation they can safely serve in court for full evidence. Consequently, any loophole or lack of information may be an obstacle for them not to be tried by a court or other law enforcement authority. The IT security specialist should understand that it could be used not only in hard disk data but also from network connection for journal entries, human (user) audit trails, IS connections. In addition, IT should be mentioned here, in its investigation and evidence collection, systems developers or service providers, as they often have access to real IS data (which would not be the principles of good practice). Also, as an example the OS Administrator would not be able to perform, without audit trails, any past operations with the database, for example, to make changes to the tables, also to copy, delete or migrate the database.