
Evidence Preservation

Evidence preservation is the practice of protecting logs, files, system state, and other artifacts so they remain available and trustworthy for investigation. It matters because important evidence can disappear quickly during live incidents.

What is Evidence Preservation?

Evidence preservation involves capturing and protecting relevant artifacts before they are overwritten, deleted, rotated, or changed by normal operations or attacker behavior. This often includes volatile data, system logs, memory, account activity, and cloud audit trails.

What Evidence Preservation Commonly Includes

Common actions include isolating affected systems carefully, exporting logs, capturing memory where needed, preserving timestamps, copying artifacts safely, and controlling access to collected data.
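As an added illustration (not part of the glossary entry), the following Python script shows the copy, hash, lock and record sequence the actions above describe: it copies artifacts with their original timestamps, hashes each file before and after the copy, makes the copies read-only, writes a collection manifest naming the collector, and re-checks the copies later. The sample log line, collector name, timestamp and directory layout are constructed; the assumption that artifact basenames are unique is noted in the code.

```python
import hashlib, json, os, shutil, stat, tempfile, time
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:                 # stream so large artifacts need not fit in RAM
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_artifacts(sources, dest_dir, collector):
    """Copy files into dest_dir keeping timestamps, hash before and after, lock the
    copies read-only and record who collected what, and when, in a JSON manifest."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, sources):
        st, before = src.stat(), sha256_file(src)
        target = dest / src.name                # assumption: artifact basenames are unique
        shutil.copy2(src, target)               # copy2 also carries over mtime/atime
        if sha256_file(target) != before:
            raise RuntimeError(f"copy of {src} does not match its source hash")
        os.chmod(target, stat.S_IRUSR)          # owner read-only: no accidental edits
        entries.append({"name": src.name, "source": str(src), "sha256": before,
                        "size": st.st_size, "mtime": st.st_mtime,
                        "collected_at": time.time(), "collected_by": collector})
    manifest = {"entries": entries}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_preserved(dest_dir):
    """Re-hash every preserved copy; return the names whose content changed."""
    dest = Path(dest_dir)
    manifest = json.loads((dest / "manifest.json").read_text())
    return [e["name"] for e in manifest["entries"]
            if sha256_file(dest / e["name"]) != e["sha256"]]

def demo():
    """Constructed walkthrough: preserve a sample log, verify, tamper, verify again."""
    log = Path(tempfile.mkdtemp()) / "auth.log"   # constructed sample artifact
    log.write_text("Jan 10 03:14:07 host sshd[812]: Accepted password for svc from 10.0.0.5\n")
    os.utime(log, (1700000000, 1700000000))     # constructed original timestamp
    evidence = log.parent / "evidence"
    preserve_artifacts([log], evidence, collector="analyst-1")
    copy = evidence / "auth.log"
    mtime_kept = int(copy.stat().st_mtime) == 1700000000
    clean = verify_preserved(evidence)          # nothing changed yet -> []
    os.chmod(copy, 0o600)                       # simulate someone editing the copy
    copy.write_text("edited after collection\n")
    return mtime_kept, clean, verify_preserved(evidence)
```

The manifest hashes are what a later reviewer compares against, so the manifest itself should be stored somewhere the people with write access to the copies cannot reach.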

Evidence Preservation vs. Remediation

Remediation fixes the problem. Evidence preservation protects the information needed to understand what happened before cleanup destroys that context.

Frequently Asked Questions

Why is evidence preservation important?

Because once key artifacts are lost, teams may never fully understand attacker access, scope, or impact.

Should teams preserve everything?

Not blindly. They should preserve what is relevant and important while balancing business urgency, legal needs, and operational constraints.
