Preservation of Evidence
What is Preservation of Evidence?
Preservation of EvidenceThe forensic discipline of protecting digital evidence from alteration, loss, or contamination so it remains admissible and reliable throughout an investigation.
Preservation of evidence ensures that data identified as potentially relevant retains its original state from collection to courtroom. Practitioners isolate sources, halt destructive processes, suspend log rotation, place legal holds, and use write blockers when imaging storage. Each item is hashed (MD5, SHA-256) at acquisition and re-verified later to prove integrity, while a chain of custody documents handlers, locations, and access times. Volatile evidence such as RAM, ARP caches, and active network connections is captured first because it disappears at shutdown. NIST SP 800-86, ISO/IEC 27037, and ACPO Good Practice Guidelines codify these procedures and emphasize minimizing changes to source media.
● Examples
- 01
Issuing a legal hold to stop the rotation of mailbox audit logs while an insider investigation begins.
- 02
Capturing volatile memory with WinPmem before powering down a suspected ransomware-infected server.
● Frequently asked questions
What is Preservation of Evidence?
The forensic discipline of protecting digital evidence from alteration, loss, or contamination so it remains admissible and reliable throughout an investigation. It belongs to the Forensics & IR category of cybersecurity.
What does Preservation of Evidence mean?
The forensic discipline of protecting digital evidence from alteration, loss, or contamination so it remains admissible and reliable throughout an investigation.
How do you defend against Preservation of Evidence?
Defences for Preservation of Evidence typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Preservation of Evidence?
Common alternative names include: Evidence preservation, Forensic preservation.