< 24 hours
critical window for volatile evidence capture before memory is lost on shutdown and log retention policies begin overwriting events
SHA-256
hash algorithm used to verify forensic image integrity, proving a disk image is a bit-for-bit copy with no post-collection modification
7 days
default Entra ID free tier sign-in log retention, after which logs are permanently deleted without a legal hold or export in place
90 days
default AWS CloudTrail event history retention before logs expire, requiring immediate archival to WORM storage during legal hold

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Security incidents increasingly become legal matters. Ransomware triggers cyber insurance claims that underwriters may dispute. Data breaches trigger regulatory investigations and class action litigation. Insider threats result in civil termination disputes or criminal prosecution. In each scenario, the security team's incident response activities become a source of evidence — and evidence that is collected improperly, modified during analysis, or destroyed by normal retention policies can be challenged, excluded, or used against the organization.

Most security teams are not forensic examiners or attorneys, but they are often the first to touch evidence that will later matter in legal proceedings. This guide covers what to do in the first 24 hours to protect evidence integrity, how to implement legal holds that suspend retention policies, and how to coordinate with legal counsel in ways that preserve attorney-client privilege over the investigation findings.

First-hour evidence preservation workflow

The first hour of an incident determines what evidence survives for later legal or regulatory review. Volatile data — running memory, active network connections, and short-lived log buffers — disappears permanently on system reboot or within hours as retention windows roll over. Responders must work in a strict priority order: capture live memory with tools like Magnet RAM Capture or winpmem before touching anything else, then triage live system state using Velociraptor or KAPE, and finally export cloud and SIEM logs before automated deletion policies fire. Each step must be documented with timestamps and hash values to establish the chain of custody that makes the evidence usable in litigation.

Volatile memory capture: do this before anything else

Running process memory contains artifacts not on disk: decrypted encryption keys, injected code, command-and-control traffic in transit, and credentials loaded from LSASS. Capture with a memory acquisition tool: on Windows, use Magnet RAM Capture (free), winpmem (free), or FTK Imager (free); on Linux, use LiME (Linux Memory Extractor) as a loadable kernel module. Run from a USB-attached tool to avoid contaminating the suspect system with tool artifacts. Calculate and document the SHA-256 hash of the memory image immediately after capture. Time and analyst name go on the chain of custody form at collection.

Live system triage: capture state before shutdown or imaging

Before taking the system offline for imaging, capture live state that changes on shutdown. Using a trusted live response tool (Velociraptor agent, Kroll Artifact Parser and Extractor, or CyLR): collect running processes with command lines and parent PIDs, all network connections (netstat -ano on Windows, ss -antp on Linux), logged-in users (query session /server:localhost, last, who), DNS cache (ipconfig /displaydns on Windows, nscd -g on Linux), ARP cache (arp -a), and Windows prefetch files (execution evidence). Store all output in a timestamped evidence folder. If time allows, collect Windows Event Logs (Security, System, Application, PowerShell Operational) as EVTX exports before the rolling buffer overwrites.

Log archiving: export before retention deletion

Cloud audit logs with default retention: AWS CloudTrail (90 days for trail logs, 7 days for event history), Entra ID sign-in logs (30 days P1/P2, 7 days free), Okta system log API (90 days). Export relevant logs immediately to a separate archive: for AWS, use athena queries against CloudTrail Lake or S3-based trail, export as Parquet or JSON. For Entra ID, use the Graph API to export sign-in logs: GET /auditLogs/signIns?$filter=createdDateTime ge 2026-07-09. For Okta: GET /api/v1/logs?since=2026-07-09T00:00:00Z&until=2026-07-10T23:59:59Z with pagination. Store exports in a WORM-enabled S3 bucket or immutable Azure Blob container to prevent modification. Calculate file hashes for all exports.

Legal hold implementation

A legal hold is the formal process of suspending automated retention and deletion policies so that potentially relevant evidence is not destroyed while litigation or regulatory investigation is pending. The hold must be initiated by or in coordination with legal counsel to preserve attorney-client privilege over subsequent investigation activities. Practitioners must act quickly across three fronts: notifying legal counsel before taking significant IR actions, issuing written hold notices to custodians and IT administrators, and technically implementing immutable storage for cloud logs using S3 Object Lock, Microsoft Purview eDiscovery holds, or Google Vault. Each action must be documented with delivery confirmation and timestamps.

Notify legal counsel immediately

The legal hold workflow starts with legal counsel notification, not with IT action. Contact your in-house counsel or external incident response legal counsel immediately when the incident threshold is crossed. Legal counsel determines whether a legal hold is warranted, which preserves attorney-client privilege over subsequent communications. Do not send emails about incident details to the executive team, communications team, or board before consulting legal counsel — broad distribution of incident details before legal involvement can waive privilege. Use a separate, restricted email distribution for incident communications.

Issue hold notices to custodians and IT systems

A legal hold notice instructs identified custodians (employees with relevant data) and IT administrators (managing relevant systems) to preserve all potentially relevant information and suspend normal retention or deletion processes. Custodian notices: inform affected employees that they must preserve all emails, documents, and communications related to the incident and may not delete, destroy, or alter any potentially relevant records. IT notices: inform administrators managing email, cloud storage, SIEM, EDR, and network infrastructure to disable any automated deletion rules for data relevant to the hold period. Document all notices with delivery confirmation and receipt acknowledgment.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Forensic imaging and chain of custody

Forensic disk images and the chain of custody records that accompany them are the foundation of legally admissible digital evidence. A forensically sound image is created using a write blocker to prevent any modification to the source drive, then verified with MD5 and SHA-256 hashes that prove the image is a bit-for-bit copy. Tools commonly used include FTK Imager for Windows physical drives, dc3dd for Linux environments, and AWS EBS snapshots for cloud instances. Every action taken with the evidence after collection must be recorded: who accessed the image, when, for what purpose, and where it was stored. A break in chain of custody documentation can make otherwise solid evidence inadmissible.

Disk imaging with write blocker and hash verification

For physical systems: connect a hardware write blocker between the evidence drive and your imaging workstation. Image to E01 format with FTK Imager: File > Create Disk Image > Physical Drive > E01 format, enable MD5 and SHA-1 verification. The imager calculates source hash before imaging and image hash after, and records both in the case summary. For virtual machines in AWS: create an EBS snapshot before any analysis: aws ec2 create-snapshot --volume-id vol-xxxx --description 'Incident evidence - legal hold - 2026-07-10'. Tag the snapshot with IncidentID and LegalHold:true. Do not terminate or modify the original instance until the snapshot is confirmed complete.

Chain of custody documentation template

For each evidence item, document: unique evidence ID (e.g., INC-2026-0710-E001), description (e.g., 'Forensic image of server01 C: drive'), collection date and time, collector name and role, collection method and tool version, MD5 and SHA-256 hashes of the original and image, storage location (locked cabinet, WORM bucket ARN, or evidence locker ID), and every person who subsequently accessed the evidence with date, purpose, and their signature. Use an evidence management system (Magnet Automate, X-Ways Case Management, or a controlled spreadsheet with access logging) to centralize all chain of custody records for the incident.

The bottom line

Evidence preservation is time-critical and sequence-dependent: volatile memory first, log archiving before retention deletes, then forensic imaging of affected systems. Establish attorney-client privilege by involving legal counsel before significant investigation activity and before broad internal communication. Implement legal holds immediately when the incident threshold is crossed, suspending automated retention and deletion before evidence is lost. Document chain of custody for every artifact from first collection through final disposition. The investment in proper evidence preservation pays off when cyber insurance claims are processed, regulatory investigators review your incident response, or criminal prosecution proceeds against an insider threat — in each scenario, properly preserved evidence is your most powerful asset.

Frequently asked questions

When should I implement a legal hold for a security incident?

Implement a legal hold immediately when: you discover evidence of deliberate unauthorized access (insider threat, external attacker with specific targeting), the incident likely triggers mandatory regulatory reporting (HIPAA breach, GDPR breach, SEC 8-K), you receive a litigation hold letter from opposing counsel in an ongoing legal matter, or you receive a law enforcement request or subpoena. For incidents that are clearly accidental (misconfigured storage bucket briefly public with no evidence of access, employee error with no downstream harm), a legal hold may not be required but consult with legal counsel before deciding. When in doubt, preserve first and scope down later — spoliation sanctions for destroying evidence that should have been preserved are severe.

What logs and artifacts should I preserve immediately in the first hour?

Volatile data (lost on shutdown or within hours): running process list, network connections, logged-in users, ARP cache, routing tables, clipboard contents. Collect via memory dump and live response tools (Velociraptor, FTK Imager, winpmem) before anything else. Log data (deleted by retention policies): Security Event Log on affected Windows systems (default 20MB rolling buffer, can be overwritten in hours on busy DCs), EDR telemetry (varies by vendor retention tier), SIEM events, cloud provider logs (AWS CloudTrail default 90-day retention, Entra ID sign-in logs 30 days on premium, 7 days free). VPN, proxy, firewall, and DNS logs often have shorter retention than you expect. Collect and archive externally immediately.

How do I create a forensic disk image that is legally defensible?

Use a write blocker (hardware: Tableau T35u or Wiebetech Forensic UltraDock; software: Linux write-protect mount or FTK Imager) to prevent modification of the original evidence during imaging. Image to a forensic container format: E01 (EnCase Expert Witness), AFF4, or raw DD with MD5 and SHA-256 hash verification. Command for raw image with hashing: dc3dd if=/dev/sda hash=md5 hash=sha256 hlog=hashes.txt | dc3dd of=image.dd. Calculate the hash of the source before imaging and the resulting image after, and document both in the chain of custody form. The hash match proves the image is a bit-for-bit copy with no modification. Store the original evidence separately from the working copy.

What is chain of custody and how do I document it properly?

Chain of custody is an unbroken record of who handled evidence, when, and what they did with it. For each piece of evidence (system, disk image, log file export, memory dump): create an evidence label with a unique identifier, date/time of collection, collector name, and MD5/SHA-256 hash. Log every transfer: when evidence moves from one person to another or one location to another, both parties sign the chain of custody form with timestamps. Store evidence in a secure, access-controlled location with a sign-out log. Digital evidence: use a write-once evidence repository (evidence management system or WORM storage) to store all artifacts. The chain of custody form must be maintained even for digital evidence: who copied the image to the repository, who accessed it for analysis, and when.

How does attorney-client privilege apply to security incident investigations?

Communications between a company and its attorneys are privileged from compelled disclosure in litigation. For incident response, attorney-client privilege can protect investigation findings if the investigation is conducted at the attorney's direction, for the purpose of providing legal advice. To establish privilege: involve legal counsel immediately when the incident may lead to litigation, have legal counsel formally retain the forensic firm or IR team (not IT), and label all investigative communications 'Privileged and Confidential - Attorney-Client Communication.' Work product doctrine can additionally protect the IR report itself if created in anticipation of litigation. Privilege is not absolute and can be waived by disclosure to non-privileged parties, so control the distribution of incident findings carefully.

How do I implement a legal hold on cloud service logs that would otherwise be deleted by retention policies?

Each cloud provider has a different mechanism. AWS: use S3 Object Lock (WORM) on the S3 bucket where CloudTrail logs are stored — enable Compliance mode to prevent deletion by anyone including root user, set retention for the expected litigation hold period. Entra ID: use the Microsoft Purview Compliance portal's eDiscovery legal hold to preserve content in Exchange, SharePoint, and Teams for specific custodians or queries. Google Workspace: use Google Vault to place a legal hold on specific users' data across Gmail, Drive, and Chat. For SIEM logs: export to a separate immutable storage location before the SIEM's rolling retention window deletes them. Document all holds with the specific retention period, custodian list, and the triggering event, reviewed and renewed if the hold duration exceeds the initial estimate.

When do I need to call law enforcement and how does it affect evidence handling?

Contact law enforcement (FBI Cyber Division, local USSS Electronic Crimes Task Force) when: you have evidence of federal crimes (CFAA violations, financial fraud with interstate commerce), the attacker may be a nation-state actor (significant targeting indicators, sector-specific TTPs), or your industry has mandatory law enforcement reporting requirements. Law enforcement involvement changes your evidence handling: law enforcement may request that you not take remediation steps on affected systems (they prefer to observe the attacker in real time to build a criminal case), which may conflict with your obligation to stop the breach. Coordinate with legal counsel before committing to any law enforcement requests that would delay remediation. Law enforcement can also issue a 2703(f) preservation letter to cloud providers to preserve data that the company itself cannot access.

Sources & references

  1. NIST SP 800-86: Guide to Integrating Forensic Techniques into Incident Response
  2. SANS Digital Forensics and Incident Response
  3. DOJ Cybercrime Prosecutorial Guidelines
  4. FRE Rule 902: Self-Authentication of Electronic Records

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.