Are evidence preservation procedures documented (snapshots, log exports, custody chain) so forensics is possible afterwards?
Description
What this control does
This control ensures the organization has documented, repeatable procedures for preserving digital evidence during and after security incidents. It covers creating forensic images or snapshots of affected systems, exporting and securing relevant logs before rotation or deletion, and maintaining a documented chain of custody for all collected evidence. These procedures enable post-incident forensic analysis, regulatory compliance, potential legal proceedings, and lessons-learned activities by preventing evidence spoliation or contamination.
Control objective
What auditing this proves
Demonstrate that documented procedures exist and are operational for preserving digital evidence—including system snapshots, log exports, and chain-of-custody records—such that forensic investigation remains viable after security incidents.
Associated risks
Risks this control addresses
- Evidence destruction or overwriting due to system operation, log rotation, or remediation activities performed before forensic capture
- Inadmissibility of digital evidence in legal proceedings due to broken or undocumented chain of custody
- Inability to determine root cause, attacker tactics, or scope of compromise when forensic artifacts are not preserved
- Regulatory or contractual non-compliance when incident response obligations require forensic evidence retention
- Contamination of evidence through improper handling, modification of timestamps, or use of non-forensically-sound collection methods
- Loss of ephemeral data such as memory contents, volatile system state, or short-retention logs that cannot be reconstructed
- Insufficient evidence to support insurance claims, breach notification determinations, or third-party liability assessments
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's documented evidence preservation procedures, including policies, runbooks, or incident response playbooks addressing forensic collection.
- Verify the procedures explicitly cover system snapshots or forensic imaging, log export and archival, and chain-of-custody documentation requirements.
- Identify the tools and technologies referenced in the procedures for creating forensic images (e.g., disk imaging utilities, VM snapshot capabilities, memory capture tools).
- Review log export and retention configurations to confirm logs identified as forensically relevant are exported and preserved outside production systems prior to rotation.
- Examine chain-of-custody templates or forms to confirm they capture date/time, custodian identity, handling actions, storage location, and transfer records.
- Select a sample of past security incidents and request evidence preservation records, including snapshots, log exports, and completed chain-of-custody logs for each.
- Interview incident response or forensics personnel to confirm they are trained on and have access to the documented procedures and required tools.
- Test a simulated evidence preservation scenario by requesting a snapshot and a log export of a test system, then verify that the chain-of-custody documentation is completed as prescribed.
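As an added example (not part of this control text), the following Python ledger records the chain-of-custody fields the testing procedure checks for (date/time, custodian identity, handling action, storage location, transfer) together with a SHA-256 fingerprint of each preserved artifact, and hash-chains the records so an auditor can detect an altered record or a snapshot/log export that changed after collection. The artifact names, custodians and storage locations are constructed sample values.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first record in a ledger

class CustodyLedger:
    def __init__(self):
        self.entries = []  # hash-chained chain-of-custody records, oldest first

    def record(self, artifact_id, artifact, custodian, action, location, when, transfer_to=None):
        # One entry per handling event: date/time, custodian identity, action, storage location, transfer.
        entry = {
            "artifact_id": artifact_id,
            "artifact_sha256": hashlib.sha256(artifact).hexdigest(),  # fingerprint of the snapshot/log export
            "custodian": custodian,
            "action": action,
            "storage_location": location,
            "transfer_to": transfer_to,
            "timestamp": when,  # UTC, ISO 8601
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self, artifacts):
        """Return problems found; an empty list means the records and the artifacts are intact."""
        problems, prev = [], GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["entry_hash"]:
                problems.append(f"entry {i}: custody record altered or chain broken")
            data = artifacts.get(e["artifact_id"])
            if data is not None and hashlib.sha256(data).hexdigest() != e["artifact_sha256"]:
                problems.append(f"entry {i}: {e['artifact_id']} changed since collection")
            prev = e["entry_hash"]
        return problems

def demo_ledger():
    # Constructed sample evidence standing in for an exported auth log and a VM snapshot.
    artifacts = {"srv01-auth.log": b"Jan 10 03:14:07 srv01 sshd[412]: Accepted publickey for ops\n",
                 "srv01-disk.img": bytes(range(64))}
    ledger = CustodyLedger()
    ledger.record("srv01-auth.log", artifacts["srv01-auth.log"], "a.analyst",
                  "exported prior to rotation", "evidence-vault/case-0001", "2024-01-10T04:00:00Z")
    ledger.record("srv01-disk.img", artifacts["srv01-disk.img"], "a.analyst",
                  "snapshot captured", "evidence-vault/case-0001", "2024-01-10T04:10:00Z")
    ledger.record("srv01-disk.img", artifacts["srv01-disk.img"], "a.analyst", "handed to forensics",
                  "forensics-lab/locker-7", "2024-01-11T09:00:00Z", transfer_to="b.forensics")
    return ledger, artifacts
```

Running `demo_ledger()` and then `verify()` against the same artifacts returns an empty list; re-running it after a log file or a custody record has been modified names the affected entry.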