Preserving Evidence During a Breach: A Do-Not-Break-This Checklist for Executives

Your phone rings. Someone says, “We think we’ve been breached.” In the next ten minutes, you’ll feel the pull to “fix it fast,” to secure your systems. Reset passwords. Rebuild a server. Ask a vendor to clean things up.

That instinct is human. It’s also how organizations accidentally erase the very proof they’ll need to understand the data breach, meet insurance and legal requirements, and protect clients and partners.

Preserving evidence is not about slowing down response. It’s about keeping options open while you contain harm. This memo gives you a practical, do-not-break-this checklist for preserving evidence during a breach that you can use even if you don’t have a full-time security leader on staff.

Leaders coordinating an incident response review in a focused, practical setting so they can learn about preserving evidence during a breach (created with AI).

Key takeaways: the do-not-break-this rules (read this first)

Follow these rules first to protect your digital evidence.

  • Do contain first, but choose containment that changes as little as possible (isolate, block, disable).
  • Do not rebuild or re-image servers until you’ve ensured evidence preservation by capturing what you need (images, logs, cloud trails).
  • Do not wipe or “clean” machines with antivirus or removal tools if you suspect malware; cleanup destroys the artifacts that establish the timeline.
  • Do start a single, time-stamped incident log and require every action to be recorded.
  • Do limit hands on keyboards: name an incident response team and lock everyone else out.
  • Do preserve originals, then work from copies (forensic images, exported logs, read-only snapshots).
  • Do not let vendors rotate logs or “fix” systems without a capture plan and written approval.
  • Do track every handoff to maintain the chain of custody; untracked USB copies, emailed files, and shared folders with no audit trail are evidence killers.

First 60 minutes: contain the damage without destroying evidence

In the first hour, your job isn’t to solve the whole breach. It’s to keep the patient stable while preserving evidence for digital forensics.

A strong first hour has four beats: contain, preserve, document, escalate. Executives decide priorities, risk tolerance, and who has authority. Technical staff carry out the steps, but only inside clear guardrails.

If you’ve lived through fragile systems and messy ownership (common in justice work), you already know why this matters. The same confusion that makes reporting hard can also make incident response chaotic. (If that’s familiar, start with a plain-language view of technology challenges faced by legal nonprofits.)

Threat Containment: Decide actions that keep systems intact

Containment can be gentle and still effective:

  • Use network segmentation or device isolation instead of powering off a server.
  • Disable a compromised user account instead of mass-resetting every account at once.
  • Block outbound traffic to suspicious destinations while you investigate.
  • Pause risky integrations (file sync, API tokens) rather than ripping out core tools.

Avoid “helpful” actions that ruin evidence: powering off devices (which destroys volatile data such as running processes, active network connections, and anything else held only in memory), wiping endpoints, re-imaging servers, patching blindly, restoring over the top of affected systems, or running cleanup utilities that delete artifacts.

A simple decision rule: If you must disconnect to stop active harm, document the reason, time, and method, then preserve that device or system for imaging. Think “quarantine,” not “demolition.”

For a practical foundation, NIST’s incident-handling guidance (SP 800-61) is still a solid reference point for leadership expectations, and its companion on integrating forensic techniques into incident response (NIST SP 800-86) covers the evidence side.

Start a time-stamped incident log and lock down access

Start an incident log immediately. One owner. One place. Time-stamped entries.

Record:

  • Who found the issue and what they saw (exact message, alert name, screenshot photo if needed)
  • The first known time of suspicious activity (even if it’s a guess, label it)
  • Every action taken, by whom, and which systems were touched
  • Tickets opened, vendors contacted, and approvals given
  • Decisions you made and why

Then lock things down. Limit access to affected systems to a short list. If laptops might be involved, collect them and store them safely. If a server closet or shared workspace is in play, treat it like a controlled area. Appoint one executive as the traffic cop for approvals so staff aren’t getting mixed signals.

Evidence preservation checklist: what to save, how to save it, and chain of custody

The goal of evidence preservation is simple: capture the story of what happened, without rewriting it. This checklist supports effective digital evidence management.

Even if you outsource forensics, you still own the decisions that protect forensic preservation. And in mission-driven orgs, those decisions often sit with the executive team because the stakes are human, not just technical.

For deeper response and recovery structure, NIST’s breach-focused playbook is a useful companion (see NIST SP 1800-29 on responding to data breaches).

What to preserve (systems, logs, cloud trails, and communications)

Make sure someone is capturing, exporting, or imaging these buckets, before major changes:

  • Endpoint and server images (or snapshots) of likely affected machines
  • Network, firewall, VPN, and DNS logs
  • Identity logs: SSO sign-ins, MFA events, account changes, and privileged or admin actions
  • Email and phishing data: message headers, quarantine events, mail gateway logs
  • Cloud audit trails (for example, admin consoles, storage access, key changes)
  • Backups and snapshots (keep a known-good copy, and protect it from overwrite)
  • Security alerts, tickets, and monitoring outputs
  • Photos/screenshots of error messages (use a phone camera if screens must stay untouched)
  • Incident-related communications (emails, chat threads, call notes, vendor instructions)

Executive framing that helps: copy over move. Preserve originals where possible, work from exports and images, and keep a clean record of what came from where.

Chain of custody, made simple: keep evidence trustworthy

Chain of custody sounds legal because it is. It’s how you prove evidence wasn’t altered, even by well-meaning staff. That matters for admissibility, and for the regulators, cyber insurers, contract disputes, and client notification decisions that follow.

Mini-checklist:

  1. Assign an evidence owner for each item (one person accountable).
  2. Label clearly (system name, date/time collected, collector, location).
  3. Record every transfer (who, when, why, how it was transported or shared).
  4. Store originals securely, restrict access, document who can enter.
  5. Work from copies, and keep a basic integrity check record: a cryptographic hash (SHA-256 is the common choice) of each original taken at collection and re-checked against every copy. Forensic investigators can handle the mechanics, but the hash record belongs with the evidence.

Do-not list:

  • No untracked USB copies passed around between staff.
  • No shared folders without access logs and a clear owner.
  • No editing files “in place”; export or duplicate first.
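The incident log and the custody mini-checklist above ask for the same two things: a record nobody can quietly rewrite, and proof that a working copy still matches the original. The following is an added example (not code from the article or from any tool it cites) of both in one small script. Assumptions: evidence items are files on disk; each collection or handoff is one log entry; every entry carries the SHA-256 of the previous entry, so an edited or deleted entry breaks the chain. The firewall log line, item IDs, and people named are constructed.

```python
"""Evidence manifest with a hash-chained custody log.

Added example, not code from the original article. Assumptions: evidence items
are files on disk; every collection or handoff is one log entry; each entry
records the SHA-256 of the previous entry so later edits to the log are
detectable. The sample evidence file and the people named are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # 'prev' value of the first entry


def sha256_file(path):
    """Hash a file in 1 MiB chunks so a disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_digest(entry):
    """Canonical hash of an entry: all fields except its own digest, sorted keys."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only record of who collected or held which item, when, and how."""

    def __init__(self):
        self.entries = []

    def _append(self, entry):
        entry["prev"] = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry["timestamp_utc"] = datetime.now(timezone.utc).isoformat()
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def collect(self, item_id, path, collector, source):
        """Record the original at collection time; its hash is the reference value."""
        return self._append({"event": "collect", "item": item_id, "path": path,
                             "sha256": sha256_file(path), "by": collector,
                             "source": source})

    def transfer(self, item_id, from_person, to_person, how):
        """Record a handoff (who, to whom, how it travelled)."""
        return self._append({"event": "transfer", "item": item_id,
                             "from": from_person, "to": to_person, "how": how})

    def reference_hash(self, item_id):
        for e in self.entries:
            if e["event"] == "collect" and e["item"] == item_id:
                return e["sha256"]
        raise KeyError(f"no collection entry for {item_id}")

    def verify_copy(self, item_id, copy_path):
        """A working copy is trustworthy only if it hashes to the collected original."""
        return sha256_file(copy_path) == self.reference_hash(item_id)

    def chain_intact(self):
        """Re-derive every digest and link; any edited or removed entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or entry_digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo():
    """Constructed scenario: export one firewall log, hand it to forensics, make a
    faithful copy and an edited copy, then alter an old log entry."""
    tmp = tempfile.mkdtemp()
    original = os.path.join(tmp, "fw-export.log")
    with open(original, "w") as f:  # constructed log line
        f.write("2024-05-01T14:02:11Z deny out 10.0.0.5 -> 203.0.113.9:443\n")

    log = CustodyLog()
    log.collect("EV-001", original, "ops-lead", "firewall console export")
    log.transfer("EV-001", "ops-lead", "forensics-vendor", "encrypted drive, signed receipt")

    good_copy = os.path.join(tmp, "fw-export.copy.log")
    with open(original, "rb") as src, open(good_copy, "wb") as dst:
        dst.write(src.read())
    edited_copy = os.path.join(tmp, "fw-export.edited.log")
    with open(edited_copy, "w") as f:  # one word changed: deny -> allow
        f.write("2024-05-01T14:02:11Z allow out 10.0.0.5 -> 203.0.113.9:443\n")

    results = {
        "good_copy_ok": log.verify_copy("EV-001", good_copy),
        "edited_copy_ok": log.verify_copy("EV-001", edited_copy),
        "chain_ok": log.chain_intact(),
    }
    log.entries[0]["by"] = "someone-else"  # a well-meaning 'correction' of history
    results["chain_ok_after_edit"] = log.chain_intact()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The faithful copy verifies, the edited copy fails, and the chain check passes until someone rewrites an earlier entry, after which it fails. In practice the log file itself should live somewhere the responders cannot edit (a write-once share or a ticket system with its own audit trail); the hash chain makes tampering detectable, it does not prevent it.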

Executive coordination: legal, vendors, insurance, and what staff should hear

An incident response fails in the handoffs. Not the tools.

This is where leadership earns its keep: tightening decision rights, keeping the circle small, and making sure outside parties don’t “fix” your evidence away.

For cyber incident reporting to law enforcement and victim response expectations, the DOJ’s guidance is a practical reality check (see DOJ best practices for victim response and reporting cyber incidents (PDF)).

Bring in counsel and forensics early, and protect sensitive work

Call legal counsel early so you can align on notification duties, timelines, and privilege strategy. Bring in qualified forensics early if the incident is material, involves sensitive client data (for example, Social Security numbers that could enable identity theft), or could trigger insurance claims.

A simple rule: don’t let internal teams “investigate” on production systems in ways that change data. No poking around live servers. No ad hoc scripts. Leadership should confirm that the forensic experts are authorized to direct the investigation and to approve any disruptive action.

If you need a steady way to build this into normal operations (evidence handling, logging, data loss prevention), a phased plan helps. (A clear starting point is our approach to justice-focused technology roadmaps.)

Control communications and preserve “human evidence” too

Pick one spokesperson. Tell staff three things in plain language:

  1. Stop changing systems unless assigned to the response team.
  2. Report odd activity immediately, with screenshots or details.
  3. Don’t discuss the incident externally or in informal channels.

Also preserve human evidence: incident channel notes, email threads, vendor instructions, and call notes. And if you have cyber insurance, contact the insurer early, then confirm in writing that vendors will not rotate logs or rebuild systems before capture.

FAQs: preserving evidence during breach

Should we power off the infected computer?
Not by default. Powering off can destroy volatile clues and break timelines. If it’s actively harming clients (exfiltration, ransomware spreading), isolate it from the network first, then preserve it for imaging.

Can we just restore from backup and move on?
Restoring may get you running, but it can erase proof of how the attacker got in during the data breach and whether they’re still present. Preserve evidence first, then plan restoration with forensics and counsel.

What logs matter most if we are in the cloud?
Identity and admin activity logs are often the core story, plus cloud audit trails and storage access logs. Also preserve security logs from any SaaS tools (email, file sharing, endpoint agents), and keep a map of which system produced which export so the sources can be lined up later.
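Why those logs together tell the story: each export is stamped in its own time zone and its own field names, and the timeline only appears once they are normalized to UTC and merged. The following is an added example (not code from the article or from any vendor it mentions). It assumes a hypothetical SSO export in JSON lines stamped in the office time zone and a hypothetical cloud audit export stamped in UTC; the field names and every record are constructed sample data, not any real product’s schema.

```python
"""Merge preserved identity and cloud audit exports into one UTC timeline.

Added example, not code from the original article. Assumptions: the SSO export
is JSON lines stamped in the office time zone, the cloud audit export is a JSON
document stamped in UTC; field names are hypothetical, not any vendor's schema.
All records below are constructed sample data.
"""
import json
from datetime import datetime, timezone

SSO_EXPORT = "\n".join([
    '{"ts": "2024-05-01T06:02:11-04:00", "user": "j.doe", "event": "sign_in", "ip": "198.51.100.23", "mfa": "push"}',
    '{"ts": "2024-05-01T10:15:02-04:00", "user": "j.doe", "event": "sign_in", "ip": "203.0.113.9", "mfa": "none"}',
    '{"ts": "2024-05-01T10:16:40-04:00", "user": "j.doe", "event": "mfa_device_added", "ip": "203.0.113.9", "mfa": "n/a"}',
])

CLOUD_AUDIT = json.dumps({"records": [
    {"eventTime": "2024-05-01T14:20:44Z", "actor": "j.doe", "eventName": "AttachRolePolicy", "target": "role/backup-admin"},
    {"eventTime": "2024-05-01T14:31:10Z", "actor": "j.doe", "eventName": "GetObject", "target": "bucket/client-files/intake.csv"},
    {"eventTime": "2024-05-01T09:00:05Z", "actor": "svc-backup", "eventName": "PutObject", "target": "bucket/backups/nightly.tar"},
]})


def to_utc(stamp):
    """Normalize an ISO-8601 stamp (numeric offset or trailing 'Z') to an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def build_timeline(sso_jsonl, cloud_json):
    """Parse both exports into one record shape and sort by true UTC time."""
    events = []
    for line in sso_jsonl.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        events.append({"ts": to_utc(r["ts"]), "source": "sso", "actor": r["user"],
                       "action": r["event"], "ip": r["ip"], "detail": "mfa=" + r["mfa"]})
    for r in json.loads(cloud_json)["records"]:
        events.append({"ts": to_utc(r["eventTime"]), "source": "cloud", "actor": r["actor"],
                       "action": r["eventName"], "ip": None, "detail": r["target"]})
    events.sort(key=lambda e: e["ts"])  # sorting the raw strings would mix time zones
    return events


def first_seen(timeline, actor=None, ip=None):
    """Earliest event matching the given actor and/or IP, or None."""
    for e in timeline:
        if (actor is None or e["actor"] == actor) and (ip is None or e["ip"] == ip):
            return e
    return None


def render(timeline):
    """One line per event, fixed columns, UTC."""
    return "\n".join(
        f"{e['ts'].strftime('%Y-%m-%dT%H:%M:%SZ')} {e['source']:<5} {e['actor']:<10} "
        f"{e['action']:<18} {e['detail']}"
        for e in timeline)


if __name__ == "__main__":
    tl = build_timeline(SSO_EXPORT, CLOUD_AUDIT)
    print(render(tl))
    hit = first_seen(tl, ip="203.0.113.9")
    print("first activity from 203.0.113.9:", hit["ts"].isoformat())
```

In the constructed data the sign-in from the unfamiliar address lands at 14:15:02 UTC, a few minutes before the role change and the file read in the cloud log; read in local time the two exports would appear hours apart. That earliest matching event is the "first known time of suspicious activity" the incident log asks for, and it only exists if both exports were preserved before anyone rotated or cleaned them.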

How long should we retain evidence?
Follow counsel and insurer guidance, but assume months, not days. Keep evidence through claim resolution, notification windows (including any credit-monitoring offer), and any contractual or regulatory follow-up; the same evidence feeds the post-incident review.

Who should be the evidence custodian?
Choose one accountable person, often an operations or IT lead with strong process habits. They don’t need to be deeply technical, they need to be consistent and trusted.

What if a vendor controls the system?
Put requests in writing: preserve logs, suspend rotation, export audit trails, and document who collected what. Require time-stamped exports and a clear handoff record.

Conclusion

In a breach, speed matters, but careful speed matters more. Contain without smashing the scene. Preserve digital evidence before you change. Document every action. Control access and track every handoff.

If your team is already stretched thin, don’t wait for the next incident to discover you don’t have a clean process. Build a simple evidence-handling playbook now, assign decision rights, and run one short tabletop to make it real. Ready for calm, board-defensible readiness? Schedule a clarity call at https://ctoinput.com/schedule-a-call. Which single chokepoint in securing your systems, if fixed this quarter, would unlock the most capacity and trust?
