Cyber Forensics and Evidence Preservation: What Counts Legally After an Incident

TL;DR
  • Evidence preservation must be considered from the very first minute. Mistakes in the first hours after an incident can destroy evidence irretrievably.
  • The chain of custody documents without gaps who had access to evidence, when, and in what state. Without it, evidence is worthless in court.
  • Forensic copies (bit-for-bit images) never replace the original. The original remains untouched; all work is done exclusively on copies.
  • Three common mistakes destroy evidence: shutting down systems (erases volatile memory), cleaning up systems (overwrites traces), and acting without documentation.
  • Collaboration with law enforcement and the cyber insurer must be planned early because both have their own requirements for evidence preservation.

Why the First Hours Are Decisive

A cyberattack has been discovered. Systems are behaving abnormally, data is encrypted, a ransom note has appeared. In the first hours after discovery, the most consequential mistakes are typically made — not in defending against the attack, but in preserving evidence.

The IT department shuts down affected servers to stop the attack. In doing so, volatile memory (RAM) is erased, which contains critical information: running processes, network connections, encryption keys, traces of the attacker. A well-meaning administrator installs updates or runs an antivirus scanner that removes the malware — but also destroys the forensic traces. Logs are not preserved before they are overwritten by automatic rotation. And nobody documents who did what and when.

Each of these actions can destroy evidence you will need later: for criminal prosecution, for the insurance claim, for regulatory reporting, for communication with customers and partners, and for your own post-incident review.

Cyber forensics is the discipline that addresses exactly this. It ensures that digital evidence is preserved, analyzed, and documented in a way that is admissible in court, defensible to insurers, and meaningful for internal review.

What Is Cyber Forensics?

Cyber forensics (also: digital forensics, IT forensics, computer forensics) is the methodical examination of IT systems to identify, preserve, analyze, and present digital evidence. It follows scientific principles and recognized procedures to ensure that results are reproducible, traceable, and admissible in court.

Distinction from Incident Response

Incident response and forensics are related but distinct disciplines. Incident response aims at containing and remediating the incident: locking out the attacker, restoring systems, and resuming normal operations. Forensics aims at evidence preservation and analysis: what happened, how did it happen, who was responsible, and what data was affected?

In practice, both processes run in parallel and can conflict. Incident response wants to stop the attack quickly; forensics wants to preserve the traces. A good incident response plan therefore accounts for forensic requirements from the start.

When You Need Forensics

Not every security incident requires a full forensic investigation. But in the following situations, it is strongly recommended or even necessary:

Criminal prosecution: If you intend to file a criminal complaint or if law enforcement is investigating, you need court-admissible evidence. Without forensically correct preservation, prosecutors will have little to work with.

Insurance claims: Your cyber insurer will require a forensic report before paying out. The report must document the scope of damage, the attack vector, and the measures taken.

Regulatory reporting obligations: The GDPR (DSGVO, Articles 33 and 34) and NIS2 require detailed information about the incident, and the tight NIS2 deadline of 24 hours for the initial notification makes prepared forensic readiness indispensable. What data is affected? How many individuals? Which systems? This information comes from the forensic analysis.

Liability questions: If third parties (customers, partners) are harmed by the incident and demand damages, you need forensic documentation showing that you had implemented appropriate security measures and handled the incident professionally.

Internal review: Even without external requirements, forensic analysis helps you understand the attack, identify root causes, and derive measures to prevent recurrence.

The Four Phases of a Forensic Investigation

Phase 1: Identification and Preservation

The first phase begins with identifying relevant data sources: which systems are affected? Where might traces exist? Typical data sources include hard drives and SSDs of affected systems, volatile memory (RAM) of running systems, network logs (firewall, IDS/IPS, proxy, DNS), system logs (event logs, syslog, auth logs), application logs (web server, database server, mail server), cloud logs (access logs, audit logs, API logs), emails (phishing emails, attacker communication), mobile devices (smartphones, tablets), external storage media (USB drives, external hard drives), and backups (to determine the point of compromise).

Preservation of this data must be forensically correct, meaning: original data remains untouched. A bit-for-bit image is created from each relevant storage device (forensic copy, e.g., using dd, FTK Imager, or EnCase). Each image is hashed with a cryptographic hash (SHA-256) to verify integrity. Volatile data (RAM, network connections, running processes) is preserved first because it is lost when the system is powered off (order of volatility). Preservation is documented without gaps.

Phase 2: Analysis

Analysis is performed exclusively on forensic copies, never on originals. Typical analysis steps include timeline analysis (reconstructing events based on timestamps from various sources), malware analysis (identification and analysis of the malware used), log analysis (correlating logs from various sources to trace the attack path), file analysis (identifying modified, deleted, or exfiltrated files), network analysis (analyzing network traffic, identifying command-and-control connections), and artifact analysis (registry entries, browser history, prefetch files, event logs, scheduled tasks, and other system traces).

The goal of the analysis is to answer the core forensic questions: what happened (attack vector, scope of damage)? When did it happen (timeline of the compromise)? How did it happen (tactics, techniques, and procedures of the attacker)? Who was responsible (identification of the attacker, where possible)? What data was affected (type, scope, sensitivity)?
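Timeline analysis across sources only works once every timestamp is expressed in one clock. The following is an added example, not code from the article or from ISMS Lite: it takes constructed firewall, Windows event and web server log lines, written in three formats and two time zones, and normalises them into a single UTC-ordered timeline. Hostnames, addresses and the CET assumption are constructed placeholders.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: the Windows host logs in local time and the site is on CET (UTC+1)
# at the time of the incident. Real cases take the zone and NTP state from the
# preservation documentation rather than from a constant.
CET = timezone(timedelta(hours=1), "CET")

# Constructed sample lines: three sources, three timestamp formats, two zones.
FIREWALL_LOG = [
    "2026-03-14T13:02:11Z fw01 DENY 10.0.0.5:49152 -> 203.0.113.7:443",
    "2026-03-14T12:58:40Z fw01 ALLOW 10.0.0.5:49150 -> 203.0.113.7:443",
]
WINDOWS_LOG = [
    "14.03.2026 14:05:30 SRV-DB01 7045 Service installed: updater.exe",
    "14.03.2026 13:59:02 SRV-DB01 4624 Logon svc_backup from 10.0.0.5",
]
WEB_LOG = [
    '10.0.0.5 - - [14/Mar/2026:14:01:07 +0100] "POST /upload.php" 200',
]


def parse_firewall(line):
    """Syslog-style line with an explicit Z (UTC) timestamp."""
    ts, _host, rest = line.split(" ", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc), rest


def parse_windows(line):
    """German-style local time with no zone marker; the zone is attached explicitly."""
    date, time, _host, rest = line.split(" ", 3)
    return datetime.strptime(f"{date} {time}", "%d.%m.%Y %H:%M:%S").replace(tzinfo=CET), rest


def parse_web(line):
    """Apache common log format; the UTC offset is part of the timestamp."""
    m = re.search(r"\[([^\]]+)\] (.*)", line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z"), m.group(2)


def build_timeline():
    """Normalise every event to UTC and return (utc, source, event) in true order."""
    events = []
    for source, lines, parse in (("fw01", FIREWALL_LOG, parse_firewall),
                                 ("SRV-DB01", WINDOWS_LOG, parse_windows),
                                 ("web01", WEB_LOG, parse_web)):
        for line in lines:
            when, what = parse(line)
            utc = when.astimezone(timezone.utc).isoformat(timespec="seconds")
            events.append((utc, source, what))
    return sorted(events)
```

Sorting the raw local-time strings would place the Windows logon after the firewall DENY; after normalisation it correctly precedes the upload and the later service installation.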

Phase 3: Documentation

Every step of the forensic investigation is documented: which systems were preserved, with what tools, when, by whom, what hashes were created, what analyses were performed, what results were obtained, and what conclusions are drawn.

Documentation must be detailed enough that another forensic examiner can reproduce the results. This is the prerequisite for admissibility in court and credibility with insurers and supervisory authorities.

Phase 4: Presentation

The results are compiled in a forensic report that typically contains an executive summary (for management and decision-makers), a technical description (for IT professionals and other forensic examiners), a timeline of events, identified indicators of compromise (IoCs), recommendations for immediate actions and long-term improvements, and a list of preserved evidence.

Chain of Custody: The Evidence Chain

The chain of custody is the backbone of forensic evidence. It documents without gaps who received, processed, or transferred which piece of evidence, when, and in what state. Without an intact chain of custody, evidence can be challenged in court because it cannot be proven that it was not tampered with.

What the Chain of Custody Documents

For each piece of evidence, the following is recorded: unique identification (serial number, description, labeling), when and where it was preserved, who preserved it, how it was preserved (tool, method), the cryptographic hash at the time of preservation, every handover to another person (who, when, why), every access to the evidence (who, when, what), and the current storage location (physically secured, e.g., in a safe).

Practical Implementation

Use a form or digital system that captures the chain of custody for each piece of evidence. Every person who receives or transfers evidence signs the form. Evidence is stored in a physically secured area (lockable cabinet, safe, vault). Digital copies are stored on encrypted media that are also physically secured.
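The hashing step from Phase 1 and the chain-of-custody record described above can be combined in a small digital system. The following is an added example, not code from the article or from ISMS Lite; it assumes the forensic copy is a file on disk, and the evidence label, persons and image content are constructed.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash an image file in chunks so multi-GB images never have to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class Evidence:
    """One item of evidence together with its chain-of-custody log."""
    evidence_id: str        # unique label (constructed, e.g. "EV-001")
    description: str        # what it is: disk image, RAM dump, log export
    image_path: str         # the forensic copy that is actually worked on
    acquisition_hash: str   # SHA-256 taken at preservation time
    log: list = field(default_factory=list)

    def record(self, person, action, details):
        """Append who/when/what. The hash is re-taken at every step, so the
        log itself shows whether the copy still matches the acquisition."""
        observed = sha256_file(self.image_path)
        self.log.append({
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "person": person, "action": action, "details": details,
            "sha256": observed,
        })
        return observed == self.acquisition_hash

    def intact(self):
        """True only if every logged check still matches the acquisition hash."""
        return all(e["sha256"] == self.acquisition_hash for e in self.log)


def demo():
    """Constructed walk-through: acquire, hand over, then detect a modified copy.
    Returns (handover clean, post-tamper check passed, chain intact)."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "srv-db01.dd")  # stand-in for a dd image
        with open(img, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed-image-content")
        ev = Evidence("EV-001", "SRV-DB01 system disk", img, sha256_file(img))
        handover_ok = ev.record("A. Admin (IR lead)", "handover", "to external examiner")
        chain_before = ev.intact()
        with open(img, "ab") as f:           # the mistake: writing to the copy
            f.write(b"av-quarantine-marker")
        check_ok = ev.record("B. Examiner", "verified", "pre-analysis hash check")
        return handover_ok and chain_before, check_ok, ev.intact()
```

In practice the original is never touched; a mismatch like the one `demo()` provokes tells the examiner to discard the copy and re-image from the sealed original.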

The Most Common Mistakes in Evidence Preservation

Mistake 1: Shutting Down Systems Immediately

The natural reflex during an attack is to shut down the affected systems. This can be appropriate in certain situations (e.g., when data is actively being exfiltrated), but it destroys volatile memory. RAM contains running processes (including malware), active network connections, encryption keys (potentially the key to decrypt ransomware), cached credentials, and temporary files.

Better: If at all possible, capture a RAM dump first (using tools like Magnet RAM Capture, WinPmem, or Belkasoft). Then isolate the system by disconnecting the network cable rather than shutting it down, and image the hard drive in the isolated state.

Mistake 2: "Cleaning Up" Systems

After discovering an attack, the urge is strong to remove the malware, run the antivirus scanner, and "clean" the systems. Each of these actions alters the evidentiary situation: the antivirus scanner deletes or quarantines the malware, modifying the file system. Updates and patches overwrite system files. Deleting user accounts removes traces of the attacker.

Better: First preserve forensically, then clean up. If cleanup cannot wait for operational reasons, at minimum document what you changed and when.

Mistake 3: No or Insufficient Documentation

"We isolated the server at 2:30 PM" is not sufficient documentation. Forensically correct would be: "On 2026-03-14 at 14:30 CET, server SRV-DB01 (serial number: XYZ, IP: 192.168.1.10) was physically disconnected from the network by [name, role] by removing the Ethernet cable at port 3 of switch SW-CORE-01. At that time, the processes [list] were active and the network connections [list] were established."

Better: Document everything you do and observe from the very first minute. Use a logbook (physical or digital) in which every action is recorded with timestamp, person, and description.

Mistake 4: Modifying Originals

Never work on original evidence. If you want to analyze a hard drive, first create a forensic image and work on the image. If you want to analyze logs, first copy them to a secure location and work on the copy. The original remains untouched and sealed.

Mistake 5: Not Stopping Log Rotation

Most systems rotate their logs automatically: older entries are deleted when the log reaches a certain size or a certain time period has passed. If you do not stop log rotation or promptly preserve the logs, the oldest entries — which may document the beginning of the attack — will be irrevocably deleted.

Better: Preserve all relevant logs immediately after discovering the incident. Stop automatic rotation on the affected systems or redirect logs to a separate, secured log server.

Working with Law Enforcement

Filing a Criminal Complaint: Yes or No?

The question of whether to file a criminal complaint is not purely legal but also strategic. Advantages of filing: the police have investigative powers not available to you (e.g., search warrants, international legal assistance). Criminal prosecution can identify attackers and prevent future attacks. Some insurers require a criminal complaint as a prerequisite for coverage. And filing demonstrates that you take the incident seriously.

Disadvantages: investigations can be time-consuming and consume your own resources. After filing, you no longer have influence over the course of the investigation. In rare cases, evidence may be seized, which can impair business operations.

Competent Authorities in Germany

The Zentrale Ansprechstellen Cybercrime (ZAC) at the state criminal police offices are the first points of contact for businesses. They specialize in cybercrime and understand the particular requirements of businesses. The Federal Police and the BKA are responsible for cross-regional or internationally organized attacks. The BSI is not a law enforcement authority but accepts reports and assists with situational assessment.

Preparing Evidence for Authorities

When filing a criminal complaint, prepare the following information: a chronological account of the incident, preserved evidence with chain of custody, log data and forensic images, known indicators of compromise (IoCs), and the contact details of your forensics service provider.

Working with the Cyber Insurer

Your cyber insurer has its own requirements for evidence preservation and forensics. Many insurers have framework agreements with forensic service providers and expect you to engage their experts. Others accept your own forensic professionals but require that the investigation follows certain standards.

Report the incident to the insurer immediately, ideally before you initiate your own forensic measures. The insurer can immediately arrange a forensic service provider, specify requirements for evidence preservation, and cover the costs of the forensic investigation as part of the insurance claim.

If you initiate forensic measures without consulting the insurer, you risk that the insurer will not cover the costs or will not accept the results.

Preparation: Forensic Readiness

Forensic readiness means preparing for a forensic emergency before it occurs. This includes:

Logging strategy: Ensure that all relevant systems generate logs that are sufficiently detailed and retained long enough. Centralize logs in a SIEM or log management system. Synchronize the clocks of all systems (NTP) so that timestamps from different sources can be correlated.

Forensic toolkit: Maintain a forensic toolkit containing the essential tools: RAM dump tools, forensic imaging software, write blockers (hardware that prevents data from being written when connecting a hard drive), chain of custody forms, and a separate, clean analysis system.

Forensic service provider: Identify and contact a forensic service provider before you need one. Ideally, enter into a framework agreement that specifies response times and hourly rates in advance. In an emergency, you have no time to compare offers.

Incident response plan: Integrate forensic requirements into your incident response plan. Define who performs the forensic preservation, which systems are preserved first (prioritization), and how the chain of custody is maintained.

Training: Train the employees who will be the first responders in an emergency in the fundamentals of evidence preservation. They must know what they may do (document, isolate, capture RAM) and what they must not do (shut down, clean up, delete logs).

Forensics and Data Protection

A forensic investigation inevitably touches on data protection. When you image hard drives and analyze logs, you also process personal data of employees and potentially customers. The DSGVO (GDPR) requires that this processing is lawful.

Legal basis: A forensic investigation of a security incident can be based on the legitimate interest under Article 6(1)(f) GDPR. The company's interest in investigating the incident and preserving evidence generally outweighs the interests of the data subjects, provided the investigation is conducted proportionately.

Proportionality: Only preserve data relevant to the investigation. If you know the attack affected the mail server, you do not need to image the hard drives of all workstations. Limit access to forensic data to those who need it for the investigation.

Works council: If a works council exists, inform it about the forensic investigation to the extent possible without jeopardizing the investigation. The works council has co-determination rights regarding employee monitoring, and a forensic investigation may be classified as such.

Digital Evidence in Court

For digital evidence to be admissible in a German court, it must meet four requirements. Authenticity: demonstrating that the evidence is genuine and unaltered (cryptographic hashes, chain of custody). Integrity: proving that the evidence has not been tampered with (forensic copy, write blocker, documentation). Traceability: showing that the methodology of preservation and analysis is documented and reproducible. Proportionality: showing that the collection of evidence was lawful and proportionate.

German courts evaluate digital evidence according to the principle of free evaluation of evidence (§ 286 ZPO, Code of Civil Procedure). There are no rigid rules of evidence, but a deficient chain of custody or undocumented analysis methodology will significantly undermine the court's assessment.

The Forensic Investigation as a Learning Process

The forensic analysis of a security incident delivers not only evidence but also valuable insights for improving your security measures. Use the results for a lessons-learned session in which you analyze the attack vector (how did the attacker get in?), evaluate detection capability (how long was the attacker undetected? why?), assess the effectiveness of measures (which worked, which did not?), and derive specific improvement actions.

Document the results and integrate the derived actions into your PDCA cycle. Every security incident is an opportunity to improve the ISMS — provided you use the forensic findings systematically. In ISMS Lite, incidents can be linked to derived actions so that the improvement cycle is documented without gaps.
