The first hours after discovering a cyber incident are among the most critical — and the most chaotic. In the rush to contain damage and restore operations, organisations often inadvertently destroy the very evidence needed to understand what happened, how it happened, and how to prevent it from happening again.

TL;DR — Key Takeaways

  • Learn the fundamentals of digital forensics after a cyber incident, including evidence preservation, chain of custody, and working with professionals
  • Understand why Digital Forensics Matters for Small Businesses
  • Understand the Golden Rule: Preserve First, Investigate Later

Visual Overview

flowchart TD
    A["Incident Occurs"] --> B["Preserve Evidence"]
    B --> C["Create Forensic Image"]
    C --> D["Analyze Artifacts"]
    D --> E["Document Findings"]
    E --> F["Report and Remediate"]

Digital forensics is the discipline of collecting, preserving, analysing, and presenting electronic evidence in a manner that is legally defensible and technically sound. While your small business may not need a full-time forensics team, understanding the fundamentals can mean the difference between a thorough investigation and a botched one. This guide covers what every organisation should know about handling digital evidence after a cyber incident.

Why Digital Forensics Matters for Small Businesses

You might assume digital forensics is only relevant to large enterprises or law enforcement investigations. In reality, every organisation that experiences a cyber incident needs some level of forensic capability, for several important reasons:

  • Understanding the attack: Without forensic analysis, you may never know how the attacker got in, what they accessed, how long they were present, or whether they left backdoors for future access.
  • Regulatory compliance: Breach notification laws often require organisations to specify what data was compromised. Forensic analysis provides this information.
  • Insurance claims: Your cyber insurance claims process will almost certainly require a forensic report documenting the incident, its scope, and the response actions taken.
  • Legal proceedings: If you pursue legal action against attackers, or if affected parties take action against you, forensic evidence must meet legal standards of admissibility.
  • Prevention: Forensic findings inform your security improvements, helping you address the specific vulnerabilities and gaps that were exploited.

The Golden Rule: Preserve First, Investigate Later

The single most important principle in digital forensics is evidence preservation. Every action taken on a compromised system after the incident potentially alters or destroys evidence. Rebooting a server clears volatile memory. Running antivirus scans modifies file timestamps. Deleting malware removes the very artefacts investigators need to analyse.

The instinct to "fix things immediately" is understandable but can be profoundly counterproductive. Resist the urge to clean up until evidence has been properly preserved. A few hours of patience can save weeks of uncertainty.

This does not mean you should leave compromised systems connected to your network indefinitely. The correct approach is to isolate affected systems — disconnect them from the network to prevent further damage — while keeping them powered on to preserve volatile data such as running processes, network connections, and memory contents.

Evidence Preservation: A Step-by-Step Approach

Step 1: Document Everything

Begin documenting from the moment the incident is discovered. Record:

  • Who discovered the incident, when, and how.
  • Every action taken on affected systems, by whom, and at what time.
  • The current state of affected systems (error messages, unusual processes, network connections).
  • Physical location and identifiers of affected hardware (serial numbers, asset tags).
  • Screenshots of anything displayed on affected screens.

This documentation forms the foundation of your forensic record. Use a dedicated incident log — a shared document, a physical notebook, or an incident management tool — and ensure entries are timestamped.

Step 2: Capture Volatile Evidence

Volatile evidence exists only in a system's temporary state and is lost when the machine is powered off or rebooted. It must be captured first, in order of volatility:

  1. System memory (RAM): Contains running processes, open network connections, encryption keys, and malware that may only exist in memory. Memory capture tools can create a forensic image of RAM without shutting down the system.
  2. Network connections: Active connections reveal which external servers the compromised system was communicating with.
  3. Running processes: A list of all running processes can identify malicious software or unauthorised tools.
  4. Logged-in users: Identifying who (or what) is currently authenticated to the system.
  5. Temporary files and caches: Browser caches, temp directories, and clipboard contents may contain relevant evidence.

Step 3: Create Forensic Disk Images

A forensic disk image is a bit-for-bit copy of a storage device — not just the visible files, but every sector of the disk, including deleted files, slack space, and hidden partitions. This differs from a standard backup, which only copies active files.

Key principles for disk imaging:

  • Use write-blocking hardware or software to prevent any modification of the original disk during the imaging process.
  • Generate cryptographic hash values (SHA-256) of both the original disk and the forensic image to prove they are identical.
  • Create at least two copies of each forensic image — one for analysis and one for archival.
  • Label each image with the date, time, system identifier, and the name of the person who created it.

Step 4: Collect Log Data

Logs are the backbone of most forensic investigations. Collect and preserve logs from every relevant source:

  • System logs: Windows Event Logs, Linux syslog, macOS unified logs.
  • Authentication logs: Active Directory, identity provider, MFA system, and VPN logs.
  • Network logs: Firewall, proxy, DNS, and intrusion detection system logs.
  • Application logs: Email server, web server, database, and business application logs.
  • Cloud service logs: Cloud platform audit trails (Microsoft 365, Google Workspace, AWS CloudTrail, etc.).
  • Security tool logs: Antivirus, EDR, email gateway, and SIEM alerts.

Be aware that many log sources have limited retention periods. If your logs are configured to overwrite after seven days, evidence from three weeks ago may already be lost. This is why proactive log retention policies are critical to forensic readiness.

Chain of Custody: Maintaining Evidence Integrity

The chain of custody is a documented record of every person who handled a piece of evidence, when they handled it, and what they did with it. Maintaining an unbroken chain of custody is essential for evidence to be admissible in legal proceedings and credible in insurance claims.

For each piece of evidence, record:

  1. A unique identifier for the evidence item.
  2. A description of what it is (e.g., "Forensic image of server SRV-FILE-01 primary disk").
  3. The date and time it was collected.
  4. Who collected it.
  5. Where it has been stored.
  6. Every transfer between individuals, with signatures and timestamps.
  7. Hash values at the point of collection and at each subsequent access.

Store physical evidence (hard drives, USB devices) in sealed, tamper-evident bags in a secure location with controlled access. Store digital evidence (forensic images, log exports) in encrypted, access-controlled storage with integrity verification.

What NOT to Do After a Breach

Well-intentioned actions can destroy critical evidence. Avoid these common mistakes:

  • Do not reboot compromised systems: This destroys volatile memory evidence and may trigger malware persistence mechanisms.
  • Do not run antivirus or cleanup tools: These modify files and timestamps, potentially destroying malware samples investigators need to analyse.
  • Do not reinstall operating systems: This obliterates disk evidence. Wait until forensic images have been created.
  • Do not communicate about the incident over compromised channels: If the attacker has access to your email or messaging systems, use out-of-band communication (personal mobile phones, separate email accounts).
  • Do not attempt amateur forensic analysis: Running unfamiliar tools on production evidence can cause irreversible damage. Leave detailed analysis to qualified professionals.
  • Do not delete or modify logs: Even if you think a log entry is irrelevant, it may prove crucial later.
  • Do not publicly disclose details prematurely: Premature disclosure can alert the attacker to your investigation, compromise legal proceedings, or create regulatory issues if the information proves inaccurate.

Working with Forensics Professionals

Most small businesses do not have in-house forensic expertise, and that is perfectly normal. Knowing when and how to engage external professionals is an important part of incident preparedness.

When to Engage a Forensics Firm

  • Any incident involving confirmed data exfiltration or ransomware.
  • Breaches that may trigger regulatory notification requirements.
  • Incidents where you need to understand the full scope of compromise.
  • Situations that may lead to legal proceedings.
  • Cases where your cyber insurer requires an independent forensic assessment.

How to Choose a Forensics Provider

  • Look for firms with recognised certifications (e.g., GIAC Certified Forensic Analyst, EnCase Certified Examiner).
  • Ensure they have experience with incidents similar to yours.
  • Verify they follow established forensic standards and methodologies.
  • Confirm their evidence handling procedures are legally defensible.
  • Establish a relationship before an incident occurs — during a crisis is not the time to be evaluating vendors.

Preparing for the Engagement

When you contact a forensics firm, be ready to provide:

  1. A summary of what is known about the incident so far.
  2. A timeline of events and actions taken.
  3. An inventory of affected systems and their current state.
  4. Details of your IT environment (network diagram, key systems, cloud services).
  5. Any preserved evidence (forensic images, log exports, screenshots).

Legal Considerations

Digital forensics often intersects with legal requirements. Key considerations include:

  • Data protection: Forensic investigations may involve accessing personal data. Ensure your investigation activities comply with GDPR and other applicable privacy regulations.
  • Legal privilege: Consider engaging forensic investigators through your legal counsel so that findings may be protected by legal professional privilege.
  • Employee privacy: If the investigation involves employee devices or accounts, ensure you have appropriate policies and legal grounds for accessing that data.
  • Law enforcement reporting: Some incidents may warrant reporting to law enforcement. Your forensic evidence will be far more useful to investigators if it has been properly preserved and documented.
  • Regulatory notifications: Forensic findings often determine the scope of data affected, which directly impacts your breach notification obligations.

Building Forensic Readiness

The best time to prepare for digital forensics is before an incident occurs. Take these proactive steps:

  1. Establish log retention: Configure all systems to retain logs for a minimum of 90 days, preferably longer. Centralise log storage where possible.
  2. Document your environment: Maintain an up-to-date asset inventory and network diagram so investigators can quickly understand your infrastructure.
  3. Include forensics in your incident response plan: Define who is responsible for evidence preservation, when to engage external forensics, and how the chain of custody will be maintained.
  4. Pre-select a forensics provider: Identify and vet a forensics firm before you need one. Some organisations include forensic response in their cyber insurance or managed security service agreements.
  5. Train key staff: Ensure IT staff and incident responders understand the basics of evidence preservation. They do not need to be forensic experts, but they need to know what not to do.
  6. Test your readiness: Include forensic evidence collection in your incident response tabletop exercises to identify gaps in your processes and tools.

Key Takeaways

Digital forensics may seem like a specialised discipline beyond the reach of small businesses, but the fundamentals are straightforward: preserve evidence carefully, document everything, maintain chain of custody, and know when to bring in professionals. These basics can be the difference between a thorough understanding of what happened and permanent uncertainty.

Start by reviewing your current incident response plan through a forensic lens. Can you capture volatile evidence quickly? Are your logs retained long enough to be useful? Do your staff know what not to do in the first critical hours? Address these questions now, while you have the luxury of time, and you will be far better prepared when an incident inevitably occurs.