AuditRubric
rs-an-6 medium Respond / Incident Analysis

Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved

An incident investigation is itself a chain of events that needs to be documented. Without records of what actions investigators took, when they took them, and what evidence they examined, it becomes impossible to reconstruct the investigation itself. This documentation is essential for legal proceedings, regulatory inquiries, insurance claims, and post-incident reviews. Investigators who work without documenting their steps risk having their findings challenged and their actions misattributed.

Estimated effort: 3h
forensics, chain-of-custody, evidence-integrity, incident-documentation, legal

Implementation steps

  1. Require real-time documentation of investigative actions

     Establish a norm that investigators document their actions as they work, not after the fact: commands run, systems accessed, evidence collected, and findings noted. Use a dedicated incident management system or a Slack channel with retained logs as a running record. Real-time documentation is more accurate than memory-based reconstruction after the fact.

     jira, pagerduty, confluence, slack
  2. Use write-once or tamper-evident storage for forensic artifacts

     Store forensic artifacts (disk images, memory captures, log exports) in storage that is protected against modification after the fact: S3 buckets with Object Lock enabled, write-once storage volumes, or forensic workstations operated under chain-of-custody procedures. Hash all collected evidence immediately after acquisition and record the hash alongside the artifact. If a later hash check does not match, the artifact has been altered since acquisition and can no longer be relied upon as evidence.

     aws-s3, gcp, azure
  3. Maintain a formal chain of custody for significant incidents

     For incidents where legal action or regulatory investigation is possible, maintain a formal chain of custody: a record of every person who had access to each piece of evidence, when they accessed it, and what they did with it. This chain of custody preserves the admissibility and credibility of evidence. Designate an evidence custodian for significant incidents.

     confluence, jira
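Steps 2 and 3 above can be combined in one record-keeping routine: hash each artifact at acquisition, then log every custody event against that hash in an append-only, hash-chained log so that a later edit or deletion of any entry is detectable. The following is an added illustration written for this page, not code from the rubric or from any of the tools it names; the artifact bytes and actor names are constructed, and a real deployment would write the log to the write-once storage the step describes.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_entry_hash value for the first log entry

def sha256_hex(data: bytes) -> str:
    """SHA-256 hex digest of an artifact or of a serialized log entry."""
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    """Digest over an entry's fields, excluding its own entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

class CustodyLog:
    """Append-only chain-of-custody log: each entry carries the hash of the
    previous one, so editing or deleting any entry breaks verify_chain()."""

    def __init__(self):
        self.entries = []

    def record(self, artifact_id, actor, action, artifact_sha256, when=None):
        # 'when' defaults to the current UTC time; pass a fixed value for reproducible runs.
        entry = {
            "artifact_id": artifact_id,
            "actor": actor,
            "action": action,
            "artifact_sha256": artifact_sha256,
            "timestamp": when or datetime.now(timezone.utc).isoformat(),
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True only if every entry hashes correctly and links to its predecessor."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_entry_hash"] != prev or entry_digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def verify_artifact(data: bytes, recorded_sha256: str) -> bool:
    """Re-hash the stored artifact and compare with the hash recorded at acquisition."""
    return sha256_hex(data) == recorded_sha256
```

A custodian records `acquired` first (capturing `sha256_hex` of the image), each analyst access is appended afterwards, and the periodic integrity check runs both `verify_chain()` over the log and `verify_artifact()` over the stored bytes.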

Evidence required

Investigation documentation practices

Evidence that investigative actions are recorded during incident response.

  • Incident ticket history showing timestamped investigator actions
  • Incident response runbook requiring action logging
  • Evidence collection log from a past incident

Evidence integrity controls

Evidence that forensic artifacts are stored with integrity protections.

  • S3 Object Lock or write-once storage configuration for forensic artifact storage
  • Evidence hash verification procedure in the incident response runbook
  • Chain of custody form template used for significant incidents

Related controls