Incident data and metadata are collected, and their integrity and provenance are preserved
Incident data, the raw evidence gathered during an investigation, is the factual foundation of every conclusion drawn about the incident. If data is incomplete, uncollected, or of uncertain provenance, the conclusions built on it are equally uncertain. Collecting incident data systematically and preserving its integrity ensures that findings are defensible, that the investigation can be re-examined if needed, and that lessons learned are grounded in fact rather than inference.
Implementation steps
1. Define a standard evidence collection checklist for incident types
For each major incident category (compromised endpoint, data breach, insider threat, ransomware), define a standard checklist of evidence to collect: which log sources to export, which system artifacts to capture, what network data to preserve, and what user account activity to review. A checklist prevents gaps in collection that happen when investigators under pressure forget to gather a key data source.
Tools: Confluence, Notion
2. Centralize and catalog collected incident data
Store all collected incident data in a centralized location tied to the incident record: attach log exports, disk images, screenshots, and other artifacts directly to the incident ticket or a linked evidence repository. Record the collection time, the source system, and the collection method for each artifact. This catalog allows any team member to locate and understand what evidence exists without searching across disconnected locations.
Tools: Jira, Confluence, AWS S3
3. Apply integrity verification to collected data
For each collected artifact, compute a cryptographic hash (SHA-256 minimum) at the time of collection and record it alongside the artifact. Before using evidence in analysis, verify the hash to confirm it has not been altered. For cloud log exports, use the service's built-in log integrity verification where available (e.g., AWS CloudTrail log file validation). This step makes evidence trustworthy for both internal review and external inquiry.
Tools: AWS CloudTrail, GCP, Azure
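As an added example, not part of the original page, the following Python script implements step 3 together with the metadata from step 2: each artifact is hashed with SHA-256 at collection time, the hash is stored with its provenance fields in a manifest entry, and the hash is re-checked before analysis so that any later change is caught. The host name, analyst name, collection method and log lines are constructed placeholders.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1024 * 1024):
    """Hash in chunks so disk images and large log exports never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def catalog_artifact(manifest, path, source_system, method, collected_by):
    """Record the hash and provenance metadata for one artifact at collection time."""
    entry = {
        "artifact": os.path.basename(path),
        "sha256": sha256_file(path),
        "size_bytes": os.path.getsize(path),
        "source_system": source_system,
        "collection_method": method,
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    manifest.append(entry)
    return entry

def verify_artifact(entry, path):
    """Re-hash before analysis; False means the artifact is missing or was altered."""
    return os.path.isfile(path) and sha256_file(path) == entry["sha256"]

def demo():
    """Collect a constructed log export, catalog it, then show that a later edit is caught."""
    manifest = []
    with tempfile.TemporaryDirectory() as workdir:
        export = os.path.join(workdir, "auth.log")
        # Constructed sample lines, not real log data.
        lines = ["2024-05-01T10:00:01Z sshd: Accepted publickey for deploy from 10.0.0.5\n",
                 "2024-05-01T10:00:07Z sudo: deploy : COMMAND=/usr/bin/less /var/log/syslog\n"]
        with open(export, "w") as fh:
            fh.writelines(lines)
        entry = catalog_artifact(manifest, export, "web-01", "scp of /var/log/auth.log", "analyst1")
        ok_at_collection = verify_artifact(entry, export)
        with open(export, "w") as fh:   # simulate a line being dropped after collection
            fh.writelines(lines[:1])
        ok_after_change = verify_artifact(entry, export)
    return {"entry": entry, "ok_at_collection": ok_at_collection, "ok_after_change": ok_after_change}

if __name__ == "__main__":
    print(demo())
```

In practice the manifest would be written to the evidence repository next to the artifacts and itself hashed or signed, so the provenance record is as tamper-evident as the evidence it describes.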
Evidence required
Evidence collection procedures
Documented procedures for systematically collecting incident data.
- Incident response runbook with evidence collection checklists by incident type
- Evidence collection procedure defining which artifacts to capture and how
- Training materials for incident responders on evidence preservation
Evidence catalog from past incidents
Evidence that incident data is cataloged and integrity-verified during investigations.
- Incident ticket showing attached evidence artifacts with collection metadata
- Evidence hash verification records from a past incident
- CloudTrail log validation output confirming log file integrity
Related controls
- Investigate contributing factors to confirmed incidents (Incident Analysis)
- Forensics are performed (Incident Analysis)
- Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved (Incident Analysis)
- The impact of the incident is understood (Incident Analysis)