Collection of Evidence
Plain English Translation
ISO 27001 Annex A.5.28 requires organizations to have a formal, documented process for gathering and protecting digital and physical evidence after a security incident. This ensures that any collected logs, memory dumps, or physical devices remain legally admissible and can be accurately analyzed without accidental tampering or destruction during the investigation.
Technical Implementation
Required Actions (startup)
- Centralize critical system logs to prevent local tampering during an incident
- Define basic evidence collection steps in the Incident Response Plan
Required Actions (scaleup)
- Create a formal chain of custody document to track who handles sensitive data
- Implement cryptographic hashing (e.g., SHA-256) for all exported logs and forensic images at the time of collection
Required Actions (enterprise)
- Retain external digital forensics and incident response (DFIR) specialists on retainer for rapid, legally defensible acquisition
- Automate the secure capture of volatile memory and disk snapshots upon high-severity SIEM alerts
A.5.28 is an organizational control that requires an entity to establish and implement procedures for identifying, collecting, acquiring, and preserving evidence related to information security events, so that the evidence's integrity and admissibility are maintained.
Types of evidence include system and audit logs, network traffic captures (PCAPs), memory dumps, disk images, and physical devices such as compromised laptops or unauthorized removable media.
A defensible chain of custody is maintained by meticulously documenting who collected the evidence, when and how it was collected, who has had access to it since, and proving it has not been altered using cryptographic hashes.
The procedure should detail the scope of what constitutes evidence, roles authorized to collect it, approved forensic tools, chain of custody documentation requirements, and secure storage specifications.
Preserve logs by forwarding them in real time to a secure, centralized log server (such as a SIEM) configured with Write-Once-Read-Many (WORM) storage or strict read-only access controls to prevent tampering.
Evidence collection should be handled by a trained Incident Responder or a designated digital forensics specialist, with the Incident Manager overseeing the process and legal counsel advising on preservation requirements.
Retention periods depend on legal hold requirements, regulatory obligations, and the organization's data retention policies, often spanning from several months to years depending on the jurisdiction and severity of the incident.
Common tools include write-blockers for physical disks, specialized imaging software (like FTK Imager or EnCase), memory capture utilities, and cloud-native snapshot features for virtual machines.
Store digital evidence in encrypted, access-controlled environments and generate SHA-256 hashes immediately upon collection to verify integrity later; physical evidence should be secured in locked safes.
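As an added illustration of the hash-at-collection and chain-of-custody points above (this is example code, not part of the page or of any WatchDog Security product), the Python below hashes an evidence item with SHA-256 when it is collected, records who collected it and how, re-hashes it at every hand-off so the custody log shows exactly which transfer an alteration happened in, and verifies the item against the reference hash before analysis. The case id, person names, acquisition method and log lines are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def collect_evidence(path, case_id, collector, method):
    """Create the custody record at the moment of collection.
    The hash taken here is the reference value every later check compares against."""
    reference = sha256_file(path)
    return {
        "case_id": case_id,
        "item": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "sha256": reference,
        "custody": [
            {"action": "collected", "by": collector, "to": collector,
             "at": _now(), "method": method, "sha256_observed": reference}
        ],
    }


def transfer_custody(record, path, from_person, to_person, purpose):
    """Append a hand-off entry. The item is re-hashed on every transfer so the
    log pinpoints the hand-off in which any alteration occurred.
    Returns True if the item still matches the reference hash."""
    observed = sha256_file(path)
    record["custody"].append(
        {"action": "transferred", "by": from_person, "to": to_person,
         "at": _now(), "purpose": purpose, "sha256_observed": observed}
    )
    return observed == record["sha256"]


def verify_evidence(record, path):
    """Integrity check to run before analysis or before producing the item."""
    return sha256_file(path) == record["sha256"]


def export_record(record):
    """Serialise the record for storage separate from the evidence itself."""
    return json.dumps(record, indent=2, sort_keys=True)


def demo():
    """Walk one item through collection, a hand-off, and an unlogged modification."""
    with tempfile.TemporaryDirectory() as workdir:
        item = os.path.join(workdir, "auth.log")
        with open(item, "wb") as fh:  # constructed sample log lines (documentation IP range)
            fh.write(b"2026-02-17T10:00:01Z sshd[4112]: Failed password for admin from 203.0.113.7\n"
                     b"2026-02-17T10:00:04Z sshd[4112]: Accepted password for admin from 203.0.113.7\n")
        # hypothetical case id, handler names and method
        record = collect_evidence(item, "INC-0001", "ir-analyst-1", "rsyslog export")
        intact_at_handoff = transfer_custody(record, item, "ir-analyst-1", "forensics-lead", "analysis")
        verified_before = verify_evidence(record, item)
        with open(item, "ab") as fh:  # simulate a modification nobody logged
            fh.write(b"2026-02-17T10:05:00Z sshd[4112]: Disconnected\n")
        verified_after = verify_evidence(record, item)
        return intact_at_handoff, verified_before, verified_after, len(record["custody"])


def known_vector():
    """SHA-256 of the bytes b'abc', a sanity check on the hashing routine."""
    with tempfile.TemporaryDirectory() as workdir:
        p = os.path.join(workdir, "abc.bin")
        with open(p, "wb") as fh:
            fh.write(b"abc")
        return sha256_file(p)


if __name__ == "__main__":
    print(demo())
    print(export_record(collect_evidence(__file__, "INC-0000", "self", "self-test")))
```

Running `demo()` returns `(True, True, False, 2)`: the hand-off found the item intact, the pre-analysis check passed, and the check after the appended line failed, with two custody entries recorded. In practice the exported record is kept on the WORM or read-only storage described above, apart from the evidence it describes, so that an attacker who can alter the item cannot also rewrite its reference hash; for disk acquisitions the same routine is run against both the write-blocked source and the resulting image so the two hashes can be shown to match.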
Evidence collection is a critical phase within the broader incident response lifecycle (A.5.26), providing the raw, untampered data required for digital forensics and conducting thorough root cause analysis (A.5.27).
Evidence collection fails most often due to inconsistent procedures and missing documentation under pressure. WatchDog Security's Compliance Center can help by mapping A.5.28 requirements to a repeatable checklist, storing the approved chain-of-custody form as an evidence template, and flagging gaps (e.g., missing hashes, missing owner sign-off) before an audit.
Evidence often needs to be reviewed by multiple stakeholders, and uncontrolled sharing can create integrity and confidentiality risks. WatchDog Security's Secure File Sharing supports encrypted distribution with access controls, TOTP verification, and audit logs so you can demonstrate who accessed which evidence package and when, while keeping the original files protected.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-17 | WatchDog Security GRC Team | Initial publication |