An official training service of the State of the Kaharagians
CIS 310 Cyber Incident Response and Continuity
Lesson 7 of 10

Evidence, Forensics, and Investigation

Lesson Overview

When an incident happens, two pressures pull against each other: the urge to fix it fast, to wipe the infected machine, reset everything, and get the service back, and the need to understand what actually happened, which depends on evidence that the hasty fix would destroy. This lesson is about that second need: preserving the evidence of an incident, investigating it to establish what occurred, and doing both without trampling the very traces that explain the attack. Forensics, in this context, is the disciplined handling and examination of the evidence an incident leaves, so that the team can answer the questions that matter, how did the attacker get in, what did they reach, what did they do, are they truly gone, which cannot be answered if the evidence was destroyed in the rush to recover. It deepens the detection and analysis of Lesson 02 and the containment of Lesson 03 into the specific discipline of preserving and investigating evidence.

The governing idea is that you cannot understand an incident whose evidence you have destroyed, so evidence is preserved before it is overwritten, and the investigation is done on preserved evidence carefully handled. Incidents leave traces, in logs, on systems, in the timeline of events, that together explain what happened, but those traces are fragile and easily destroyed, by the attacker covering their tracks, by normal system activity overwriting them, and, most avoidably, by the response itself wiping or altering systems before the evidence was captured. So a disciplined response captures and preserves the evidence before acting in ways that would destroy it, handles that evidence carefully so it remains trustworthy, and investigates methodically to establish the truth of the incident. The team that preserves and investigates can answer the questions that turn an incident from a mystery survived into a lesson learned and a gap closed; the team that destroys the evidence in the rush to recover is left guessing, unable to know how the attack happened or whether it is really over. This is a genuine tension with containment and recovery, and managing it is much of the lesson.

This is the knowledge layer; the practice of forensic preservation and investigation is done under those who lead the Principality's cyber defence, and serious forensics may require specialist help. It rests on recognised incident-investigation practice and is strictly defensive and lawful. Read this to understand evidence and investigation; the practice comes under guidance.

By the end you will be able to explain why evidence must be preserved and the tension with recovery, preserve the evidence of an incident before it is destroyed, handle evidence so it stays trustworthy, investigate methodically to establish what happened, and know the limits and when specialist help is needed.

Key Terms

  • Evidence: the traces an incident leaves, in logs, on systems, and in the sequence of events, from which what happened can be reconstructed.
  • Forensics: the disciplined preservation and examination of the evidence of an incident, so that the truth of what occurred can be established.
  • Investigation: the methodical work of establishing, from the evidence, how an incident happened, what it reached, and whether it is over.
  • Preservation: capturing and protecting evidence before it is overwritten, altered, or destroyed, so it remains available to investigate.
  • Volatile evidence: evidence that is quickly lost, such as the contents of memory or live system state, which must be captured early if at all.
  • Do not tamper: the discipline of not altering systems or evidence in ways that destroy traces, especially in the rush to fix the problem.
  • Chain of custody: the documented handling of evidence over time, so that it remains trustworthy and its integrity can be shown.
  • Timeline: the ordered reconstruction of what happened and when, the spine of an investigation (introduced in Lesson 02).
  • Root cause: the underlying way the incident was able to happen, which the investigation seeks so the gap can be closed.
  • Scope: the full extent of an incident, what systems, accounts, and data were affected, which the investigation establishes.

Why evidence must be preserved

The reason evidence matters is that, without it, an incident cannot be understood, and an incident not understood cannot be properly closed. After an attack, the team must answer questions on which the recovery and the future depend: how did the attacker get in (so the gap can be closed), what did they reach (the scope, so the full extent is known), what did they do (so the damage is understood), and are they truly gone (so recovery is not built on a still-compromised system). Every one of these questions is answered from the evidence the incident left, the logs, the system state, the sequence of events, and if that evidence is gone, the questions cannot be answered, leaving the team to guess at how the attack happened, hope they have found its full extent, and trust that it is over without being able to confirm it. Evidence is what makes understanding possible, and understanding is what makes a sound recovery and a closed gap possible.

The danger is that evidence is fragile and easily destroyed, in three ways the team must guard against. The attacker may destroy it deliberately, covering their tracks by deleting logs and traces, which is why capturing evidence promptly, before the attacker or the response erases it, matters. Normal system activity may overwrite it, especially volatile evidence like the contents of memory, which is lost when a system is powered off and gone quickly even while running, so the most fragile evidence must be captured early or not at all. And, most avoidably, the response itself may destroy it: the natural urge to fix the problem fast, wipe the infected machine, reset everything, rebuild, in the rush to recover, destroys exactly the evidence needed to understand the incident, trading the answer to "how did this happen" for a few minutes' faster recovery. This last is the tension at the heart of the lesson.

That tension, between recovering fast and preserving evidence, is real and must be managed, not ignored. Containment and recovery (Lesson 03) often want to alter or wipe systems; investigation needs those systems' evidence intact. The resolution is not to choose one over the other absolutely but to preserve the evidence first, then recover, capturing the key evidence before taking the actions that would destroy it, so that both needs are met, the incident is understood and the service restored. This requires the discipline to pause, in the pressure of an incident, long enough to preserve what is needed before wiping and rebuilding, which is exactly the discipline this lesson builds, because the team that rushes to recover without preserving wins a few minutes and loses the understanding that would have prevented the next incident.

Preserving evidence before it is destroyed

The first and most important forensic discipline is preservation: capturing and protecting the evidence before it is overwritten, altered, or destroyed, because evidence not preserved early is often gone, and the rest of the investigation depends on it. The governing rule is do not tamper: do not alter the systems or evidence of an incident in ways that destroy traces, especially in the rush to fix the problem, because every careless action on a compromised system, every reboot, every cleanup, every change, may destroy evidence that cannot be recovered. The disciplined responder, on recognising an incident, is careful about what they do to the affected systems, preserving before changing, in deliberate contrast to the untrained instinct to start fixing immediately.

Preservation has a priority of urgency, because some evidence is far more fragile than the rest. Volatile evidence, the contents of memory, live system state, current connections, is lost quickly, especially when a system is powered off, so if it is to be captured at all it must be captured early, before the system is shut down or rebooted; the instinct to "turn it off and on again," or to power down a compromised machine, can destroy the most valuable evidence there is, which is why the response is careful about powering off until volatile evidence is considered. Less volatile evidence, the logs, the files, the system as it stands, lasts longer but is still vulnerable to being overwritten by activity or destroyed by the cleanup, so it too is captured and protected, copied and secured, before the system is wiped or rebuilt. And the timeline of Lesson 02, started the moment an incident is suspected and kept live, is itself preserved evidence, the ordered record of what was observed and when, which a memory-based reconstruction days later cannot match.

The practical discipline, then, is: on recognising an incident, preserve before you fix. Capture the volatile evidence early if it is needed and before the system is powered off; capture and secure the logs, files, and system state before the system is wiped or rebuilt; keep the timeline live; and generally treat the affected systems as evidence to be protected, not just problems to be cleared, until the needed evidence is safely captured. Only then, with the evidence preserved, does the team proceed to the containment and recovery that would have destroyed it. This ordering, preserve, then recover, is the core operational point of the lesson, and the discipline to hold it under the pressure to fix fast is what separates an investigable incident from a mystery.

   PRESERVE BEFORE YOU FIX  (the rush to recover destroys the evidence)

   THE TENSION   recovery wants to WIPE/REBUILD; investigation needs the
                 system's EVIDENCE intact. Resolve by PRESERVE FIRST, then recover.

   DO NOT TAMPER  don't alter the compromised system in ways that destroy
                  traces (reboots, cleanup, changes) before capturing evidence

   PRIORITY (by fragility):
     VOLATILE first   memory, live state, connections, LOST on power-off ->
                      capture EARLY (don't just "turn it off and on again")
     LESS VOLATILE    logs, files, system state -> copy and secure before
                      wiping/rebuilding
     THE TIMELINE     kept live from the moment of suspicion (Lesson 02)

   The team that rushes to recover without preserving wins minutes and loses
   the understanding that prevents the next incident.

Handling evidence and investigating

Preserved evidence must be handled so it stays trustworthy, which is the discipline of chain of custody: the documented handling of evidence over time, who captured it, when, how it was stored and protected, so that its integrity can be shown and it remains reliable. Evidence carelessly handled, of uncertain origin, possibly altered, not securely stored, loses its value, because no one can trust what it shows; evidence whose handling is documented and whose integrity is protected remains trustworthy. So the team records how evidence was captured and handled, protects it from alteration, and stores it securely, both so the investigation can rely on it and so that, if the incident ever requires it to be shown to others, to authorities, in any formal process, the evidence holds up. For a small force this need not be elaborate, but the principle, handle evidence carefully and document the handling so it stays trustworthy, applies at any scale.
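One way to make the chain-of-custody principle concrete, as an added example that is not part of the course material: at capture time the artifact is hashed and a record of who captured it, when and how is created; every handover is appended to that record; and integrity is shown later by recomputing the hash. The names, the evidence file contents and the IP address are constructed for illustration.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a captured artifact in chunks so large captures are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def seal_evidence(path: Path, collector: str, method: str) -> dict:
    """Create the custody record at capture time: what, who, when, how, and the hash."""
    now = datetime.now(timezone.utc).isoformat()
    return {
        "item": path.name,
        "sha256": sha256_file(path),
        "captured_at": now,
        "collector": collector,
        "method": method,
        "custody": [{"at": now, "holder": collector, "action": "captured"}],
    }


def log_transfer(record: dict, from_holder: str, to_holder: str, note: str) -> None:
    """Append a handover; the custody list only grows and is never rewritten."""
    record["custody"].append({
        "at": datetime.now(timezone.utc).isoformat(),
        "holder": to_holder,
        "action": f"received from {from_holder}: {note}",
    })


def verify_integrity(record: dict, path: Path) -> bool:
    """Show the evidence is unaltered: recompute the hash and compare with the sealed one."""
    return sha256_file(path) == record["sha256"]


def demo() -> tuple:
    """Seal a constructed log copy, hand it over, verify, then show what alteration does."""
    workdir = Path(tempfile.mkdtemp())
    evidence = workdir / "auth.log"
    # Constructed sample log lines, not from any real system (203.0.113.9 is a documentation address).
    evidence.write_text(
        "2026-03-01T02:14:07Z sshd: Failed password for admin from 203.0.113.9\n"
        "2026-03-01T02:14:09Z sshd: Accepted password for admin from 203.0.113.9\n"
    )
    record = seal_evidence(evidence, "Cpl. Example", "log copied from host before rebuild")
    log_transfer(record, "Cpl. Example", "Evidence store", "sealed USB, locker 3")
    intact = verify_integrity(record, evidence)          # True: untouched since capture
    with open(evidence, "a") as f:                       # a careless 'cleanup' edits the copy
        f.write("2026-03-01T02:20:00Z sshd: (line added after capture)\n")
    still_intact = verify_integrity(record, evidence)    # False: the alteration is detectable
    print(json.dumps(record, indent=2))
    return intact, still_intact


if __name__ == "__main__":
    demo()
```

The record itself should be stored apart from the artifact it describes; a hash kept beside the only copy of the evidence proves nothing if both can be altered together.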

With evidence preserved and trustworthy, the investigation establishes what happened, methodically and from the evidence rather than from assumption. It works to answer the key questions through the timeline as its spine, reconstructing the ordered sequence of the attack, when the attacker got in, what they did, in what order, so the incident's story becomes clear. From the timeline and the evidence the investigation establishes the scope, the full extent of what was affected, which systems, accounts, and data the attacker reached, because containment and recovery must cover the whole extent, and an incident whose scope is underestimated is one where compromised systems are missed and the attacker remains. And it seeks the root cause, the underlying way the incident was able to happen, the unpatched flaw, the leaked credential, the misconfiguration, because closing the root cause is how the gap is shut so the same incident does not recur, which feeds directly into the after-incident learning of Lesson 10. The investigation, in short, turns preserved evidence into understanding: the story of the attack, its full extent, and the gap that allowed it.

The investigation is conducted with the same calm method the whole course teaches, following the evidence to conclusions rather than leaping to them, distinguishing what is established from what is assumed, and being honest about what is not yet known. A hasty investigation that assumes the scope, guesses the cause, or concludes the attacker is gone without evidence leaves the incident half-understood and the recovery unsound; a methodical one, building from preserved evidence to confident conclusions about how, what, and whether-truly-over, gives the team the understanding to recover soundly and close the gap. The member who investigates methodically from preserved, trustworthy evidence establishes the truth of the incident, which is what the whole forensic discipline exists to enable.

Limits, specialist help, and the defensive purpose

A realistic word on limits and specialist help, because forensics can be a deep technical field. The preservation discipline, do not tamper, capture the volatile evidence early, secure the logs and state before wiping, keep the timeline live, handle evidence carefully, is within any disciplined responder's reach and is the most important part, because it is what keeps investigation possible, and it must be done in the moment by whoever is there. The deeper forensic analysis, the detailed technical examination of captured evidence, can require specialist skills and tools beyond a small force's everyday capability, and the honest course is to recognise when an incident is serious or complex enough to need specialist help, and to have preserved the evidence well enough that such help, when sought, has something to work with. The small force's part is often: preserve the evidence properly (which it can do), investigate to the depth it can, and bring in or defer to specialists for the deep analysis when the incident warrants, with the preserved evidence making that possible. Preserving well is the contribution any responder can make, even to an investigation they cannot themselves complete.

Finally, the purpose of all of this is understanding for defence and recovery, in keeping with the course's strictly defensive posture. The evidence is preserved and investigated to understand the incident, so as to recover soundly, close the gap, and learn, not to pursue, surveil, or retaliate against anyone; the forensic discipline serves defence and the protection of the Principality's systems and people. Where an incident's evidence is needed for a lawful process, by proper authority, that is a matter for those responsible, handled lawfully, but the responder's purpose in preserving and investigating is the defensive one: to understand what happened so the force can recover and protect itself better. The member who preserves and investigates evidence carefully gives the force the understanding it needs to close the gap and harden against the next attack, which is the defensive end that evidence, forensics, and investigation serve, and the reason this discipline sits at the heart of responding to incidents well.

In Practice: Preserve, Then Recover

A member of the Royal Kaharagian Army responding to a serious incident faces the tension at the heart of this lesson: the service is down and the pressure to wipe the compromised machine and rebuild it fast is intense, but doing so would destroy the evidence needed to understand how the attack happened and whether it is truly over. An untrained responder gives in to the urge, wipes the machine, restores the service, and is left guessing, never knowing how the attacker got in or whether they are gone. The disciplined member preserves first.

Recognising the incident, the member resists the instinct to start fixing and instead preserves before fixing, following the do not tamper discipline. They capture the volatile evidence early, the memory and live state that would be lost the moment the machine is powered off, rather than rebooting or shutting it down first; they capture and secure the logs, files, and system state before anything is wiped; and they keep the timeline live, the ordered record of what was observed and when. They handle the captured evidence carefully, documenting its chain of custody so it stays trustworthy. Only then, with the evidence preserved, do they proceed to the containment and recovery of Lesson 03 that would otherwise have destroyed it, so that both needs are met: the incident understood and the service restored.

With the evidence preserved and trustworthy, the investigation establishes the truth methodically: the timeline reconstructs how the attack unfolded; the scope is established so the full extent of affected systems and accounts is known and none missed; and the root cause is found, the underlying gap that let the incident happen, so it can be closed and the same attack prevented, feeding the after-incident learning of Lesson 10. Where the analysis exceeds the small force's depth, the member has preserved the evidence well enough that specialist help has something to work with. Throughout, the purpose is defensive understanding, to recover soundly, close the gap, and learn, not to pursue anyone. Because the member preserved before they fixed and investigated from trustworthy evidence, the incident becomes a mystery solved and a gap closed rather than a fright survived in ignorance, which is exactly what evidence, forensics, and investigation are for.

Check Your Understanding

  1. Explain why evidence must be preserved (the questions it answers: how in, what reached, what done, truly gone), the three ways evidence is destroyed (attacker, normal activity, the response itself), and the tension between recovering fast and preserving evidence, and how it is resolved.
  2. Describe the discipline of preservation: do not tamper, capturing volatile evidence early (before power-off), securing less-volatile evidence before wiping, and keeping the timeline live. Why is "preserve before you fix" the core operational point?
  3. Explain chain of custody (handling evidence so it stays trustworthy) and how the investigation establishes the timeline, the scope, and the root cause. When is specialist help needed, and what is the strictly defensive purpose of forensics?

Reflection (write a short paragraph): This lesson argues that the natural urge to fix an incident fast, wiping and rebuilding, destroys exactly the evidence needed to understand how the attack happened and whether it is over, trading the answer for a few minutes' faster recovery. Why is it so hard, in the pressure of a live incident, to pause and preserve evidence before fixing, and what does a team lose when it does not? Then consider the discipline of "do not tamper" and capturing volatile evidence before power-off: why is the instinct to "turn it off and on again" sometimes the worst thing a responder can do, and what does that teach about training the response in advance?

Summary

  • An incident cannot be understood, or properly closed, without its evidence, which answers how the attacker got in, what they reached (scope), what they did, and whether they are truly gone. Evidence is fragile and destroyed three ways: by the attacker covering tracks, by normal activity overwriting it (especially volatile evidence), and, most avoidably, by the response itself wiping systems in the rush to recover.
  • The tension between recovering fast and preserving evidence is resolved by preserve first, then recover. The core discipline is do not tamper: capture volatile evidence early (before power-off, the "turn it off and on again" instinct can destroy the best evidence), secure the logs and state before wiping or rebuilding, and keep the timeline live. Preserve before you fix.
  • Handle evidence so it stays trustworthy (chain of custody: documented handling, protected from alteration, securely stored). Investigate methodically from preserved evidence: reconstruct the timeline, establish the full scope (so no compromised system is missed), and find the root cause (so the gap is closed, feeding Lesson 10). Follow the evidence to conclusions, distinguishing established from assumed.
  • Preservation is within any responder's reach and is the most important part; deep forensic analysis may need specialist help, so recognise when an incident warrants it and preserve the evidence well enough that help has something to work with. The purpose throughout is defensive understanding, to recover, close the gap, and learn, never to pursue or retaliate.
  • This is the knowledge layer; forensic preservation and investigation are done under those who lead the Principality's cyber defence, with specialists for deep analysis. The lesson deepens the timeline and analysis of Lesson 02, manages the tension with the containment of Lesson 03, and feeds the root-cause learning of Lesson 10. Everything here is strictly defensive and lawful.

Crown Copyright © 2026 | Published by Authority of H.R.H. The Prince of Kaharagia

Lesson 7 · Knowledge Check

Question 1 of 3

What are the three ways evidence is destroyed?