What is evidence preservation?

Evidence preservation means keeping logs, files, emails, screenshots, and system information that may help understand what happened.

Simple example

Instead of deleting a suspicious email, the business saves it with headers and records when it was received.

Why it matters

Without evidence, it is harder to find the cause, understand impact, or support insurance, legal, or reporting needs.

Common warning signs

  • The activity is unexpected or unusual for the business context.
  • The request or system behaviour creates pressure to act quickly.
  • Normal approval, verification, or security processes are bypassed.
  • There are signs of unauthorised access, data exposure, or system change.
  • Staff are unsure whether the request, message, or system behaviour is legitimate.

Cyber Doc view

This term should be understood in business context, not only as a technical issue. Good protection usually combines clear processes, appropriate technical controls, staff awareness, and a calm response plan.

What to do

Proactive steps

  • Enable useful logging before incidents happen.
  • Define where logs are stored and how long they are kept.
  • Train staff not to delete suspicious emails or files too quickly.
  • Keep backup and audit records protected.
  • Document incident actions as they happen.

Reactive steps

  • Save suspicious emails, files, and screenshots.
  • Record who noticed what and when.
  • Preserve logs before they expire or rotate.
  • Avoid unnecessary cleanup before investigation.
  • Share evidence securely with responders.
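The reactive steps above, as an added example that is not part of the original page: a small Python helper that saves a suspicious email with its headers intact, copies a log file before it rotates, and records a chain-of-custody manifest (what was collected, by whom, when, and its SHA-256 hash) so the evidence can later be shown to be unaltered. The email, the log lines and the name `j.smith` are constructed samples; the directory layout and function names are assumptions.

```python
"""Added example (not from the original page): minimal evidence preservation.
Saves an email with headers intact, copies a log before it rotates, and keeps a
chain-of-custody manifest with a SHA-256 hash per item. All inputs are
constructed samples."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from email import message_from_string
from pathlib import Path

# Constructed sample: a suspicious email as raw text, headers included.
SAMPLE_EMAIL = """\
From: "Finance" <finance@example.invalid>
To: staff@example.invalid
Date: Mon, 03 Jun 2024 09:14:00 +0000
Subject: Urgent: update payment details today
Message-ID: <abc123@example.invalid>

Please update the supplier bank details before 5pm.
"""

# Constructed sample: log lines that would otherwise be lost on rotation.
SAMPLE_LOG = """\
2024-06-03T09:13:52Z mail-gw inbound from=finance@example.invalid to=staff@example.invalid
2024-06-03T09:15:10Z webmail login user=staff src=203.0.113.7
"""


def sha256_of(path: Path) -> str:
    """Hash the file so anyone can later check it has not changed."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_email(raw: str, evidence_dir: Path) -> Path:
    """Save the email exactly as received; the headers are the useful part."""
    msg = message_from_string(raw)
    # Name the file after the Message-ID if present, else a UTC timestamp.
    msg_id = (msg.get("Message-ID") or "").strip("<>")
    msg_id = msg_id or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    safe = "".join(c if c.isalnum() or c in "._-" else "_" for c in msg_id)
    dest = evidence_dir / f"email_{safe}.eml"
    dest.write_bytes(raw.encode("utf-8"))  # byte-for-byte, no newline rewriting
    return dest


def preserve_file(src: Path, evidence_dir: Path) -> Path:
    """Copy a log or file before it rotates; copy2 keeps its timestamps."""
    dest = evidence_dir / src.name
    shutil.copy2(src, dest)
    return dest


def record_custody(manifest: Path, item: Path, collected_by: str, note: str) -> dict:
    """Append one chain-of-custody entry: what, who, when, and its hash."""
    entry = {
        "item": item.name,
        "sha256": sha256_of(item),
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "note": note,
    }
    with manifest.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def preserve_incident(evidence_dir: Path, collected_by: str) -> list:
    """Run the reactive steps end to end and return the manifest entries."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = evidence_dir / "manifest.jsonl"

    # Stand-in for the live mail gateway log (constructed sample).
    live_log = evidence_dir.parent / "mail-gw.log"
    live_log.write_bytes(SAMPLE_LOG.encode("utf-8"))

    entries = []
    saved_email = preserve_email(SAMPLE_EMAIL, evidence_dir)
    entries.append(record_custody(manifest, saved_email, collected_by,
                                  "Suspicious payment-change request"))
    saved_log = preserve_file(live_log, evidence_dir)
    entries.append(record_custody(manifest, saved_log, collected_by,
                                  "Mail gateway log copied before rotation"))
    return entries


def verify_manifest(evidence_dir: Path) -> bool:
    """Re-hash every preserved item; True only if nothing has been altered."""
    manifest = evidence_dir / "manifest.jsonl"
    for line in manifest.read_text(encoding="utf-8").splitlines():
        entry = json.loads(line)
        if sha256_of(evidence_dir / entry["item"]) != entry["sha256"]:
            return False
    return True


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "evidence"
        for e in preserve_incident(out, collected_by="j.smith"):
            print(e["item"], e["sha256"][:12], e["collected_at"])
        print("integrity ok:", verify_manifest(out))
```

The manifest is append-only and every entry carries a hash, so a responder receiving the evidence folder can re-run `verify_manifest` and immediately see whether any item was changed after collection. In practice the evidence directory should live on storage that ordinary users cannot write to, matching the "keep backup and audit records protected" step above.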

Related terms

  • Forensics
  • Timeline analysis
  • Incident response