AS-301i · Module 1
Evidence Preservation Standards
Evidence that will not hold up in legal proceedings is evidence that protects nobody. Forensic evidence preservation for AI systems must meet the same standards as traditional digital evidence: integrity (the evidence has not been modified since collection), authenticity (the evidence is what it purports to be), completeness (all relevant evidence has been collected), and chain of custody (the evidence's handling history is documented from collection through presentation).
- Integrity: Hash every evidence artifact at collection time using SHA-256 or stronger. Store the hash separately from the evidence. At any point in the future, re-hashing the artifact and comparing it to the stored hash proves the evidence has not been modified. [CLEARED]: This is standard digital forensics practice applied to AI-specific evidence types.
- Authenticity: Document the source system, the collection method, the collection time, and the collector's identity for every evidence artifact. The documentation proves that this log entry came from this agent on this system at this time — not from a different system, not from a reconstruction, not from an approximation.
- Completeness: Define the evidence scope before collection begins. For an AI incident, the scope typically includes: all interaction logs for the affected session, the system prompt version in effect, the model version and configuration, the context window composition, all tool invocation logs, all guardrail event logs, and the infrastructure logs for the time window. A scope definition prevents both under-collection (missing evidence) and over-collection (collecting irrelevant data that complicates analysis). [RECOMMEND]: Document the scope in the incident record before collection begins.
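The three checks above combined into one collection manifest, as an added example that is not part of the course material: each artifact is hashed with SHA-256 and recorded with its source system, method, time and collector, then re-verified and compared against the scope. The scope key names, host name, collector name and sample log files are constructed assumptions.

```python
import hashlib, os, tempfile
from datetime import datetime, timezone

# Scope categories follow the completeness item above; the key names are assumptions.
SCOPE = ["interaction_logs", "system_prompt", "model_config", "context_window",
         "tool_invocation_logs", "guardrail_event_logs", "infrastructure_logs"]

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def collect(artifacts, source_system, method, collector):
    """artifacts: {scope_category: path}. The returned manifest is stored apart from the evidence."""
    now = datetime.now(timezone.utc).isoformat()
    entries = [{"category": c, "path": p, "sha256": sha256_file(p),
                "source_system": source_system, "collection_method": method,
                "collected_at": now, "collector": collector}
               for c, p in artifacts.items()]
    return {"scope": list(SCOPE), "entries": entries}

def missing_from_scope(manifest):
    """Scope categories with no collected artifact (under-collection)."""
    have = {e["category"] for e in manifest["entries"]}
    return [c for c in manifest["scope"] if c not in have]

def verify(manifest):
    """Re-hash every artifact; return paths that are absent or no longer match."""
    return [e["path"] for e in manifest["entries"]
            if not os.path.isfile(e["path"]) or sha256_file(e["path"]) != e["sha256"]]

def demo():
    """Constructed sample: two small log files written to a temp directory."""
    d, paths = tempfile.mkdtemp(), {}
    for cat, body in [("interaction_logs", b'{"turn":1}\n'),
                      ("guardrail_event_logs", b'{"event":"block"}\n')]:
        paths[cat] = os.path.join(d, cat + ".jsonl")
        with open(paths[cat], "wb") as f:
            f.write(body)
    m = collect(paths, "agent-host-01 (constructed)", "file copy", "analyst-a (constructed)")
    clean = verify(m)                                  # expected: nothing changed yet
    with open(paths["interaction_logs"], "ab") as f:   # simulate a post-collection edit
        f.write(b'{"turn":2}\n')
    return m, clean, verify(m), missing_from_scope(m)

if __name__ == "__main__":
    print(demo()[1:])
```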