AS-301h · Module 2
Evidence Preservation
This is the part most people skip. This is the part that matters.
Evidence that is modified, deleted, or overwritten during incident response cannot be used for forensic analysis, legal proceedings, or regulatory compliance. Evidence preservation means taking immutable snapshots of the system state before any containment or remediation actions modify it. The containment action itself may destroy evidence — isolating an agent flushes its memory, rotating a credential invalidates the authentication log. Preserve first, then contain.
- System State Snapshot: Before containment, snapshot conversation logs, context window contents, model configuration, system prompt, tool permissions, active credentials, and guardrail configuration. Store snapshots in immutable storage with hash verification. The chain of custody starts at preservation.
- Log Preservation: Export all relevant logs to a separate, read-only storage location: AI interaction logs, tool invocation logs, guardrail event logs, and infrastructure logs for the affected time window. Log retention in the primary system may be limited — exporting to preserved storage ensures the evidence survives log rotation.
- Chain of Custody: Document who preserved the evidence, when, using what method, and where it is stored. The chain of custody is required for any legal or regulatory proceeding. An evidence artifact without provenance is an artifact without legal weight.
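The preserve-then-verify sequence described in the three steps above, as an added Python example that is not part of the course material: it copies constructed agent-state artifacts into a read-only evidence directory, records who, when, how and where together with per-artifact SHA-256 hashes in a manifest, and later detects a preserved copy that was altered. All file names, contents and the analyst identifier are hypothetical.

```python
import hashlib, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample artifacts standing in for an agent's state at preservation
# time (hypothetical names and contents, not from the course).
SAMPLE_ARTIFACTS = {
    "conversation_log.jsonl": b'{"role":"user","content":"book a flight"}\n',
    "system_prompt.txt": b"You are a travel assistant.\n",
    "tool_permissions.json": b'{"http_get": "allow", "shell": "deny"}\n',
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def preserve(artifacts: dict, evidence_dir: str, preserver: str, method: str) -> dict:
    """Copy each artifact read-only and write a chain-of-custody manifest beside it."""
    root = Path(evidence_dir)
    root.mkdir(parents=True, exist_ok=True)
    entries = {}
    for name, content in artifacts.items():
        (root / name).write_bytes(content)
        (root / name).chmod(0o444)  # read-only: later handling must not alter the copy
        entries[name] = sha256_hex(content)
    manifest = {  # who, when, how, where: the chain of custody starts here
        "preserved_by": preserver, "method": method,
        "preserved_at": datetime.now(timezone.utc).isoformat(),
        "location": str(root.resolve()), "artifacts": entries,
    }
    manifest_bytes = json.dumps(manifest, sort_keys=True, indent=2).encode()
    (root / "MANIFEST.json").write_bytes(manifest_bytes)
    manifest["manifest_sha256"] = sha256_hex(manifest_bytes)  # record out of band (ticket, notebook)
    return manifest

def verify(evidence_dir: str) -> list:
    # Names of preserved artifacts whose current hash no longer matches the manifest.
    root = Path(evidence_dir)
    manifest = json.loads((root / "MANIFEST.json").read_bytes())
    return [name for name, expected in manifest["artifacts"].items()
            if sha256_hex((root / name).read_bytes()) != expected]

def demo() -> tuple:
    """Preserve, verify, then simulate a remediation edit that touches the preserved copy."""
    root = Path(tempfile.mkdtemp())
    manifest = preserve(SAMPLE_ARTIFACTS, str(root), "ir-analyst (hypothetical)", "agent state export")
    before = verify(str(root))
    target = root / "system_prompt.txt"
    target.chmod(0o644)  # lifting the read-only bit is exactly the kind of step verify() must catch
    target.write_bytes(target.read_bytes() + b"# edited during remediation\n")
    return before, verify(str(root)), manifest
```

The manifest hash returned by preserve() is what goes into the custody record; a manifest that sits only beside the evidence can be rewritten along with it.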