Digital Forensics After a Breach:
What Companies Must Preserve & Why It Matters
When a cyberattack strikes, the first 72 hours are everything. This authoritative guide explains exactly what digital evidence companies must preserve after a breach, why each evidence type is critical, and how a disciplined forensic response protects both your business and your legal standing.
- Why digital forensics is non-negotiable after a breach
- The golden rule: preserve before you investigate
- Critical evidence types every organization must protect
- The 72-hour evidence window — and why it closes fast
- Forensic chain of custody and legal admissibility
- Cloud, hybrid, and on-premise forensic challenges
- Regulatory obligations: HIPAA, PCI-DSS, SOC 2, and more
- How Sentinel Cyber Security supports forensic investigations
- Frequently asked questions about post-breach forensics
1. Why Digital Forensics Is Non-Negotiable After a Breach
A data breach is not just a technical incident — it is a legal, regulatory, and business crisis. Digital forensics is the discipline that answers the four questions every board, regulator, and insurer demands after an attack: What happened? How did it happen? What was accessed or exfiltrated? And how do we ensure it does not happen again?
Without a rigorous forensic investigation, organizations face compounded exposure: they cannot quantify the breach for mandatory notification timelines, they cannot defend themselves in litigation, they cannot remediate unknown vulnerabilities, and they cannot demonstrate due diligence to regulators. According to IBM's Cost of a Data Breach Report, organizations that contain a breach within 200 days save an average of $1.12 million compared to those that do not — and forensic readiness is the single greatest factor in containment speed.
Digital forensics encompasses the systematic collection, preservation, analysis, and presentation of electronic evidence. It is a structured science, not improvisation. Every action taken — or not taken — in the immediate aftermath of a breach will be scrutinized. A forensics-first posture transforms chaos into control.
2. The Golden Rule: Preserve Before You Investigate
The most critical mistake organizations make after discovering a breach is to begin remediating systems before evidence is preserved. Wiping infected endpoints, patching vulnerabilities, or resetting credentials without first capturing forensic images destroys the evidence trail irreversibly.
Preservation must precede remediation. This principle holds even when business pressure to restore operations is intense. A forensic snapshot — a bit-for-bit image of a compromised system at the moment of discovery — is the foundation of every subsequent analysis, every legal proceeding, and every insurance claim.
- Do not power off compromised systems — RAM contains volatile evidence including encryption keys, active sessions, and malware in memory that disappears on shutdown.
- Isolate, do not remediate — Network isolation prevents attacker persistence and lateral movement while preserving state.
- Document everything — Every action taken from the moment of discovery must be timestamped, logged, and attributed to a named individual.
- Engage forensic professionals immediately — Delay in professional engagement is the most common cause of inadmissible evidence.
3. Critical Evidence Types Every Organization Must Protect
Not all digital evidence is equal. Forensic investigators prioritize based on what the evidence can reveal about attacker behavior, access scope, data exfiltration, and persistence mechanisms. Below is the authoritative taxonomy of evidence categories — and why each one matters.
Volatile System Memory (RAM)
RAM contains the richest forensic evidence available — and it vanishes when power is cut. A live memory acquisition of a compromised system can reveal running processes, injected malicious code, decrypted data, active network connections, recently executed commands, and attacker tools resident only in memory. Fileless malware — which accounts for over 77% of successful breaches — leaves almost no disk artifacts. RAM acquisition is often the only way to detect and attribute such attacks. Priority: Acquire immediately before any other action.
Authentication & Identity Logs
Authentication logs — from Active Directory, Azure AD, Okta, Google Workspace, and every other identity provider — document every login attempt, success, failure, privilege escalation, and account creation. These logs establish the attacker's initial access vector, the accounts compromised, the timeframe of unauthorized access, and the scope of privilege abuse. For ransomware and nation-state intrusions alike, authentication logs are the narrative backbone of the investigation. Logs must be preserved in their original, unmodified format with cryptographic hash verification. Retention window: many authentication logs default to 30–90 days. Organizations must extend this immediately upon breach detection.
Endpoint Telemetry & EDR Data
Endpoint Detection and Response (EDR) platforms generate continuous telemetry: process trees, parent-child process relationships, file creation and modification events, registry changes, network connections from the endpoint, and script execution logs. This data is essential for reconstructing attacker TTPs (Tactics, Techniques, and Procedures) and mapping them against the MITRE ATT&CK framework. Forensic disk images should be taken from all endpoints involved in the incident, including lateral movement paths. Disk images must be write-protected and stored in forensically sound containers with SHA-256 hash verification.
Network Traffic Logs & SIEM Data
Network flow data (NetFlow/IPFIX), full-packet captures (PCAP), DNS query logs, proxy logs, and firewall connection records document how the attacker moved through the network and where they sent data. For data exfiltration cases — the highest-cost breach type — network evidence is often the only way to quantify exactly what was stolen, when, and where it went. SIEM (Security Information and Event Management) platforms aggregate these logs; their preservation must include both raw log sources and SIEM-indexed records. DNS over HTTPS (DoH) and encrypted C2 channels make network forensics increasingly complex; organizations must maintain visibility into encrypted traffic flows.
Email & Communication Records
Business Email Compromise (BEC) and phishing remain the leading initial access vectors. Email metadata — headers, routing information, timestamps, sender authentication records (SPF, DKIM, DMARC results) — can identify forged sender identities, attacker infrastructure, and targeted users. Full email bodies and attachments must be preserved for malware analysis, social engineering attribution, and financial fraud recovery. Microsoft 365 and Google Workspace audit logs document email rule creation (a key attacker persistence technique), forwarding configurations, and inbox access from external IPs.
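The header checks described above can be automated at triage time. The following is an added example, not code from the article or from Sentinel Cyber Security: it reads the Authentication-Results header that the organisation's own receiving MTA stamped on a message, extracts the SPF, DKIM and DMARC verdicts, and checks that the authenticated domains align with the visible From: domain. The sample message, the MTA name `mx.example.com` and the addresses in it are constructed; only the Authentication-Results header written by a trusted MTA is consulted, because a header that arrived with the message itself proves nothing.

```python
"""Parse sender-authentication results from a preserved email for triage.

Added example, not the article's or any vendor's code. Works on a raw RFC 5322
message as preserved from the mail system. The sample below is constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: this is the authserv-id our own receiving MTA writes into the
# Authentication-Results header. Headers claiming any other id are ignored.
TRUSTED_AUTHSERV_ID = "mx.example.com"

# Constructed sample: the visible From: claims an internal address, but the
# receiving MTA recorded SPF, DKIM and DMARC failures for it.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.com;
 spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=example.com;
 dkim=none (message not signed) header.d=none;
 dmarc=fail action=quarantine header.from=example.com
Received: from smtp7.unrelated-host.example (203.0.113.7) by mx.example.com
From: "CFO" <cfo@example.com>
To: payments@example.com
Subject: Urgent wire transfer
Date: Tue, 05 May 2026 09:12:00 +0000

Please process the attached invoice today.
"""

METHOD_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
PROP_RE = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from)=([\w.@-]+)")


def parse_auth_results(value):
    """Return the authserv-id, method verdicts and properties of one header."""
    flat = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
    result = {"authserv_id": flat.split(";", 1)[0].strip()}
    for method, verdict in METHOD_RE.findall(flat):
        result[method] = verdict.lower()
    for prop, val in PROP_RE.findall(flat):
        result[prop] = val.lower()
    return result


def assess_message(raw, trusted_authserv_id=TRUSTED_AUTHSERV_ID):
    """Summarise authentication findings; 'suspect' is True unless DMARC passed."""
    msg = message_from_string(raw)
    parsed = [parse_auth_results(h) for h in (msg.get_all("Authentication-Results") or [])]
    trusted = [p for p in parsed if p["authserv_id"] == trusted_authserv_id]
    if not trusted:
        return {"suspect": True, "results": None,
                "findings": ["no Authentication-Results header from the trusted MTA"]}
    ar = trusted[0]
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = []
    for method in ("spf", "dkim", "dmarc"):
        if ar.get(method) != "pass":
            findings.append(f"{method} result is {ar.get(method, 'absent')}")
    if ar.get("header.from") and ar["header.from"] != from_domain:
        findings.append("DMARC header.from does not match the visible From: domain")
    dkim_d = ar.get("header.d")
    if dkim_d and dkim_d != "none" and not (from_domain == dkim_d or from_domain.endswith("." + dkim_d)):
        findings.append(f"DKIM signing domain {dkim_d} is not aligned with {from_domain}")
    return {"suspect": ar.get("dmarc") != "pass", "results": ar,
            "from_domain": from_domain, "findings": findings}


if __name__ == "__main__":
    for line in assess_message(SAMPLE_MESSAGE)["findings"]:
        print(line)
```

Run it over the preserved .eml files of a suspected BEC case; every message whose trusted header lacks a DMARC pass is a candidate for deeper analysis of the Received: chain and the originating IP.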
Cloud Activity Logs & API Records
Cloud environments introduce unique forensic challenges. AWS CloudTrail, Azure Monitor, GCP Cloud Audit Logs, and equivalent services in other platforms record every API call, configuration change, resource creation, permission modification, and data access event. Attackers who compromise cloud credentials can exfiltrate entire S3 buckets, modify security group rules, or deploy persistent backdoor infrastructure — all within minutes and without touching a single endpoint. Cloud audit logs are often disabled, under-retained, or stored in attacker-accessible locations. A forensic engagement must immediately verify log completeness and integrity before any cloud infrastructure modification.
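Verifying cloud log completeness before anyone changes the environment is a concrete, scriptable step. The following is an added example, not code from the article or from Sentinel Cyber Security: it evaluates AWS CloudTrail trail descriptions shaped like the responses of the DescribeTrails and GetTrailStatus API calls and lists the readiness gaps (logging stopped, file validation off, single-region coverage, delivery to an unapproved bucket, delivery errors). The two sample trails, the account number and the bucket allowlist are constructed; `fetch_live` shows how the same structures would be pulled with boto3 from a real account.

```python
"""CloudTrail readiness check to run before any cloud infrastructure change.

Added example, not the article's or any vendor's code. Evaluates trail
descriptions offline; sample data is constructed.
"""
from datetime import datetime, timezone

# Assumption: these buckets sit in the central logging account and are the
# only approved delivery targets for trails.
APPROVED_LOG_BUCKETS = {"central-audit-logs-111122223333"}

# Constructed to mirror describe_trails()["trailList"] entries.
SAMPLE_TRAILS = [
    {"Name": "org-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
     "S3BucketName": "central-audit-logs-111122223333",
     "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
     "HomeRegion": "us-east-1"},
    {"Name": "legacy-trail",
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/legacy-trail",
     "S3BucketName": "dev-scratch-bucket",
     "IsMultiRegionTrail": False, "LogFileValidationEnabled": False,
     "HomeRegion": "eu-west-1"},
]

# Constructed to mirror get_trail_status() responses, keyed by trail name.
SAMPLE_STATUS = {
    "org-trail": {"IsLogging": True,
                  "LatestDeliveryTime": datetime(2026, 5, 4, 22, 15, tzinfo=timezone.utc)},
    "legacy-trail": {"IsLogging": False,
                     "StopLoggingTime": datetime(2026, 5, 3, 1, 42, tzinfo=timezone.utc),
                     "LatestDeliveryError": ""},
}


def assess_trail(trail, status, approved_buckets=APPROVED_LOG_BUCKETS):
    """Return the readiness gaps for one trail; an empty list means no gaps."""
    gaps = []
    if not status.get("IsLogging"):
        stopped = status.get("StopLoggingTime")
        gaps.append("logging is stopped" + (f" (since {stopped.isoformat()})" if stopped else ""))
    if not trail.get("LogFileValidationEnabled"):
        gaps.append("log file validation disabled: digest files cannot prove completeness")
    if not trail.get("IsMultiRegionTrail"):
        gaps.append(f"single-region trail: API activity outside {trail.get('HomeRegion')} is not recorded")
    if trail.get("S3BucketName") not in approved_buckets:
        gaps.append(f"delivers to '{trail.get('S3BucketName')}', which is not an approved central log bucket")
    if status.get("LatestDeliveryError"):
        gaps.append(f"last delivery failed: {status['LatestDeliveryError']}")
    return gaps


def assess_account(trails, statuses, approved_buckets=APPROVED_LOG_BUCKETS):
    """Per-trail gaps plus an account-level verdict under the key '_account'."""
    report = {t["Name"]: assess_trail(t, statuses.get(t["Name"], {}), approved_buckets)
              for t in trails}
    full_coverage = any(
        t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled")
        and statuses.get(t["Name"], {}).get("IsLogging")
        for t in trails)
    report["_account"] = [] if full_coverage else ["no active multi-region trail with file validation"]
    return report


def fetch_live(region_name="us-east-1"):
    """Pull the same structures from a real account (needs boto3 and credentials)."""
    import boto3  # imported lazily so the offline sample runs without it
    client = boto3.client("cloudtrail", region_name=region_name)
    trails = client.describe_trails(includeShadowTrails=False)["trailList"]
    statuses = {t["Name"]: client.get_trail_status(Name=t["TrailARN"]) for t in trails}
    return trails, statuses


if __name__ == "__main__":
    for name, gaps in assess_account(SAMPLE_TRAILS, SAMPLE_STATUS).items():
        print(name, "->", gaps or ["ok"])
```

A trail whose logging was stopped shortly before detection is itself a finding worth preserving: the StopLogging call and its caller identity are recorded in the trail that was still running.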
VPN, Remote Access & Third-Party Logs
The majority of breaches begin outside the traditional network perimeter. VPN authentication logs, Citrix access records, RDP session logs, and third-party vendor access logs document who connected from where, at what time, and what they accessed. Supply-chain attacks — where the adversary enters through a trusted vendor — make third-party access logs especially critical. Managed Service Provider (MSP) platform logs, ticketing systems, and shared credential stores must all be preserved and analyzed to rule out or confirm supply-chain compromise.
Application & Database Logs
When attackers target customer data, intellectual property, or financial records, the attack path typically runs through application layers and databases. Web application firewall (WAF) logs, SQL query logs, API gateway records, and application error logs document exploitation attempts (SQL injection, XSS, authentication bypass), successful data queries, and schema reconnaissance. Database audit logs — often overlooked — provide the most granular record of what data was read, exported, or modified during a breach. These logs are critical for GDPR data subject notifications, PCI-DSS breach evidence, and quantifying breach scope for cyber insurance claims.
4. The 72-Hour Evidence Window — And Why It Closes Fast
The first 72 hours after breach detection are the highest-value — and most vulnerable — period in a digital forensics engagement. During this window, volatile evidence degrades, logs rotate and overwrite, cloud environments auto-scale and discard ephemeral infrastructure, and attacker cleanup routines execute on delayed timers.
Log retention policies represent the single greatest threat to forensic completeness. Default retention windows for common evidence sources:
| Evidence Source | Default Retention | Forensic Risk |
|---|---|---|
| System RAM | Lost on power-off | Critical — acquire immediately |
| Windows Event Logs | 7–30 days (default ~4MB cap) | High — overwriting begins immediately |
| AWS CloudTrail | 90 days (if enabled) | High — disabled by default on some services |
| Azure AD Sign-in Logs | 30 days (P1/P2: 30 days) | High — shorter for free tier |
| Microsoft 365 Audit Logs | 90 days (E5: up to 1 year) | Medium — depends on license tier |
| Firewall / NetFlow | 7–30 days | High — varies by vendor and storage |
| EDR Telemetry | 30–365 days (platform-dependent) | Lower — if EDR was deployed and retained |
| DNS Query Logs | Rarely retained by default | Critical — rarely preserved without advance planning |
Organizations without a formal log retention policy (one that keeps high-sensitivity evidence for a minimum of 12 months) will routinely discover that the evidence needed to understand a breach no longer exists. Forensic readiness is not reactive; it begins long before any incident occurs.
5. Forensic Chain of Custody and Legal Admissibility
Digital evidence that cannot be authenticated is digital evidence that cannot be used. Chain of custody — the documented record of who collected evidence, how it was collected, where it has been stored, and who has had access to it — is the legal foundation that determines whether forensic findings are admissible in court, regulatory proceedings, or insurance claims.
Every evidence handling step must be documented:
- Collection: Who collected the evidence, using what tools, at what time, from what specific system or location. Write-blocker hardware must be used for disk acquisitions.
- Hashing: SHA-256 cryptographic hashes of all evidence files, computed immediately upon collection and verified at each transfer point.
- Storage: Evidence stored in write-protected, tamper-evident containers with access logging. Physical evidence requires locked storage with a sign-out log.
- Transfer: Every transfer of evidence between parties — internal team, external forensic firm, law enforcement, attorneys — must be logged and acknowledged in writing.
- Analysis: All analysis performed on forensic copies — never originals — with tool names, versions, and analyst identifiers recorded in the case management system.
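The hashing, storage and transfer steps above, together with the hash-verified preservation of logs and disk images called for in section 3, can be carried in a single manifest that travels with the evidence. The following is an added example, not code from the article or from Sentinel Cyber Security: it hashes every file under an evidence directory with SHA-256, records who collected it and with what tool, re-verifies every hash before a hand-over is logged, and refuses to record a transfer whose verification fails. The case id, collector names, tool name and the placeholder evidence files in `demo()` are constructed. Hashes prove integrity, not provenance: the manifest digest it produces is meant to be signed or notarized separately, and the files themselves still belong on write-protected storage.

```python
"""Chain-of-custody manifest for collected evidence files.

Added example, not the article's or any vendor's tooling. Names and sample
files are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash large images without loading them into memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def create_manifest(evidence_dir, case_id, collector, tool, source_host):
    """Hash every file under evidence_dir and open the custody record."""
    items = []
    for root, _, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            items.append({"path": os.path.relpath(path, evidence_dir),
                          "size": os.path.getsize(path),
                          "sha256": sha256_file(path)})
    return {"case_id": case_id, "source_host": source_host, "items": items,
            "custody": [{"event": "collected", "by": collector, "tool": tool, "at": _now()}]}


def verify_manifest(manifest, evidence_dir):
    """Return (path, problem) for every item that is missing or altered."""
    problems = []
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, item["path"])
        if not os.path.exists(path):
            problems.append((item["path"], "missing"))
        elif sha256_file(path) != item["sha256"]:
            problems.append((item["path"], "hash mismatch"))
    return problems


def record_transfer(manifest, evidence_dir, from_party, to_party):
    """Log a hand-over only after the receiving side has re-verified every hash."""
    problems = verify_manifest(manifest, evidence_dir)
    if problems:
        raise ValueError(f"refusing to record transfer, integrity failures: {problems}")
    manifest["custody"].append({"event": "transferred", "from": from_party, "to": to_party,
                                "verified": "all hashes match", "at": _now()})
    return manifest


def manifest_digest(manifest):
    """SHA-256 of the canonical JSON form, the value to sign or notarize."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def demo():
    """Build a manifest over constructed files, log a transfer, then catch a later change."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "memory.raw"), "wb") as f:
            f.write(b"\x00" * 4096)  # constructed stand-in for a memory image
        with open(os.path.join(d, "security.evtx"), "wb") as f:
            f.write(b"ElfFile\x00constructed")  # constructed stand-in for an event log
        m = create_manifest(d, "CASE-0001", "analyst-a", "hypothetical-imager 1.0", "host-example")
        initial = verify_manifest(m, d)
        record_transfer(m, d, "analyst-a", "external-forensics-firm")
        with open(os.path.join(d, "security.evtx"), "ab") as f:
            f.write(b"!")  # simulate a modification after the hand-over
        return {"items": len(m["items"]), "initial_problems": initial,
                "custody_events": len(m["custody"]),
                "after_change": verify_manifest(m, d), "digest": manifest_digest(m)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest JSON beside the evidence and keep its digest in the case management system; any later verification that fails points to the exact file and the custody event after which it changed.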
The failure to maintain chain of custody is one of the most common reasons organizations lose cybercrime prosecutions, insurance claims, and regulatory appeals. Forensic professionals follow established standards: NIST SP 800-86 (Guide to Integrating Forensic Techniques into Incident Response), ISO/IEC 27037 (Guidelines for Identification, Collection, Acquisition and Preservation of Digital Evidence), and ACPO Good Practice Guide for Digital Evidence.
6. Cloud, Hybrid, and On-Premise Forensic Challenges
Modern enterprise environments are rarely purely on-premise or purely cloud-native. Hybrid architectures — combining on-premise Active Directory, cloud identity providers, SaaS applications, IaaS infrastructure, and containerized workloads — create forensic complexity that requires specialized expertise across multiple technology domains.
Cloud-Native Challenges
- Ephemeral compute instances that self-terminate after attacks
- Serverless function logs spread across multiple AWS/Azure/GCP services
- Container forensics requiring Kubernetes audit logs and pod metadata
- Multi-cloud identity attacks crossing cloud boundaries
- SaaS audit logs controlled by vendors with varying retention policies
On-Premise Challenges
- Older operating systems with limited native logging capabilities
- Legacy SCADA/ICS systems where forensic tools may not be deployable
- Physical access requirements for isolated air-gapped environments
- Network appliances with proprietary operating systems and limited log export
- Anti-forensic tools that attackers deploy to wipe artifacts before detection
The emergence of Operational Technology (OT) breaches — attacks on industrial control systems, SCADA environments, and critical infrastructure — introduces forensic requirements that differ significantly from IT environments. OT forensics must account for proprietary protocols (Modbus, DNP3, OPC-UA), real-time operational constraints, and the potential safety consequences of system isolation.
7. Regulatory Obligations: HIPAA, PCI-DSS, SOC 2, GDPR, and More
Forensic evidence is not merely an investigative tool — it is a regulatory compliance requirement. Different frameworks impose specific, binding obligations on breach notification, evidence preservation, and forensic investigation documentation.
HIPAA (Health Insurance Portability and Accountability Act)
Covered entities must preserve documentation of security incidents and response activities for a minimum of six years. Forensic analysis must support breach risk assessment — the four-factor test determining whether PHI disclosure triggers notification. Notification to HHS and affected individuals is required within 60 days of breach discovery for incidents affecting 500+ individuals.
PCI-DSS (Payment Card Industry Data Security Standard)
PCI-DSS v4.0 mandates that organizations maintain audit logs for at least 12 months, with a minimum of three months immediately available for analysis. Forensic investigation is required for any suspected cardholder data compromise. Card brands require forensic reports from PCI Forensic Investigators (PFIs) — a specialized qualification recognized by Visa, Mastercard, and American Express.
GDPR (General Data Protection Regulation)
Under GDPR, personal data breaches must be reported to supervisory authorities within 72 hours of becoming aware of the breach — where feasible. Forensic evidence is essential to determining whether the breach meets the notification threshold, quantifying which data subjects are affected, and documenting the technical and organizational measures in place. Fines of up to €20 million or 4% of global annual turnover apply for non-compliance.
SOC 2 & ISO 27001
SOC 2 Type II audits and ISO 27001 certification require documented incident response procedures and evidence of forensic capability. Security incidents must be logged, investigated, and remediated with evidence trails that auditors can review. Organizations without forensic documentation may fail their annual audits — triggering loss of certifications that are prerequisites for major enterprise contracts.
8. How Sentinel Cyber Security Supports Forensic Investigations
Sentinel Cyber Security operates at the intersection of technical forensic excellence and strategic business continuity. Our ArgusSense platform provides the continuous log ingestion, threat detection, and forensic readiness infrastructure that makes the difference between a contained incident and a catastrophic breach.
24/7 Digital Forensics Retainer
Immediate forensic response from experienced investigators within hours of breach detection. Evidence preservation, chain-of-custody documentation, and legal-admissible forensic imaging across all environment types — on-premise, cloud, hybrid, and OT.
ArgusSense Forensic Readiness Module
Pre-incident log aggregation, retention management, and tamper-evident evidence preservation that ensures all forensic evidence is available when an incident occurs. Real-time alerting on evidence destruction or log anomalies that may indicate attacker anti-forensics.
Regulatory Reporting & Expert Witness
Forensic reports prepared to meet HIPAA, PCI-DSS, GDPR, SOC 2, and SEC cybersecurity disclosure standards. Expert witness testimony and litigation support for legal proceedings arising from cyber incidents.
Forensic Tabletop & Readiness Assessment
Pre-incident assessment of your organization's forensic readiness: log coverage gaps, retention policy deficiencies, chain-of-custody procedure documentation, and tabletop exercises that simulate forensic response under realistic breach conditions.
9. Frequently Asked Questions: Post-Breach Digital Forensics
How long does a digital forensic investigation take?
Investigation timelines vary significantly by breach scope. A targeted attack on a single endpoint can be investigated in 3–5 business days. Complex enterprise breaches involving multiple systems, cloud environments, and data exfiltration often require 4–12 weeks for a comprehensive forensic investigation. Regulatory reporting obligations — particularly GDPR's 72-hour notification window — require an initial triage assessment within the first 24–48 hours regardless of full investigation timeline.
Should we notify law enforcement before conducting a forensic investigation?
Law enforcement notification should be coordinated with legal counsel before — or concurrent with — forensic investigation initiation. In cases involving ransomware, law enforcement agencies (FBI, CISA) may have intelligence about the threat actor that accelerates investigation. However, law enforcement involvement can also complicate evidence control and business continuity. Notification obligations vary by jurisdiction and breach type. Legal counsel should guide this decision.
What is the difference between forensic investigation and incident response?
Incident response (IR) focuses on containing and recovering from an active security incident — stopping the bleeding. Digital forensics focuses on evidence collection, preservation, and analysis — understanding what happened, how, and to what extent. In practice, these disciplines are deeply interdependent: forensic evidence informs containment decisions, and IR actions must be conducted with forensic preservation in mind. Best practice is to engage both disciplines simultaneously from the moment of breach detection.
Can we conduct forensics ourselves without external experts?
Internal security teams can conduct preliminary triage, but significant breaches almost always benefit from external forensic expertise. External forensic professionals bring specialized tools, documented methodologies, legal-admissibility expertise, regulatory reporting experience, and objectivity that internal teams cannot provide. Cyber insurance policies frequently require engagement of approved external forensic vendors as a condition of coverage. Self-conducted investigations that fail to meet legal evidence standards may invalidate insurance claims.
How do we determine if data was actually exfiltrated?
Data exfiltration determination requires analysis of multiple evidence sources: network egress data (volume, destination, timing, protocol), DNS queries to attacker-controlled domains, endpoint file access logs correlated with outbound network connections, cloud storage access records, and email send logs. Absence of exfiltration evidence does not confirm that data was not stolen — it may indicate that evidence was destroyed or that monitoring was insufficient. A forensic investigation must reach a defensible conclusion on exfiltration scope, acknowledging uncertainty where evidence is incomplete.
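The correlation described in this answer, and the network-evidence point made in section 3, can be demonstrated on a small set of records. The following is an added example, not code from the article or from Sentinel Cyber Security: it joins endpoint file-read telemetry with outbound connection records on host and time window, flags large transfers to non-internal addresses that followed reads of sensitive paths, and separately reports sensitive reads that fall outside the network log's coverage window, which cannot be cleared of exfiltration. The hosts, paths, addresses, sensitive-path prefixes, internal networks and coverage window are all constructed.

```python
"""Correlate endpoint file reads with outbound transfers, and report coverage gaps.

Added example, not the article's or any vendor's code. All events are constructed.
"""
import ipaddress
from datetime import datetime, timedelta


def ts(s):
    return datetime.fromisoformat(s)


# Assumptions: paths under these prefixes hold sensitive data, and these
# networks are the organisation's own address space.
SENSITIVE_PREFIXES = ["D:\\Finance\\", "D:\\HR\\"]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed EDR file-read telemetry.
FILE_EVENTS = [
    {"t": ts("2026-05-02T23:40:00"), "host": "fs01", "pid": 2210, "proc": "powershell.exe",
     "path": r"D:\Finance\Q1\ledger.xlsx", "bytes": 18_400_000},
    {"t": ts("2026-05-04T02:10:05"), "host": "fs01", "pid": 4120, "proc": "7z.exe",
     "path": r"D:\Finance\Q1\ledger.xlsx", "bytes": 18_400_000},
    {"t": ts("2026-05-04T02:10:09"), "host": "fs01", "pid": 4120, "proc": "7z.exe",
     "path": r"D:\Finance\Q1\payroll.csv", "bytes": 6_200_000},
    {"t": ts("2026-05-04T02:14:00"), "host": "fs01", "pid": 4188, "proc": "curl.exe",
     "path": r"C:\Users\svc\AppData\Local\Temp\a.7z", "bytes": 23_900_000},
    {"t": ts("2026-05-04T09:00:00"), "host": "ws07", "pid": 900, "proc": "excel.exe",
     "path": r"D:\Finance\Q1\ledger.xlsx", "bytes": 18_400_000},
]

# Constructed outbound-connection records (EDR network events or flow logs).
NET_EVENTS = [
    {"t": ts("2026-05-04T02:14:30"), "host": "fs01", "pid": 4188, "proc": "curl.exe",
     "dst": "198.51.100.23", "port": 443, "bytes_out": 23_900_000},
    {"t": ts("2026-05-04T09:01:00"), "host": "ws07", "pid": 900, "proc": "excel.exe",
     "dst": "10.0.5.10", "port": 445, "bytes_out": 200_000},
]

# Constructed coverage window of the network log source.
NET_LOG_START = ts("2026-05-03T00:00:00")
NET_LOG_END = ts("2026-05-04T12:00:00")


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_sensitive(path):
    p = path.lower()
    return any(p.startswith(prefix.lower()) for prefix in SENSITIVE_PREFIXES)


def find_exfil_candidates(file_events, net_events, window=timedelta(minutes=30), min_bytes=1_000_000):
    """Large external transfers preceded, on the same host, by sensitive file reads."""
    candidates = []
    for n in net_events:
        if is_internal(n["dst"]) or n["bytes_out"] < min_bytes:
            continue
        reads = [f for f in file_events
                 if f["host"] == n["host"] and is_sensitive(f["path"])
                 and n["t"] - window <= f["t"] <= n["t"]]
        if not reads:
            continue
        candidates.append({
            "host": n["host"], "dst": n["dst"], "port": n["port"], "at": n["t"],
            "bytes_out": n["bytes_out"], "read_bytes": sum(f["bytes"] for f in reads),
            "files": sorted({f["path"] for f in reads}),
            "processes": sorted({f["proc"] for f in reads} | {n["proc"]}),
        })
    return candidates


def coverage_assessment(file_events, log_start, log_end):
    """Sensitive reads outside the network log's window cannot be cleared of exfiltration."""
    uncovered = [f for f in file_events
                 if is_sensitive(f["path"]) and not (log_start <= f["t"] <= log_end)]
    return {"uncovered_reads": len(uncovered), "verdict": "inconclusive" if uncovered else "complete"}


if __name__ == "__main__":
    for c in find_exfil_candidates(FILE_EVENTS, NET_EVENTS):
        print(c["host"], "->", c["dst"], c["bytes_out"], "bytes after reading", c["files"])
    print(coverage_assessment(FILE_EVENTS, NET_LOG_START, NET_LOG_END))
```

On the constructed data the fs01 transfer is flagged because its size matches the sensitive reads a few minutes earlier, while the earlier powershell.exe read predates the flow log's retention window and is reported as a gap rather than silently treated as "no exfiltration".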
What forensic evidence is most important for cyber insurance claims?
Cyber insurers require forensic evidence to validate claims, assess coverage, and determine whether organizational controls were adequate. Critical evidence for insurance claims includes: the forensic report establishing breach timeline and scope, evidence that required security controls were in place and operational, documentation of the attack vector (which determines coverage applicability), business interruption records correlated with forensic timelines, and documentation that the organization met notification obligations within required timeframes. Retaining a forensic firm approved by your insurer — before an incident — ensures claims are not delayed or denied on procedural grounds.
Digital forensics is not a service you want to be sourcing after a breach has already occurred. Sentinel's forensic retainer program ensures that when an incident happens, expert investigators are ready to engage within hours — with your environment context already understood, your log sources already validated, and your evidence preservation procedures already in place.
This resource is published as an authoritative cybersecurity reference by Sentinel Cyber Security. Content is updated as threat landscapes, regulatory frameworks, and forensic best practices evolve. Last reviewed: May 2026. The information provided here is for educational purposes and does not constitute legal advice.