EIVUS

Forensics and Incident Response in Hosting

Preserve evidence, logs, and snapshots when investigating a breach.


In a suspected breach, avoid overwriting logs and disk contents. Take snapshots or disk images if the provider allows it. Preserve timestamps and maintain a chain of custody. Have a runbook and contacts for legal counsel and provider support.

Preserve evidence

  • Do not overwrite: Avoid rebooting, wiping, or running tools that write heavily to disk. Logs and disk contents may be needed for the investigation and for legal proceedings.
  • Snapshots: If the provider offers it, take a snapshot or image of the affected system(s) before making changes. Store in a separate account or region if possible so it is not accidentally modified.
  • Logs: Copy logs (auth, app, firewall, IDS) to a secure, append-only or write-once store. Preserve the original timestamps and record which host each log came from.

Chain of custody and documentation

  • Who, when, what: Document who accessed what and when. Use read-only access where possible. If you must run forensic tools, document the tool and version.
  • Legal and provider: Have a contact for legal counsel and for the hosting provider. The provider may need to preserve evidence on their side (e.g. network logs, access logs). Ask early what they can retain and for how long.
  • Runbook: Have a short incident response runbook: preserve evidence, isolate if needed, notify, and escalate. Update it after drills or real incidents.
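The "Logs" item above and the "Who, when, what" item here describe the same collection step from two sides: copy the evidence without altering it, and write down what was taken, by whom, when, and with which tool. The script below is an added example, not EIVUS tooling and not part of the original post. It copies log files into an evidence directory, keeps their modification times, makes the copies read-only, hashes them, and appends one JSON line per file to a chain-of-custody manifest; a second pass re-hashes the copies against the manifest. The tool name, version, operator address, directory names and the sample log lines are all constructed for the example.

```python
import hashlib
import json
import platform
import shutil
import stat
import tempfile
from datetime import datetime, timezone
from pathlib import Path

TOOL_NAME = "preserve_logs.py"  # hypothetical tool name, recorded in each custody entry
TOOL_VERSION = "0.1"            # hypothetical version, recorded in each custody entry

# Constructed sample logs standing in for /var/log content on an affected host.
SAMPLE_LOGS = {
    "auth.log": (
        "Mar  3 02:14:07 web1 sshd[4121]: Failed password for root from 203.0.113.9 port 51022 ssh2\n"
        "Mar  3 02:14:12 web1 sshd[4121]: Accepted password for deploy from 203.0.113.9 port 51022 ssh2\n"
    ),
    "app.log": "2024-03-03T02:15:40Z WARN admin session created from 203.0.113.9\n",
}


def sha256_file(path: Path) -> str:
    """Hash in chunks so large log files never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_file(src: Path, dest_dir: Path, operator: str) -> dict:
    """Copy src into dest_dir, keep its mtime, make the copy read-only and
    return a chain-of-custody record: what was collected, when, by whom, with what."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    st = src.stat()
    source_hash = sha256_file(src)            # hash of the original before copying
    dest = dest_dir / src.name
    shutil.copy2(src, dest)                   # copy2 carries over mtime and mode bits
    dest.chmod(stat.S_IRUSR | stat.S_IRGRP)   # read-only: analysis happens on copies
    copy_hash = sha256_file(dest)             # hash of what was actually preserved
    return {
        "source": str(src),
        "stored_as": str(dest),
        "size_bytes": st.st_size,
        "source_mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "sha256": source_hash,
        "copy_sha256": copy_hash,
        # A live log can grow between the two hashes; record that rather than hide it.
        "consistent": source_hash == copy_hash,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "collected_by": operator,
        "collected_on": platform.node(),
        "tool": f"{TOOL_NAME} {TOOL_VERSION}",
    }


def append_manifest(manifest: Path, record: dict) -> None:
    """Append one JSON line per item; append mode never truncates earlier entries."""
    with manifest.open("a", encoding="utf-8") as f:
        f.write(json.dumps(record, sort_keys=True) + "\n")


def verify(record: dict) -> bool:
    """Re-hash the preserved copy and compare it with the hash taken at collection."""
    return sha256_file(Path(record["stored_as"])) == record["copy_sha256"]


def run_demo(operator: str = "analyst@example.invalid") -> dict:
    """Write the constructed logs to a scratch 'host', preserve them, then verify."""
    base = Path(tempfile.mkdtemp(prefix="ir-demo-"))
    host_logs = base / "var_log"
    evidence = base / "evidence"
    host_logs.mkdir()
    for name, text in SAMPLE_LOGS.items():
        (host_logs / name).write_bytes(text.encode("utf-8"))
    manifest = evidence / "manifest.jsonl"
    records = []
    for name in SAMPLE_LOGS:
        rec = preserve_file(host_logs / name, evidence, operator)
        append_manifest(manifest, rec)
        records.append(rec)
    # Second pass, as an analyst would do later: check every copy against the manifest.
    checks = [verify(json.loads(line)) for line in manifest.read_text(encoding="utf-8").splitlines()]
    return {"records": records, "manifest_lines": len(checks), "all_verified": all(checks)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest is opened in append mode only, so a second collection run cannot silently truncate the record of the first one; in practice the evidence directory and manifest would sit on the separate, write-once store the "Logs" item describes, and the `collected_by` and `tool` fields are what a reviewer or counsel later asks for.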

After the incident

  • Analysis: Prefer analysis on copies (snapshots, log copies) rather than live systems. Restore affected systems from known-good backups or rebuild after evidence is secured.
  • Lessons learned: Document what happened, what was preserved, and what could be improved (detection, response, provider capabilities).

Summary

In a suspected breach: do not overwrite; take snapshots if possible; preserve logs and timestamps; document the chain of custody. Have a runbook and contacts for legal counsel and the provider. Analyze on copies when possible.
