Editorial | 6:00 am

Forensic Readiness: Turning Security Logs into Usable Evidence

After any cyber incident, organizations need to get answers fast. Forensic readiness helps you coll…

Introduction

When a cyber incident happens, leaders ask simple questions: What happened? How did it happen? Who was affected?

You can only answer well if you have good evidence. Forensic readiness means preparing your systems so you can investigate without guessing.

What “Good Evidence” Looks Like

Good evidence is:

• Accurate (timestamps and sources are reliable)

• Complete (you can see key actions)

• Protected (it cannot be easily altered)

• Traceable (you can show who accessed it)

Logging: The Core of Forensic Readiness

Logs are your storybook. Without them, you only have rumours.

Focus on:

• Login logs (successful and failed attempts)

• Admin actions (new users, role changes, permission edits)

• File access for sensitive areas

• Endpoint alerts (malware, unusual behaviour)

Keep Evidence Without Breaking Trust

Evidence collection must respect privacy and policy.

• Define what you log and why (in clear internal policies)

• Limit access to logs to authorised staff only

• Set retention rules (how long logs are kept)

• Document every step during an investigation (who did what, when)

Chain of Custody in Simple Terms

Chain of custody is a record showing that the evidence was not altered or lost at any point between collection and use.

Basic steps:

• Save copies of key logs and files in a protected location

• Record who collected it and where it came from

• Keep it read-only where possible

• Avoid “sharing around” evidence in chat apps
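The collection, read-only and record-keeping steps above (together with the earlier "document every step" rule), as an added example that is not from the original article: a small Python custody helper that copies an item into an evidence store, hashes it, makes the copy read-only, appends every collection and access event to a custody log, and later proves whether the copy is still intact. The evidence directory layout, the custody_log.jsonl file name, the analyst names and the sample log line are all assumptions constructed for the example.

```python
import hashlib, json, os, shutil, stat, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()  # stream the file so large log archives need not fit in memory
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve(source: Path, evidence_dir: Path, collector: str, origin: str) -> dict:
    """Copy the item into the evidence store, make the copy read-only, append a custody record."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    now = datetime.now(timezone.utc)
    dest = evidence_dir / f"{now.strftime('%Y%m%dT%H%M%SZ')}_{source.name}"
    shutil.copy2(source, dest)                       # copy2 keeps the original's mtime
    os.chmod(dest, stat.S_IRUSR | stat.S_IRGRP)      # read-only is a guardrail; the hash is the real check
    record = {"collected_at": now.isoformat(), "collector": collector, "origin": origin,
              "evidence_path": str(dest), "sha256": sha256_of(dest)}
    with open(evidence_dir / "custody_log.jsonl", "a", encoding="utf-8") as log:
        log.write(json.dumps({"event": "collected", **record}) + "\n")
    return record

def note_access(record: dict, who: str, purpose: str) -> None:
    """Every hand-off or review is appended, so the log shows who touched the evidence and when."""
    log_path = Path(record["evidence_path"]).parent / "custody_log.jsonl"
    entry = {"event": "accessed", "at": datetime.now(timezone.utc).isoformat(), "who": who,
             "purpose": purpose, "evidence_path": record["evidence_path"], "sha256": record["sha256"]}
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")

def verify(record: dict) -> bool:
    """True only if the stored copy still hashes to the value recorded at collection time."""
    return sha256_of(Path(record["evidence_path"])) == record["sha256"]

def demo() -> dict:
    """Constructed walkthrough: preserve a sample auth log, log a review, then catch a later edit."""
    work = Path(tempfile.mkdtemp())
    sample = work / "auth.log"   # constructed sample line, not a real host's log
    sample.write_text("Jan 10 08:02:11 host1 sshd[412]: Failed password for invalid user admin from 203.0.113.7\n")
    rec = preserve(sample, work / "evidence", "analyst.a", "host1:/var/log/auth.log")
    note_access(rec, "analyst.b", "timeline review")
    intact = verify(rec)
    copy = Path(rec["evidence_path"])
    os.chmod(copy, stat.S_IRUSR | stat.S_IWUSR)      # someone re-enables write and edits the copy
    copy.write_text("edited\n")
    events = (work / "evidence" / "custody_log.jsonl").read_text().count("\n")
    return {"intact_at_review": intact, "tamper_detected": not verify(rec), "custody_events": events}
```

The file permission only slows down accidental edits; a root user or the file owner can undo it, which is why the recorded hash, not the mode bits, is what an investigator relies on.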

Conclusion

Forensic readiness helps organisations respond calmly, learn quickly, and support legal or regulatory action when needed. With strong logging, clear retention rules, controlled access, and simple chain-of-custody habits, you can turn an incident into clear, usable facts.
