Evidence preservation is the practice of keeping logs, disk images, memory captures, backups, and other artifacts unchanged so investigators can reconstruct what happened. In cyber security, this means collecting data in a way that maintains integrity, such as hashing files, recording timestamps, and limiting access to original evidence.
It matters because ransomware, intrusion, and insider cases often hinge on details that disappear quickly: volatile memory, rotated logs, overwritten files, and cloud audit trails. Preserving evidence lets defenders establish whether a reported incident reflects a real compromise, identify the initial access path, trace lateral movement, and verify whether data was copied or encrypted. In practice, teams preserve evidence before rebuilding systems, and they document every handling step so the findings remain defensible for incident response, legal review, and potential law enforcement use.
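As an added illustration of the hashing, timestamping and access-limiting described above (example code, not from the original page), the script below hashes a collected artifact, appends a custody record to an append-only JSON-lines manifest, marks the file read-only, and later re-hashes it to detect any change. The file names, the `collector` value and the sample log line are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve(artifact, collector, manifest):
    """Record the artifact's hash, collection time and collector, then make it read-only."""
    record = {
        "path": artifact,
        "sha256": sha256_file(artifact),
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
    }
    os.chmod(artifact, 0o444)  # limit access: any later write must be a deliberate act
    with open(manifest, "a", encoding="utf-8") as m:
        m.write(json.dumps(record) + "\n")  # append-only custody log, one JSON line per artifact
    return record

def verify(manifest):
    """Re-hash every recorded artifact; False means it no longer matches its custody record."""
    results = {}
    with open(manifest, encoding="utf-8") as m:
        for line in m:
            rec = json.loads(line)
            results[rec["path"]] = sha256_file(rec["path"]) == rec["sha256"]
    return results

def demo():
    """Constructed sample: preserve a log file, verify it, tamper with it, verify again."""
    workdir = tempfile.mkdtemp()
    log = os.path.join(workdir, "auth.log")
    manifest = os.path.join(workdir, "custody.jsonl")
    with open(log, "w", encoding="utf-8") as f:
        f.write("Jan 10 03:12:07 host sshd[811]: Accepted password for svc from 10.0.0.7\n")
    preserve(log, "analyst@example.invalid", manifest)
    intact = verify(manifest)[log]
    os.chmod(log, 0o644)  # undo the read-only bit to simulate someone editing the evidence
    with open(log, "a", encoding="utf-8") as f:
        f.write("Jan 10 03:12:09 host sshd[811]: session closed\n")
    return intact, verify(manifest)[log]
```

`demo()` returns `(True, False)`: the artifact verifies right after collection and fails verification once a line has been appended, which is the signal that prompts a custody review.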