Forensic preservation is the practice of protecting digital evidence so investigators can later reconstruct what happened. It includes saving logs, disk and memory images, configuration files, cloud audit records, and other artifacts in a way that avoids alteration. The goal is to keep evidence reliable, attributable, and usable in an investigation or legal review.
In cyber security, forensic preservation matters because attackers often delete logs, wipe traces, or encrypt systems before defenders can inspect them. Good preservation helps incident responders determine the initial entry point, the scope of compromise, what data may have been accessed, and whether the attacker still has access. In ransomware cases, defenders may need to preserve systems before rebuilding them, capture volatile data, and maintain chain of custody for any copied evidence. Strong preservation also supports compliance, disclosure, and recovery decisions by separating facts from assumptions.
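One concrete way to back the chain-of-custody point above, written for this page as an added example rather than code from any named tool: hash every preserved artifact into a manifest at collection time, then re-hash the copies later to prove they are unaltered (or to show exactly which ones were changed or lost). The directory layout, file names, log line and collector name are all constructed for the demo.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    # Stream the file so large disk or memory images are never loaded fully into RAM.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(evidence_dir, collector):
    # Record path, size and SHA-256 of every preserved artifact, plus who collected it and when.
    root = Path(evidence_dir)
    files = [{"path": p.relative_to(root).as_posix(), "size": p.stat().st_size,
              "sha256": sha256_file(p)} for p in sorted(root.rglob("*")) if p.is_file()]
    return {"collected_at": datetime.now(timezone.utc).isoformat(),
            "collector": collector, "files": files}

def verify_manifest(evidence_dir, manifest):
    # Re-hash the preserved copies; returns {path: "ok" | "modified" | "missing"}.
    root = Path(evidence_dir)
    findings = {}
    for entry in manifest["files"]:
        p = root / entry["path"]
        if not p.is_file():
            findings[entry["path"]] = "missing"
        elif sha256_file(p) != entry["sha256"]:
            findings[entry["path"]] = "modified"
        else:
            findings[entry["path"]] = "ok"
    return findings

def demo():
    # Constructed sample evidence set: verify intact copies, then detect post-collection changes.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "logs").mkdir()
        (root / "logs" / "auth.log").write_text("Jan 1 00:00:01 host sshd[42]: Accepted publickey for ops\n")
        (root / "memory.raw").write_bytes(b"\x00" * 4096)
        manifest_json = json.dumps(build_manifest(root, collector="ir-analyst-1"), indent=2)
        # The manifest is kept apart from the evidence (write-once storage) so it can be compared later.
        before = verify_manifest(root, json.loads(manifest_json))
        (root / "logs" / "auth.log").write_text("")  # log truncated after collection
        (root / "memory.raw").unlink()                # image deleted after collection
        after = verify_manifest(root, json.loads(manifest_json))
    return before, after
```

In practice the manifest itself should also be hashed or signed and stored with the custody record, so that a tampered manifest cannot vouch for tampered evidence.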


