Honeybadger Solutions LLC

Preserve Digital Evidence Before an Examiner

Sealed digital evidence scene with a laptop and phone held in a frozen, untouched state behind a gold containment perimeter in navy and gold

Before a forensic examiner arrives, your single objective is to change nothing. Leave powered-on devices running and powered-off devices off, restrict who can touch them, and never open files or log in to “just check.” Photograph everything in place, suspend auto-deletion and log rotation, and document who had access. Well-meaning IT triage — rebooting, reimaging, running antivirus, or copying files — is the leading cause of destroyed digital evidence.

Almost every serious matter — employee misconduct, data theft, fraud, a network intrusion, a contentious departure, or litigation — now turns on digital evidence. That evidence is extraordinarily fragile. It can be altered, overwritten, or destroyed in seconds, often by the very people trying to help. By the time a qualified examiner is retained, the decisive artifacts have frequently already been lost — not by a wrongdoer covering tracks, but by an IT administrator, an executive, or a manager acting on instinct in the first anxious hour. This guide is written for the general counsel, executive, business owner, or family-office principal who has just realized something is wrong and must protect the record before the specialists take over. What you do — and, more importantly, what you refrain from doing — in the interval before an examiner is engaged can decide whether the truth is provable or merely suspected.

Why do the first hours decide whether evidence survives?

Digital evidence is not like a paper document sitting in a drawer. Much of what matters is volatile — it exists only while a system is running and vanishes the instant power is cut: the contents of memory (RAM), active network connections, running processes, decryption keys held in memory, and malware that never writes itself to disk. Even the evidence that does live on disk is delicate. Modern operating systems write to storage constantly; simply booting a computer, logging in, or opening a folder updates hundreds of files, rewrites access timestamps, and can silently overwrite the deleted data an examiner would otherwise recover. Metadata — the who, when, and how behind a file — is frequently the actual evidence, and it is the first casualty of careless handling.

There is also a legal dimension that runs parallel to the technical one. Evidence is only useful if it is admissible, and admissibility depends on being able to prove that what you produce is an exact, unaltered copy of the original, with a documented chain of custody. Under Federal Rule of Civil Procedure 37(e), a party that fails to take reasonable steps to preserve electronically stored information can face curative measures, adverse-inference instructions, or case-ending sanctions. Consider a representative scenario: a company suspects a departing executive has taken client lists, so a manager logs into the laptop over the weekend to look for proof. That single login boots the machine, mounts the drive, updates system files, and alters the very timestamps that would have shown when the files were copied. The evidence was not hidden by the wrongdoer — it was overwritten by the investigation. This is why the discipline of the first hour is not caution for its own sake; it is the foundation of everything that follows.

Should you power the device off or leave it on?

This is the question that causes the most damage, because the intuitive answer is usually wrong, and because the right answer depends on the situation. The general principle is deceptively simple: leave a running device running, and leave a powered-off device off. Powering down a live machine destroys everything in volatile memory. Powering up a dormant one alters the disk. But there are important exceptions, and each involves a trade-off that a specialist should ideally weigh before you act.

Encryption changes the calculus dramatically. Full-disk encryption — BitLocker, FileVault, and their equivalents — is now the default on most modern devices. If a running computer is encrypted and you power it off, the decryption key that was held in memory disappears, and without the passcode or recovery key the drive can become permanently inaccessible. In that case the live, running state may be the only window into the data. Mobile devices carry their own hazard: they are connected to networks that allow remote wiping, and modern phones enter a hardened, harder-to-access state after they are powered off or restarted. The decisive first move for a phone is usually to isolate it from all wireless signals — airplane mode or a Faraday bag — not to power it down. The table below sets out the default posture for the most common scenarios; treat it as a starting point, not a substitute for a call to your examiner.

Device / StateDefault actionWhyPrimary danger
Desktop or laptop, powered ONLeave on; isolate from network; do not useVolatile memory, live connections, and decryption keys survive only while runningShutting down destroys memory evidence and may lock an encrypted drive
Desktop or laptop, powered OFFLeave off; do not boot itBooting writes to disk and overwrites recoverable deleted data“Just taking a look” alters timestamps and system files
Encrypted device, powered ONLeave on; call examiner urgently before any shutdownDecryption key lives in memory; loss can be irreversiblePower-off may make the data unrecoverable forever
Smartphone or tabletAirplane mode or Faraday bag; keep charged; do not power off or resetPrevents remote wipe and avoids a harder-to-access locked stateRemote wipe, or losing access after a reboot
Server actively under attackIsolate from network; preserve memory before any shutdown; engage respondersLive intrusion evidence and attacker presence exist in memory and connectionsRebooting “to clear it” erases the intrusion evidence
Cloud accounts (email, SaaS, drives)Preserve logs and data immediately; suspend deletionAudit logs rotate and expire on short retention windowsEvidence silently ages out before anyone requests it

When in genuine doubt about a live, high-stakes system — particularly an encrypted one or a server under active attack — the safest move is to secure the area, keep the device powered and connected to power, prevent anyone from using it, and get a qualified examiner on the phone before you touch anything. Five minutes of expert guidance can preserve evidence that no amount of later effort can recover.

Power-on versus power-off preservation decision concept showing one live device with volatile memory and one sealed dark device in navy and gold

What should you never do to a device you may need as evidence?

If the power question is where damage is done by accident, this list is where it is done by well-intentioned effort. Every item below is an ordinary, reasonable-seeming action that routinely destroys evidence. Treat the device as a sealed crime scene, and avoid all of the following until an examiner has imaged it:

  • Do not log in or use the account. Every login and every click writes data and rewrites timestamps. If the machine is already logged in and running, leave it as it is.
  • Do not open files, emails, or attachments to “confirm” the problem. Opening a document changes its metadata; opening a suspicious attachment can detonate malware or destroy the very artifact you needed to preserve.
  • Do not run antivirus, malware removal, or “cleanup” tools. These quarantine or delete the exact samples an examiner needs and overwrite forensic traces of the intrusion.
  • Do not reboot, update, or shut down “to see if it fixes itself.” A reboot can wipe memory evidence, trigger pending updates that overwrite files, and place an encrypted device out of reach.
  • Do not reimage, wipe, or reassign the device. Reimaging a departing employee’s laptop on the standard IT schedule is one of the most common ways strong cases are erased.
  • Do not copy files by dragging, emailing, or USB. Ordinary copying alters metadata and misses deleted, hidden, and system-level data. It is not forensic collection.
  • Do not reset passwords broadly or delete accounts. Doing so can invalidate active sessions, sever access to cloud logs, and destroy evidence of who did what. Isolate access surgically instead.
  • Do not let the custodian keep using the device. Continued use overwrites deleted data with each passing hour. Remove it from service and secure it.

The unifying rule behind every prohibition is the same: do not confuse investigating with preserving. Your job before an examiner arrives is not to find the answer — it is to freeze the scene so a professional can find it defensibly.

How do well-meaning IT teams and staff destroy evidence?

The greatest threat to digital evidence is almost never a sophisticated cover-up. It is competent, conscientious people doing their normal jobs. IT departments are trained to restore service, remove threats, and recycle hardware efficiently — instincts that are exactly backward for evidence preservation. Understanding how the damage happens is the fastest way to prevent it. Consider these representative scenarios, each drawn from the common patterns of the field rather than any specific client:

  • The scheduled reimage. An executive resigns; a week later, IT wipes and reissues the laptop per routine offboarding. The evidence of what was copied on the way out is gone before anyone thought to look.
  • The helpful malware removal. A workstation shows signs of compromise, so a technician runs a removal tool. It deletes the malware sample and its logs — the precise artifacts needed to identify the attacker, the entry point, and what was taken.
  • The reboot reflex. A server behaves strangely during an intrusion, so it is rebooted “to clear it up.” Memory-resident attacker tooling and live network connections — often the only proof of the breach — evaporate.
  • The backup restore. To get a user working again, IT restores a machine from backup, overwriting the live state and the deleted-file remnants that told the story.
  • The account cleanup. Suspecting compromise, an administrator resets passwords and deletes the suspect account, unintentionally severing access to the cloud audit logs that recorded the intrusion.
  • The log that rotated. No one suspended log rotation or extended cloud-audit retention, so the records aged out on a 30- or 90-day cycle while the organization deliberated.

None of these people did anything careless by the standards of their day-to-day role. That is the point. The moment a matter becomes potentially investigative or legal, ordinary IT procedure must be paused and replaced with a preservation posture — and that decision has to come from leadership or counsel, because IT will otherwise default to keeping the business running.

What are the first steps for legal and business leaders?

When you recognize that a situation may become an investigation or a dispute, work a disciplined sequence rather than improvising. The following protocol is the same logic elite responders apply, distilled into what a non-specialist can and should do in the first hour, before an examiner is engaged.

  1. Recognize the trigger and stop routine processes. The duty to preserve attaches when litigation or an investigation is reasonably anticipated — not when it is filed. Treat that moment as the start of the clock.
  2. Issue a preservation (litigation) hold. Instruct in writing that relevant data must be preserved, and suspend all auto-deletion, retention purges, log rotation, and device-recycling for the systems and people involved.
  3. Isolate, do not sanitize. If a system is under active attack, disconnect it from the network — unplug the cable or disable the switch port — but do not power it down, wipe it, or “clean” it. Containment and preservation are different from remediation.
  4. Physically secure the devices. Remove them from use, place them where only authorized people can reach them, and note everyone who has had access since the trigger event.
  5. Document the scene. Photograph each device in place, record whether it is on or off and what is on the screen, and capture make, model, and serial numbers. This becomes the first entry in the chain of custody.
  6. Preserve volatile and cloud sources. Flag email, SaaS platforms, cloud drives, and collaboration tools for immediate preservation, because their logs expire on short retention windows. Put mobile devices in airplane mode or a Faraday bag.
  7. Establish chain of custody. Begin a written record of who holds each item, when, and why, from this moment forward.
  8. Engage a qualified examiner — ideally through counsel. Bring in forensic expertise before anyone touches the data, and structure the engagement at the direction of an attorney so the work is shielded by privilege where it applies.

The frameworks that professionals rely on for this discipline — the U.S. Department of Justice’s Electronic Crime Scene Investigation: A Guide for First Responders, the National Institute of Standards and Technology’s SP 800-86 guide to integrating forensic techniques into incident response, and the best-practice publications of the Scientific Working Group on Digital Evidence — all reinforce the same core principle: minimize handling of the original, preserve volatile data first, and document every action. You do not need to master those documents to protect a matter. You need to do less, not more, and to bring in the specialists early.

How do you preserve cloud and mobile evidence?

The physical-device instincts of a generation ago no longer cover the ground, because most of the decisive evidence now lives in accounts, not on hardware. Cloud platforms — corporate email, file storage, CRM and collaboration suites — keep detailed audit logs of logins, downloads, sharing, and deletions, but many of those logs are retained for only a limited window and then silently overwritten. Preservation here is not about a device at all; it is about immediately extending retention, applying an in-place hold, and, where appropriate, exporting the relevant records before they rotate out of existence. This has to happen in parallel with securing hardware, because the clock on cloud logs is often shorter and entirely invisible.

Mobile devices deserve particular care because they are the most easily and irreversibly destroyed. A phone that remains connected can be remotely wiped by a departing employee or an attacker in seconds, so isolating it from all signals — airplane mode, then a Faraday bag if the stakes warrant — is the priority. Do not power it off casually, do not factory-reset it, and do not let anyone continue using it. Ephemeral and encrypted messaging apps add a further wrinkle: content can be set to auto-delete, and once it is gone it is usually unrecoverable, which is one more reason preservation cannot wait for a leisurely internal deliberation.

Why does chain of custody make or break admissibility?

Chain of custody is the documented, unbroken record of who handled a piece of evidence, when, and what they did with it, from the moment of the trigger event through to production in a proceeding. It is what allows a party to prove that the evidence presented is authentic and unaltered. A forensically sound examination reinforces that proof mathematically: the examiner captures a bit-for-bit image of the original media through a write-blocker, calculates a cryptographic hash value at acquisition, and re-verifies that hash later — a matching value is proof that not a single bit changed. But the strongest technical process cannot repair a custody record that was broken before the examiner arrived. If three people used the laptop, an antivirus scan ran, and the device sat unsecured over a weekend, the integrity of everything downstream is already in question. This is precisely why the pre-examiner phase — restricting access, documenting the scene, and refusing to “take a quick look” — is not clerical caution but the load-bearing foundation of a defensible matter.

How does Honeybadger help you preserve evidence the right way?

Honeybadger Solutions delivers digital forensics led by in-house examiners, which means the guidance you receive in that critical first hour comes from the same command that will later image, analyze, and defend the evidence — not a disconnected vendor learning the matter after the fact. When a client calls at the moment of discovery, our team can direct the preservation posture over the phone in minutes: whether to leave a system running, how to isolate a compromised server, how to protect an encrypted device, and how to lock down cloud and mobile sources before their logs rotate. Because our forensic, cybersecurity, financial-investigation, and background-intelligence capabilities are handled internally and delivered nationwide and internationally, a matter never fragments across incompatible providers.

That integration matters most when preservation flows into investigations and the broader intelligence picture behind a dispute — data theft, insider misconduct, fraud, or a contentious departure. Every engagement is structured to operate at the direction of counsel, to preserve privilege where it applies, and to produce methodology an examiner can defend on the record. From Arizona home command — with offices in Casa Grande, Phoenix, and Oro Valley — we support executives, general counsel, families, and organizations across the United States and abroad. If you suspect something is wrong, the most valuable thing you can do is stop, secure the scene, and call before you touch anything else.

Frequently asked questions

Should I turn off a computer I think has been hacked?

Usually not, if it is currently running. Powering it off destroys volatile evidence in memory — active connections, running malware, and decryption keys — that may be the only proof of what happened, and it can lock an encrypted drive permanently. The safer move is to disconnect it from the network to stop ongoing harm, leave it powered on and unused, and call a forensic examiner before shutting down. When in doubt, isolate rather than power off.

Can our own IT department preserve the evidence for us?

IT can help secure and isolate devices, but it should not attempt to collect or examine the evidence. IT is trained to restore service and remove threats — instincts that overwrite exactly what an investigation needs. Reimaging, malware removal, rebooting, and ordinary file copying all destroy evidence and break the chain of custody. The right role for IT is to freeze routine processes, suspend deletion and log rotation, and hand the collection to a qualified forensic examiner.

What if the employee already left and we need their laptop?

Locate the device and take it out of service immediately, before it is reissued or reimaged on the standard offboarding schedule — the routine wipe is one of the most common ways evidence of data theft is erased. Do not boot it, log in, or search it. Secure it physically, document its condition, and preserve the departing employee’s cloud accounts and audit logs in parallel, since much of the relevant activity often lives there rather than on the hardware.

How quickly do I need to act to preserve digital evidence?

Immediately. Volatile memory evidence exists only while a system runs, cloud audit logs expire on short retention cycles, mobile devices can be remotely wiped in seconds, and every hour a device stays in use overwrites more recoverable data. The duty to preserve begins when an investigation or dispute is reasonably anticipated, not when it is formally filed. Secure the scene first, deliberate second, and engage an examiner before anyone touches the data.

About Honeybadger Solutions

Honeybadger Solutions is an Arizona-licensed security and investigations firm delivering intelligence-led forensics, investigations, and cyber services to executives, general counsel, families, and organizations nationwide and internationally. Digital forensics, cybersecurity, financial investigations, and background intelligence are handled in-house, so evidence preservation, collection, and analysis run under a single accountable chain of command from the first hour through production.

Offices: Casa Grande (HQ), Phoenix, and Oro Valley, Arizona.
Phone: 602-725-2818
Confidential consultation: if you suspect a matter, call before you touch a device — our command team can direct preservation in minutes.