16.5 Evidence Preservation
Insider threat evidence must meet a higher standard than external-attacker evidence. If Marcus is terminated and contests the decision at an employment tribunal, the investigation evidence will be scrutinised by legal professionals. If the case is referred for criminal prosecution (theft of trade secrets), the evidence must meet criminal standards.
Required role: Compliance Administrator (for eDiscovery and litigation hold).
Step 1: Place mailbox and OneDrive on litigation hold
Apply the hold before any content is modified or deleted (by Marcus, by automated retention policies, or during cleanup).
Covert preservation (recommended during active investigation): Create an eDiscovery case in Purview Compliance → eDiscovery → create case → add m.chen as a custodian → place on hold. This preserves all content without notifying the user and without changing their access. Litigation hold on the mailbox is also invisible to the user.
Blast radius: Litigation hold and eDiscovery hold are invisible to the user; content is preserved in the background with no impact on their daily work. Scope: per-user, with no user-facing impact.
Step 2: Export evidence via eDiscovery content search
Export the search results to a secure location. This creates a forensic copy of Marcus’ email and OneDrive content from the investigation window.
Step 3: Document chain of custody
For every piece of evidence: record who collected it, when, how, and where it is stored. Example:
“Evidence item: eDiscovery export of m.chen mailbox and OneDrive, date range 1 March — 1 April 2026. Exported by: [investigator name] on [date] at [time] UTC. Export method: Purview Compliance eDiscovery export tool. Storage location: [secure file share path]. Hash verification: [SHA256 of export file].”
If a forensic disk image of LAPTOP-NGE027 is required (legal counsel will advise): this is typically performed by a specialist forensic examiner, not the SOC analyst. The SOC analyst’s role is to identify the need and escalate — not to perform the imaging.
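The three steps above as a Security & Compliance PowerShell script. This is an added example, not the course's own commands: the custodian UPN, OneDrive URL, case name and export path are placeholders, and it assumes the ExchangeOnlineManagement module and the Compliance Administrator role.

```powershell
# Added example (not the course's own commands). Assumes the ExchangeOnlineManagement
# module is installed and the operator holds the Compliance Administrator role.
# The UPN, OneDrive URL, case name and export path are placeholders.
Connect-IPPSSession      # Security & Compliance PowerShell (eDiscovery cmdlets)
Connect-ExchangeOnline   # Exchange Online PowerShell (Set-Mailbox)

$Custodian = 'm.chen@northgate.example'                                              # placeholder UPN
$OneDrive  = 'https://northgate-my.sharepoint.com/personal/m_chen_northgate_example' # placeholder
$CaseName  = 'INV-2026-NGE-MCHEN'                                                    # constructed

# Step 1a: covert preservation through an eDiscovery case hold (no notification to the user)
New-ComplianceCase -Name $CaseName -Description 'Insider threat investigation (covert)'
New-CaseHoldPolicy -Name "$CaseName-Hold" -Case $CaseName `
    -ExchangeLocation $Custodian -OneDriveLocation $OneDrive -Enabled $true
# An empty ContentMatchQuery holds all content in the listed locations
New-CaseHoldRule -Name "$CaseName-HoldRule" -Policy "$CaseName-Hold" -ContentMatchQuery ''

# Step 1b: litigation hold on the mailbox as well (also invisible to the user)
Set-Mailbox -Identity $Custodian -LitigationHoldEnabled $true -LitigationHoldDuration Unlimited

# Step 2: date-bounded search of mailbox (sent date) and OneDrive (modified date), then export
$Query = '(sent>=2026-03-01 AND sent<=2026-04-01) OR ' +
         '(lastmodifiedtime>=2026-03-01 AND lastmodifiedtime<=2026-04-01)'
New-ComplianceSearch -Name "$CaseName-Search" -Case $CaseName `
    -ExchangeLocation $Custodian -SharePointLocation $OneDrive -ContentMatchQuery $Query
Start-ComplianceSearch -Identity "$CaseName-Search"
do { Start-Sleep -Seconds 30; $s = Get-ComplianceSearch -Identity "$CaseName-Search" }
until ($s.Status -eq 'Completed')
"Search complete: $($s.Items) items, $($s.Size) bytes"
New-ComplianceSearchAction -SearchName "$CaseName-Search" -Export -Format FxStream

# Step 3: once the export has been downloaded, hash it and record the chain-of-custody entry
$Export = 'E:\Evidence\INV-2026-NGE-MCHEN\export.pst'   # placeholder storage location
$Hash   = (Get-FileHash -Algorithm SHA256 -Path $Export).Hash
$Entry  = [ordered]@{
    EvidenceItem  = "eDiscovery export of $Custodian mailbox and OneDrive, 1 March to 1 April 2026"
    ExportedBy    = $env:USERNAME
    ExportedAtUTC = (Get-Date).ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')
    Method        = 'Purview Compliance eDiscovery export tool (New-ComplianceSearchAction -Export)'
    Storage       = $Export
    SHA256        = $Hash
}
$Entry | ConvertTo-Json | Set-Content -Path "$Export.custody.json"
# Re-run Get-FileHash and compare against the recorded SHA256 whenever the evidence changes hands
```

The hash recorded in Step 3 is what lets a later custodian prove the export is unchanged, so recompute and compare it at every handover.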
Compliance mapping: NIST CSF RS.AN-1 (Investigations conducted). ISO 27001 A.5.28 (Collection of evidence). SOC 2 CC7.4 (Response to incidents).
Subsection artifact: The evidence preservation procedure with eDiscovery commands and chain of custody template. This is the evidence preservation section of your insider threat investigation playbook.
Forensic imaging considerations
For cases where litigation or criminal prosecution is likely, digital forensic imaging of the device may be required.
When to image: Legal counsel advises that the value of the stolen data justifies the cost and complexity of forensic examination. The subject may have used encryption, file wiping tools, or anti-forensic techniques that require specialist analysis. The subject’s device contains evidence not available in cloud logs (locally stored files, browser history, application data).
Who performs the imaging: A qualified digital forensic examiner — not the SOC analyst. Forensic imaging requires specialist hardware (write-blockers), validated tools (EnCase, FTK, or open-source equivalents), and documented methodology that meets evidentiary standards. The SOC analyst’s role: identify the need for forensic imaging, preserve the device (do not allow the subject to continue using it after the decision to image is made), and hand the device to the forensic examiner with a chain of custody form.
Timing: The device must be imaged BEFORE it is wiped or re-provisioned. Once the subject’s account is disabled and the device is collected (at the HR meeting), the device should go directly to the forensic examiner — not to IT for reprovisioning. Coordinate with IT: “Do NOT wipe LAPTOP-NGE027. It is required for a forensic examination. IT will receive it after the examination is complete.”
Remote device collection. If the subject works remotely: coordinate with HR to arrange device return (courier or in-person collection at a meeting). Until the device is collected, Defender for Endpoint continues logging device activity — preserving evidence in the cloud even if the subject attempts to delete local files.
Try it yourself
Draft a chain of custody document for LAPTOP-NGE027 in the Northgate Engineering scenario. Include: evidence ID, device serial number, collected by (you), collection date/time, collection method (physical handover at HR meeting), storage location (secure IT storage room), access restricted to (investigation team), and hash of any exported data. This is the documentation that maintains evidence integrity from collection to potential court presentation.
What you should produce
A one-page chain of custody form with all fields completed for the scenario. The form should be usable as-is — not a template that requires further design. This is a production artifact that you can adapt for real investigations.
eDiscovery search strategies for insider threat
The eDiscovery search must be targeted — not a full mailbox export. A targeted search preserves relevant evidence while respecting data minimisation principles (UK GDPR).
Search strategy 1: Date-bounded. Export all content from the investigation window (e.g., last 30 days). This captures everything the subject sent, received, and stored during the period of interest. Simple but broad.
Search strategy 2: Keyword-targeted. Export content matching specific keywords: competitor name, project names, product codes, “confidential,” “proprietary.” This narrows the export to potentially sensitive content. More proportionate but may miss exfiltration that does not use obvious keywords.
Search strategy 3: Recipient-targeted. Export all email sent to personal addresses (gmail.com, hotmail.com, etc.) or to the competitor’s domain during the investigation window. This directly targets the exfiltration channel.
Recommended approach: Start with strategy 3 (most targeted, most proportionate). If results are found: expand to strategy 2 to understand the context. If comprehensive evidence is needed (legal counsel advises): use strategy 1.
OneDrive search: Separately search the subject’s OneDrive for files matching product-related keywords, restricted to the file types most likely to hold proprietary content.
The file type filter targets CAD drawings (.dwg, .step) and documents (.pdf, .xlsx) that are most likely to contain proprietary information — rather than exporting every file including personal photos and browser bookmarks.
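The three mailbox strategies and the OneDrive file-type search expressed as KQL content-search queries and registered in the eDiscovery case. This is an added example, not the course's own commands: the UPN, OneDrive URL, case name, competitor domain and keywords are placeholders, and domain-level `recipients:` matching should be verified in your own tenant.

```powershell
# Added example (not the course's own): the three strategies as KQL content-search queries
# plus the OneDrive file-type query, created in the existing eDiscovery case.
# The UPN, OneDrive URL, case name, competitor domain and keywords are placeholders.
$Custodian  = 'm.chen@northgate.example'
$OneDrive   = 'https://northgate-my.sharepoint.com/personal/m_chen_northgate_example'
$CaseName   = 'INV-2026-NGE-MCHEN'
$Competitor = 'competitor.example'
$MailWindow = 'sent>=2026-03-01 AND sent<=2026-04-01'
$FileWindow = 'lastmodifiedtime>=2026-03-01 AND lastmodifiedtime<=2026-04-01'

# Strategy 3 (start here): mail where a To/Cc/Bcc recipient is in a webmail or competitor domain.
# Domain-level matching on the recipients: property is an assumption; confirm it in your tenant.
$PersonalDomains = 'gmail.com','hotmail.com','outlook.com','yahoo.com','icloud.com'
$RecipientTerms  = (($PersonalDomains + $Competitor) | ForEach-Object { "recipients:$_" }) -join ' OR '
$Strategy3 = "($RecipientTerms) AND ($MailWindow)"

# Strategy 2 (expand to this if strategy 3 hits): keyword-targeted; quote multi-word names
$Keywords     = '"project name placeholder"','"product code placeholder"','confidential','proprietary',$Competitor
$KeywordTerms = $Keywords -join ' OR '
$Strategy2    = "($KeywordTerms) AND ($MailWindow)"

# Strategy 1 (only when legal counsel asks for comprehensive evidence): the whole window
$Strategy1 = $MailWindow

# OneDrive: CAD drawings and documents modified in the window that match the product keywords
$TypeTerms     = (('dwg','step','pdf','xlsx') | ForEach-Object { "filetype:$_" }) -join ' OR '
$OneDriveQuery = "($TypeTerms) AND ($KeywordTerms) AND $FileWindow"

# Register the searches; run strategy 3 first and start the others only if the findings justify it
New-ComplianceSearch -Name "$CaseName-S3-Recipients" -Case $CaseName `
    -ExchangeLocation $Custodian -ContentMatchQuery $Strategy3
New-ComplianceSearch -Name "$CaseName-S2-Keywords" -Case $CaseName `
    -ExchangeLocation $Custodian -ContentMatchQuery $Strategy2
New-ComplianceSearch -Name "$CaseName-S1-Window" -Case $CaseName `
    -ExchangeLocation $Custodian -ContentMatchQuery $Strategy1
New-ComplianceSearch -Name "$CaseName-OneDrive" -Case $CaseName `
    -SharePointLocation $OneDrive -ContentMatchQuery $OneDriveQuery
Start-ComplianceSearch -Identity "$CaseName-S3-Recipients"
Get-ComplianceSearch -Identity "$CaseName-S3-Recipients" | Select-Object Name, Status, Items
```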
Check your understanding
1. Why use an eDiscovery hold instead of litigation hold during an active covert investigation?