Evidence Preservation Checklist
An evidence preservation checklist helps teams identify, preserve, and protect potentially relevant evidence before it is altered, deleted, overwritten, or accessed inappropriately.
Primary Audience & Scope
Investigators, IT, Security, Legal, HR
When to Use
- •Triage, investigation, preservation, containment, or legal review is required.
- •A consistent record is needed across teams.
- •A matter may require later review, audit, or legal defensibility.
Interactive Work Area
Fill or track items interactively and copy out to your Clipboard
Template Table Structure
| Field | Working prompt |
|---|---|
| Case/resource field 1 | Use this field to document: Identify preservation trigger. |
| Case/resource field 2 | Use this field to document: Confirm preservation authority and scope. |
| Case/resource field 3 | Use this field to document: List custodians and systems. |
| Case/resource field 4 | Use this field to document: Preserve email, chat, collaboration, file, endpoint, cloud, IAM, PAM, DLP, SIEM, repository, badge, CCTV, HR, and physical evidence as applicable. |
| Case/resource field 5 | Use this field to document: Record time period covered. |
| Case/resource field 6 | Use this field to document: Restrict access to preserved material. |
| Case/resource field 7 | Use this field to document: Calculate and record hashes for digital evidence when appropriate. |
| Case/resource field 8 | Use this field to document: Start chain-of-custody log. |
Checklist Audit List
Identify preservation trigger.
Confirm preservation authority and scope.
List custodians and systems.
Preserve email, chat, collaboration, file, endpoint, cloud, IAM, PAM, DLP, SIEM, repository, badge, CCTV, HR, and physical evidence as applicable.
Record time period covered.
Restrict access to preserved material.
Calculate and record hashes for digital evidence when appropriate.
Start chain-of-custody log.
Coordinate with legal hold if needed.
Document collection method and location.
What Completion Looks Like
- 1Decision documented.
- 2Owner assigned.
- 3Evidence and actions recorded.
- 4Scope and authority preserved.
- 5Follow-up action created where needed.
Insider Risk Capability Framework™ (IRCF™) Alignment
Operationalize This Template in RiskTKO®
Use RiskTKO® or request ITMG® support to adapt this template, align it to the Insider Risk Capability Framework™, and connect the output to measurable exposure reduction. Chain of Custody Log Template