
Digital Evidence Preservation Guide


Much of the evidence in a cyber incident is lost in the first hour: deleted by the attacker, purged by a platform's automatic clean-up, or destroyed by the victim trying to 'clean up'. KNOMI Cyber's incident team is built around digital forensics, and these are the principles we apply to every case.

Capture before you change anything

The first move is always to capture, not fix. Take full-page screenshots that show the URL, date and time. Save the email's raw source (all headers included), not just the rendered body. Export chat logs and DMs as files wherever the platform allows it. Record the timezone your device clock is set to, because your notes will later be lined up against platform and server timestamps that use a different one.

Preserve the metadata

What separates a screenshot from real evidence is metadata: timestamps, cryptographic hashes, file metadata, header information, and a clean chain of custody. A screenshot is trivial to alter and carries no provenance; a hash taken at capture lets a third party confirm the item has not changed since, and the chain of custody records who held it, when, and what they did with it. KNOMI Cyber's evidence packs include all of this in a structure that police, eSafety, banks and platforms accept.

Evidence checklist

  • Full-page screenshots with URL, date and time visible
  • Original files, not re-shared or re-encoded copies
  • Email headers (the raw message source)
  • SHA-256 hashes of every file, computed at the time of capture
  • A written timeline of what happened and when, with the timezone stated
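The two sections above, preserving metadata and the evidence checklist, come down to a repeatable capture routine. The script below is an added example and not KNOMI Cyber's own tooling: it hashes each captured file as it is collected, records modification and capture times in UTC with the device's local offset, parses a raw email source for the Received chain and the headers investigators ask for, and writes a tamper-evident manifest with a chain-of-custody log. The sample message, the sample files and the manifest layout are this example's own assumptions.

```python
# Added example of an evidence-pack builder; not KNOMI Cyber's tooling.
# Sample message, sample files and manifest layout are this example's assumptions.
import email
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample raw e-mail source (headers + body); not a real message.
SAMPLE_EML = (
    b"Received: from mail.example.net (mail.example.net [203.0.113.5])\r\n"
    b"\tby mx.example.org with ESMTPS id abc123;\r\n"
    b"\tMon, 3 Jun 2024 09:14:22 +1000\r\n"
    b"Received: from [198.51.100.7] by mail.example.net;\r\n"
    b"\tMon, 3 Jun 2024 09:14:20 +1000\r\n"
    b"Message-ID: <20240603091420.0001@mail.example.net>\r\n"
    b"Date: Mon, 3 Jun 2024 09:14:20 +1000\r\n"
    b'From: "Support" <support@example.net>\r\n'
    b"To: victim@example.org\r\n"
    b"Subject: Urgent: verify your account\r\n"
    b"Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.net\r\n"
    b"\r\n"
    b"Please click the link below.\r\n"
)
HEADERS_OF_INTEREST = ("Message-ID", "Date", "From", "To", "Subject", "Authentication-Results")

def sha256_file(path):
    """Stream the file so large exports (chat logs, video) are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def file_record(path):
    """Hash plus what a bare screenshot lacks: size, filesystem modification time
    and capture time, both in UTC, and the local UTC offset of the capture device."""
    p = Path(path)
    st = p.stat()
    return {
        "name": p.name,
        "size": st.st_size,
        "sha256": sha256_file(p),
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
        "captured_utc": datetime.now(timezone.utc).isoformat(),
        "capture_tz_offset": datetime.now().astimezone().strftime("%z"),
    }

def _unfold(value):
    """Collapse RFC 5322 header folding (CRLF plus whitespace) to single spaces."""
    return " ".join(str(value).split())

def email_header_record(raw):
    """Hash the raw source and pull out the headers investigators ask for. Received
    headers are listed top-down, so index 0 is the last hop and the final entry the first."""
    msg = email.message_from_bytes(raw)
    return {
        "raw_sha256": hashlib.sha256(raw).hexdigest(),
        "headers": {h: _unfold(msg[h]) for h in HEADERS_OF_INTEREST if msg[h] is not None},
        "received": [_unfold(r) for r in msg.get_all("Received", [])],
    }

def canonical_hash(obj):
    """Hash a canonical JSON form so the manifest itself is tamper-evident."""
    return hashlib.sha256(
        json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def add_custody_entry(manifest, handler, action):
    """Each entry binds handler, action and time to the hash of the collected items."""
    manifest["custody"].append({
        "handler": handler, "action": action,
        "when_utc": datetime.now(timezone.utc).isoformat(),
        "items_sha256": canonical_hash(manifest["items"]),
    })

def build_manifest(file_paths, raw_emails, handler):
    """Assemble the pack and open the chain of custody with a 'collected' entry."""
    manifest = {"items": {"files": [file_record(p) for p in file_paths],
                          "emails": [email_header_record(r) for r in raw_emails]},
                "custody": []}
    add_custody_entry(manifest, handler, "collected")
    return manifest

def verify_manifest(manifest, base_dir):
    """Re-hash every file; any name returned has changed since collection."""
    return [rec["name"] for rec in manifest["items"]["files"]
            if sha256_file(Path(base_dir) / rec["name"]) != rec["sha256"]]

if __name__ == "__main__":
    # Constructed inputs in a temporary directory so the example runs offline.
    work = Path(tempfile.mkdtemp())
    (work / "screenshot.png").write_bytes(b"\x89PNG\r\n\x1a\n not a real image")
    (work / "chat_export.txt").write_text("2024-06-03 09:20 attacker: pay now\n")
    m = build_manifest(sorted(work.glob("*")), [SAMPLE_EML], "first.responder")
    (work / "manifest.json").write_text(json.dumps(m, indent=2))
    print(json.dumps(m, indent=2))
    print("changed since capture:", verify_manifest(m, work))
```

Run it against a folder of exports and keep `manifest.json` alongside the originals; every later hand-off gets another `add_custody_entry` call, and `verify_manifest` will name any file that no longer matches its capture-time hash. The Received chain is kept in header order, most recent hop first, so the earliest hop (the one closest to the sender) is the last entry in the list.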

What not to do

Don't reply to the attacker. Don't delete messages 'because they're upsetting'. Don't factory-reset, wipe or reinstall a device until its evidence has been captured. Don't post about the incident publicly before reporting it; doing so tips off the attacker and gives them time to remove their traces. KNOMI Cyber helps Australians avoid the well-meaning mistakes that destroy a case.

Frequently asked questions

Are screenshots enough as evidence?

Sometimes, but a screenshot on its own is easy to dispute. Raw headers, capture-time hashes and file metadata are often what tips a case from 'possible' to 'actionable'.

Can KNOMI Cyber help build an evidence pack?

Yes. That's a core part of every KNOMI incident response.

How long should I keep evidence?

At least two years for serious incidents, and longer if a report, claim or prosecution is still open. KNOMI's Secure Evidence Vault keeps it for the life of the plan.