Which action is most appropriate when preserving evidence after a breach?

• A. Contains the area and preserve evidence, and initiate incident reporting.
• B. Deletes related logs to speed up investigation.
• C. Alters the sequence of events to fit a narrative.
• D. Moves evidence to a different location.

Answer: (A)

The essential idea is to act quickly to limit damage while maintaining the integrity of the evidence. Containing the area and preserving evidence prevents further tampering or loss and protects the original state of what occurred, which is crucial for forensic analysis and later investigations. At the same time, initiating incident reporting ensures the right people are alerted, the breach is documented, and proper procedures and timelines are followed for containment, investigation, and remediation.

Deleting related logs would erase valuable data that helps establish what happened and when, making the investigation far harder. Altering the sequence of events to fit a narrative undermines trust and corrupts the evidentiary timeline. Moving evidence to another location risks loss or contamination and breaks the chain of custody, which is essential for any later legal or regulatory review.