A ransomware crew encrypts your trading platform on a Friday evening. Your incident responders pull the plug, rebuild from backup, and restore trading by Monday morning. Job done — until the FCA asks for a root cause analysis, the ICO wants to know whose data was exfiltrated, and your insurer demands proof of what the attacker touched. Now you discover the forensic evidence is gone. Wiped during recovery. Overwritten by logs that rotated after 14 days. Lost because nobody preserved volatile memory before the reboot.
This is the failure mode our consultants see most often in UK financial services post-incident reviews. The breach gets contained. The evidence does not survive. And without evidence, disclosure to the FCA under Principle 11 (relations with regulators) becomes guesswork, ICO notification under UK GDPR Article 33 becomes incomplete, and any subsequent civil claim is weakened for lack of reliable material.
Forensic readiness is the discipline of preparing — before an incident — to capture, preserve, and present digital evidence that holds up under regulatory and legal scrutiny. The NCSC has published guidance on it. ISO/IEC 27037:2012 gives the international guidelines for identifying, collecting, acquiring and preserving digital evidence. Yet most UK financial firms treat it as something the incident response retainer will magically deliver at 3am. It will not. Here are seven controls to implement now.
1. Define what you will collect — and where it lives
Forensic investigation preparation starts with an asset-to-evidence map. For every critical system — trading platforms, customer databases, authentication services, email, cloud workloads — document where the forensically useful artefacts sit. That includes Windows Event Logs, sysmon data, EDR telemetry, firewall and proxy logs, cloud audit trails (AWS CloudTrail, Azure Activity Logs, GCP Cloud Audit Logs), VPN concentrator logs, and application-level audit data.
Most firms discover during a real incident that half their logs were never shipped to a central store, the EDR retained 72 hours of telemetry instead of 90 days, and the cloud audit trail was never enabled in the subsidiary's tenant. Map it before you need it. The FCA's operational resilience policy (PS21/3, effective March 2022) expects firms to understand the technology supporting important business services in detail — that mapping doubles as your forensic readiness inventory.
For UK financial services firms with EU-regulated entities in scope of DORA, the same asset-to-evidence map supports DORA's requirement to identify and document ICT assets and the business functions they support, and it gives you the timeline data that DORA's ICT-related incident reports demand. Two regimes, one piece of work.
2. Set retention that survives the investigation timeline
Attackers dwell in networks for weeks before detonating. Mandiant's M-Trends 2024 report put the global median dwell time at 10 days, but a median hides the long tail: a substantial share of intrusions go undetected for months, and the initial access, credential theft and lateral movement that an investigation most needs to reconstruct all precede the encryption event that finally triggers detection. If your logs only retain 14 days, your forensic team is investigating blind for exactly the period that matters most.
Set minimum retention floors per evidence class:
- Authentication and identity logs: 12 months minimum (Entra ID sign-in logs, Okta system logs, AD security events)
- EDR telemetry: 90 days hot, 12 months cold
- Network flow data and DNS: 90 days minimum
- Cloud audit trails: 12 months (CloudTrail, Azure Activity, GCP Audit)
- Email security gateway logs: 12 months
Push everything to immutable, write-once storage: S3 Object Lock in compliance mode (governance mode can be bypassed by a principal holding the right permission), Azure immutable blob storage with a time-based retention policy, or a dedicated SIEM tier with write-once semantics. Competent attackers clear or truncate logs on the hosts they control; if your only copy lives on the compromised host, you have no evidence.
3. Build the chain of custody before the incident
Chain of custody requirements are not a paperwork formality. If your evidence ends up in an employment tribunal, a civil claim, or a criminal prosecution, the other side will ask: who collected this, when, using what tool, how was it hashed, and who handled it between collection and presentation? A gap anywhere in that chain gives them an opening to have the evidence excluded or its weight discounted, and you cannot close that gap after the fact.
Document your chain of custody process now. Specify:
- Who is authorised to collect evidence (named roles, not "IT")
- The forensic imaging tools approved for use (FTK Imager, dd, KAPE, Velociraptor)
- Hashing standard (SHA-256 minimum) applied at collection and verified at every handover
- Physical custody log for any seized hardware
- Secure evidence storage location with access logging
ISO/IEC 27037:2012 is the reference standard. Align to it. If you outsource forensics, your retainer provider should already follow it — verify before you sign.
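As an added example (not code from the page or from Pyralink), here is a minimal chain-of-custody ledger in Python that does what the list above asks for: it hashes evidence with SHA-256 at collection, records who collected it with which tool, re-hashes at every handover and records whether the hashes still match, and chains the ledger entries to each other so that editing or removing an entry is itself detectable. The case ID, analyst names, tool name and file names are constructed for the example.

```python
"""Chain-of-custody ledger: hash at collection, re-verify at every handover.

Added example, not from the page or Pyralink. Names (case ID, analysts, tool)
are constructed. The ledger is a JSON-lines file whose entries chain to each
other by hash, so a deleted or edited entry breaks verification.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB images never need to fit in RAM


def sha256_file(path):
    """Streaming SHA-256 of a file (disk image, memory dump, exported log bundle)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _utc_now():
    return datetime.now(timezone.utc).isoformat()


class CustodyLedger:
    """Append-only JSON-lines custody log. Every entry records the previous
    entry's hash, so removing or altering an entry breaks verify_ledger()."""

    def __init__(self, ledger_path):
        self.path = Path(ledger_path)
        self.entries = []
        if self.path.exists():
            self.entries = [json.loads(line) for line in self.path.read_text().splitlines() if line]

    @staticmethod
    def _entry_hash(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, entry):
        entry["prev"] = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        with open(self.path, "a") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry

    def collect(self, case_id, evidence_path, collector, tool):
        """Record acquisition: who, when, which tool, and the SHA-256 at collection."""
        return self._append({
            "event": "collect", "case_id": case_id, "evidence": str(evidence_path),
            "sha256": sha256_file(evidence_path), "by": collector, "tool": tool, "at": _utc_now(),
        })

    def _collection_hash(self, evidence_path):
        for e in reversed(self.entries):
            if e["event"] == "collect" and e["evidence"] == str(evidence_path):
                return e["sha256"]
        raise KeyError(f"no collection record for {evidence_path}")

    def handover(self, case_id, evidence_path, from_person, to_person):
        """Record a handover. The receiver re-hashes and compares with the collection
        hash; a mismatch is recorded too, because a broken chain must be documented."""
        expected = self._collection_hash(evidence_path)
        observed = sha256_file(evidence_path)
        entry = self._append({
            "event": "handover", "case_id": case_id, "evidence": str(evidence_path),
            "from": from_person, "to": to_person, "expected_sha256": expected,
            "observed_sha256": observed, "verified": observed == expected, "at": _utc_now(),
        })
        return entry["verified"]

    def verify_ledger(self):
        """Recompute every entry hash and back-link; True only if the whole chain holds."""
        prev = "0" * 64
        for e in self.entries:
            if e.get("prev") != prev or self._entry_hash(e) != e.get("entry_hash"):
                return False
            prev = e["entry_hash"]
        return True


def demo():
    """Constructed scenario: collect, clean handover, altered evidence, edited ledger."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "host01.mem"          # stand-in for a memory image
        image.write_bytes(b"abc")
        ledger_file = Path(tmp) / "custody.jsonl"
        ledger = CustodyLedger(ledger_file)
        collected = ledger.collect("IR-0001", image, "analyst.a", "winpmem")
        clean = ledger.handover("IR-0001", image, "analyst.a", "forensic-provider")
        image.write_bytes(b"abd")                 # evidence altered between handovers
        tampered = ledger.handover("IR-0001", image, "forensic-provider", "counsel")
        intact = ledger.verify_ledger()
        # Someone edits the clean handover record on disk; the reloaded chain must break.
        lines = ledger_file.read_text().splitlines()
        lines[1] = lines[1].replace('"verified": true', '"verified": false')
        ledger_file.write_text("\n".join(lines) + "\n")
        return {
            "collected_sha256": collected["sha256"],
            "clean_handover": clean,
            "tampered_handover": tampered,
            "ledger_intact_before_edit": intact,
            "ledger_intact_after_edit": CustodyLedger(ledger_file).verify_ledger(),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A hash-chained file is tamper-evident, not tamper-proof: a collector who can rewrite the whole ledger can rebuild the chain. Keep the ledger in the same access-logged, write-once store as the evidence, and have each handover's receiver keep their own copy of the entry they signed off.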
4. Preserve volatile data before you reboot
The single most common forensic failure our team encounters: the incident response team rebooted the compromised host before capturing memory. Everything in RAM — running processes, network connections, decrypted malware payloads, attacker command-and-control sessions, credentials in cleartext — is gone the moment the power cycles.
Bake memory acquisition into your first-responder playbook. Tools like WinPmem or Magnet RAM Capture on Windows and AVML on Linux take minutes to run and produce evidence that is otherwise irretrievable. Train your SOC analysts to capture memory before any containment action that involves a reboot or power-off; isolating the host at the network or EDR level contains it while leaving RAM intact. For cloud workloads, snapshot the attached volumes before stopping or terminating the instance (AWS, Azure and GCP all support this natively), and remember that a disk snapshot does not capture memory: run the in-guest acquisition tool first, or keep the instance running and isolate it with security group or firewall rules instead.
5. Pre-position legal and regulatory escalation paths
Digital evidence preservation is technical. Reporting obligations are legal. Under UK GDPR Article 33, you have 72 hours from becoming aware of a personal data breach to notify the ICO, unless the breach is unlikely to result in a risk to individuals. Under FCA SUP 15.3, you must notify the regulator immediately on becoming aware of matters with a serious regulatory impact, which includes significant operational or security incidents. PRA-regulated firms have parallel obligations under the PRA Rulebook.
Pre-agree the decision tree now. Who decides whether the 72-hour clock has started? Who drafts the ICO notification? Which external counsel handles privilege? Which forensic firm has a retainer in place with pre-negotiated SLAs? Get these arrangements documented in your incident response plan and rehearse them in tabletop exercises twice a year.
A fractional vCISO engagement is often where this gets formalised — our consultants build the escalation matrix, draft the regulator-facing templates, and run the tabletop. Doing this cold during a live incident wastes the hours that matter most.
6. Lock down cloud forensic capability
Cloud forensics breaks every assumption from on-premises investigations. You do not own the hypervisor, you cannot attach a write-blocker to the underlying disk, and you cannot pull a drive from a rack. Evidence acquisition depends entirely on what the cloud provider exposes through APIs and on what you configured before the incident.
Implementation priorities:
- Enable CloudTrail (AWS), Activity Logs and Defender for Cloud (Azure), and Cloud Audit Logs (GCP) across every account, region, and subscription, including dormant ones; on GCP, Data Access audit logs are off by default for most services and must be switched on explicitly
- Centralise logs to a dedicated security account/subscription that the workload accounts can deliver to but cannot modify or delete from
- Pre-build EBS snapshot and Azure managed disk snapshot automation for incident response
- Document the cross-account IAM roles your forensic team will assume during an incident — test them quarterly
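The retention and immutability floors from control 2 and the cloud logging priorities above are the kind of thing that should be checked by a script rather than by someone's memory. As an added example (not code from the page, Pyralink or AWS), here is a Python readiness check for AWS audit trails: it flags a trail that is not logging, is single-region, misses global-service events, has log file validation off, has no customer managed KMS key, delivers to a bucket outside the security account, or lands in a bucket without compliance-mode Object Lock for at least the retention floor. The trail, status and Object Lock dictionaries are constructed in the shape boto3's `describe_trails`, `get_trail_status` and `get_object_lock_configuration` return, so it runs offline; the account IDs, bucket names and the 365-day floor are assumptions for the example.

```python
"""Readiness check for AWS audit-trail coverage and log immutability.

Added example; not code from the page, Pyralink or AWS. The input dictionaries
are constructed here in the shape returned by boto3's
cloudtrail.describe_trails()["trailList"], cloudtrail.get_trail_status() and
s3.get_object_lock_configuration()["ObjectLockConfiguration"]; in production,
replace them with those calls. SECURITY_ACCOUNT_ID, the account and bucket
names and MIN_RETENTION_DAYS are assumptions for the example.
"""

SECURITY_ACCOUNT_ID = "111111111111"  # assumed central log-archive account
MIN_RETENTION_DAYS = 365              # floor for cloud audit trails from the retention table

# Constructed trail list: an organisation trail done properly and a subsidiary trail that is not.
TRAILS = [
    {
        "Name": "org-trail",
        "HomeRegion": "eu-west-2",
        "S3BucketName": "log-archive-111111111111",
        "IsMultiRegionTrail": True,
        "IncludeGlobalServiceEvents": True,
        "LogFileValidationEnabled": True,
        "IsOrganizationTrail": True,
        "KmsKeyId": "arn:aws:kms:eu-west-2:111111111111:key/assumed-key-id",
    },
    {
        "Name": "subsidiary-trail",
        "HomeRegion": "eu-west-1",
        "S3BucketName": "subsidiary-logs",
        "IsMultiRegionTrail": False,
        "IncludeGlobalServiceEvents": True,
        "LogFileValidationEnabled": False,
        "IsOrganizationTrail": False,
    },
]
# Constructed get_trail_status() results keyed by trail name.
STATUS = {
    "org-trail": {"IsLogging": True},
    "subsidiary-trail": {"IsLogging": False},
}
# Bucket -> owning account, taken from the asset-to-evidence map (constructed).
BUCKET_OWNER = {
    "log-archive-111111111111": "111111111111",
    "subsidiary-logs": "333333333333",
}
# Bucket -> object-lock configuration; None models ObjectLockConfigurationNotFoundError.
LOCKS = {
    "log-archive-111111111111": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 400}},
    },
    "subsidiary-logs": None,
}


def lock_retention(lock_cfg):
    """Return (mode, days) of the bucket's default object-lock retention; (None, 0) if absent."""
    if not lock_cfg or lock_cfg.get("ObjectLockEnabled") != "Enabled":
        return None, 0
    rule = lock_cfg.get("Rule", {}).get("DefaultRetention", {})
    days = rule.get("Days") or 365 * rule.get("Years", 0)
    return rule.get("Mode"), days


def check_trail(trail, status, bucket_owner, lock_cfg):
    """Findings for one trail. Each finding starts with a stable code for filtering."""
    findings = []
    if not status.get("IsLogging"):
        findings.append("NOT_LOGGING: trail exists but delivery is stopped")
    if not trail.get("IsMultiRegionTrail"):
        findings.append(f"SINGLE_REGION: only {trail.get('HomeRegion')} is recorded")
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("NO_GLOBAL_EVENTS: IAM, STS and other global-service calls are missing")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("NO_DIGEST: log file validation off, so deleted or edited log files go unnoticed")
    if not trail.get("KmsKeyId"):
        findings.append("NO_KMS: log files are not encrypted with a customer managed key")
    bucket = trail.get("S3BucketName", "")
    if bucket_owner.get(bucket) != SECURITY_ACCOUNT_ID:
        findings.append(f"BUCKET_IN_WORKLOAD_ACCOUNT: {bucket} is owned by {bucket_owner.get(bucket)}")
    mode, days = lock_retention(lock_cfg)
    # GOVERNANCE mode can be bypassed by a principal holding s3:BypassGovernanceRetention,
    # so only COMPLIANCE mode with a long enough default retention counts as immutable.
    if mode != "COMPLIANCE" or days < MIN_RETENTION_DAYS:
        findings.append(f"WEAK_IMMUTABILITY: object lock {mode or 'absent'} for {days} days, "
                        f"need COMPLIANCE for at least {MIN_RETENTION_DAYS}")
    return findings


def check_account(trails, statuses, bucket_owner, locks):
    """Map every trail name to its findings; an empty list means the trail is forensic-ready."""
    return {
        t["Name"]: check_trail(t, statuses.get(t["Name"], {}), bucket_owner, locks.get(t["S3BucketName"]))
        for t in trails
    }


if __name__ == "__main__":
    for name, findings in check_account(TRAILS, STATUS, BUCKET_OWNER, LOCKS).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it from the security account with a read-only role in each workload account, and treat any non-empty finding list as a defect to fix now; the same codes map cleanly onto the Azure and GCP equivalents (diagnostic settings and immutable blob policies, log sinks and bucket retention locks), which are left out here to keep the example to one provider.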
CloudAuditX identifies cloud logging and evidence-preservation gaps across AWS, Azure, and GCP automatically — exactly the configuration weaknesses that surface during a breach when it is too late to fix them.
7. Rehearse — under realistic pressure
A forensic readiness policy that has never been tested is a document, not a control. Run a quarterly tabletop with a realistic scenario: ransomware on the trading platform, business email compromise targeting the CFO, a malicious insider exfiltrating client data to a personal cloud account. Time the team. Force decisions. Identify where the evidence chain breaks.
Once a year, escalate to a technical exercise — a red team or purple team engagement where actual evidence has to be collected, hashed, and handed off to a forensic provider. The gaps you find in rehearsal are gaps you fix before the regulator finds them for you.
How Pyralink helps
Pyralink Innovation Ltd is a UK cybersecurity firm led by Michael Adedeji (CISM, CISA, CC, MSc Data Science), Founder & Managing Director. Our team builds forensic readiness programmes for UK financial services firms — from evidence retention design and chain of custody documentation to cloud forensic tooling and tabletop facilitation. We integrate forensic readiness into ISO 27001 certification programmes (Annex A controls A.5.24 through A.5.28 cover this directly) and into operational resilience work for FCA-regulated firms. We carry £5M professional indemnity insurance. For more detailed analysis, see our insights or assess your current posture with the free compliance scanner.