Episode 9 — Preserve cloud evidence correctly so investigations remain reliable and defensible

This episode explains how to preserve evidence in cloud environments so your investigation remains trustworthy and your conclusions can withstand scrutiny. You’ll define evidence sources in cloud terms, including identity logs, control-plane activity, data access logs, workload telemetry, and configuration history, then discuss why integrity and chain-of-custody considerations still apply. We’ll cover best practices like centralized log storage, immutability controls, least-privilege access to evidence repositories, and careful use of snapshots or exports that avoid altering the system state unnecessarily. You’ll also learn troubleshooting considerations, such as gaps caused by disabled logging, retention limits, region variance, and clock drift that breaks timelines. By the end, you’ll be able to identify what to collect first and how to protect it from tampering during a live response. Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.