Why this matters
Most Malaysian organisations lose forensic evidence in the first hour of an incident — and they lose it to themselves. Well-intentioned IT staff reboot a compromised workstation, run antivirus scans, browse to malicious domains, or shut down servers to limit damage. Each of those actions destroys ephemeral evidence (RAM, network connections, running processes, timestamps) that a forensic analyst cannot recover. By the time external responders arrive, the case is materially weaker.
This guide is for the IT first responder — the on-call admin, network engineer, SOC analyst or helpdesk lead who is the first technical person to engage when something goes wrong. The goal is to preserve evidence in a state that supports a subsequent forensic investigation, internal disciplinary action or, if needed, criminal proceedings under Malaysian law.
First-responder checklist
- Stop touching. The moment you suspect a security incident, stop interacting with the affected system. Do not open files, run commands or scroll through logs locally — every action overwrites volatile state.
- Notify the IR lead. Trigger your incident-response process. If you do not have one, escalate to the CISO, Head of IT, or — for retainer clients — your external IR provider.
- Document everything. Start a notebook (paper or a separate device). Record the time you observed the issue, what you saw, who you notified and at what time. This becomes part of the legal record.
- Isolate, do not power off. Disconnect the affected device from the network (unplug cable, disable Wi-Fi via switch, isolate the VLAN). Do not shut down or reboot. Volatile memory dies on power loss.
- Preserve volatile data first. If you have an authorised forensic responder available, they will capture RAM, running processes, network connections, mounted volumes and clipboard contents before disk imaging.
- Image the disk. Use a write-blocker. Take an MD5 and SHA-256 hash before and after imaging. Work from the image; never analyse the original.
- Preserve logs. Copy SIEM data, firewall logs, AD authentication logs, DNS logs, EDR telemetry and cloud audit logs for the affected window (at minimum from 7 days before the incident through to the present, and keep collecting while the incident is live). Get them off systems that retention policies might purge.
- Photograph the scene. If the device is physical, photograph it in place — screen state, cabling, surrounding environment, serial numbers.
- Chain of custody form. Begin a chain of custody document immediately. See below for required fields.
- Hand off to forensics. Transfer evidence under documented custody to your forensic team. Maintain the chain.
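The "Image the disk" step above, as an added example that is not part of this guide or of any vendor tool: a small POSIX shell routine that hashes the source before imaging, copies it with dd, hashes both the image and the source again, and writes a manifest so the image can be re-verified later. It assumes GNU coreutils (dd, md5sum, sha256sum) on a Linux responder machine and a source that is either a block device behind a hardware write-blocker or, for the demo at the bottom, a constructed file; the manifest layout and the function names are conventions of this example only.

```shell
#!/bin/sh
# Added example, not part of the original guide: image a source and record MD5 and
# SHA-256 before and after, as the checklist's "Image the disk" step requires.
# Assumptions: GNU coreutils (dd, md5sum, sha256sum) on a Linux responder box;
# SOURCE is a block device (e.g. /dev/sdb) attached through a hardware write-blocker,
# or, for the demo at the bottom, a constructed file. The manifest layout and the
# function names are conventions of this example only.

# hash_both FILE: print "<md5> <sha256>" for FILE.
hash_both() {
  printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" "$(sha256sum "$1" | cut -d' ' -f1)"
}

# image_and_verify SOURCE IMAGE: hash SOURCE, copy it to IMAGE with dd, then hash
# both again. Writes IMAGE.manifest and returns 0 only when all three hash pairs
# agree, i.e. the image is faithful and the source was not altered by imaging.
# On media with read errors use dc3dd or ddrescue rather than plain dd: dd stops
# at the first unreadable block, whereas those tools handle and log bad sectors.
image_and_verify() {
  src="$1"; img="$2"
  before=$(hash_both "$src") || return 2
  dd if="$src" of="$img" bs=1048576 2>/dev/null || return 2
  after_img=$(hash_both "$img") || return 2
  after_src=$(hash_both "$src") || return 2
  {
    printf 'source=%s\nimage=%s\nacquired_utc=%s\n' "$src" "$img" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf 'source_before md5=%s sha256=%s\n' $before
    printf 'image_after   md5=%s sha256=%s\n' $after_img
    printf 'source_after  md5=%s sha256=%s\n' $after_src
  } > "$img.manifest"
  [ "$before" = "$after_img" ] && [ "$before" = "$after_src" ]
}

# verify_image IMAGE: re-hash IMAGE later (before analysis, or when preparing for
# court) and compare with the SHA-256 recorded in IMAGE.manifest at acquisition.
verify_image() {
  img="$1"
  recorded=$(sed -n 's/^image_after .*sha256=//p' "$img.manifest")
  current=$(sha256sum "$img" | cut -d' ' -f1)
  [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# Demo on a constructed file standing in for the write-blocked device.
demo_dir=$(mktemp -d)
printf 'constructed sample evidence, not real data\n' > "$demo_dir/source.bin"
if image_and_verify "$demo_dir/source.bin" "$demo_dir/source.dd"; then
  echo "image verified, hashes match:"
  cat "$demo_dir/source.dd.manifest"
else
  echo "HASH MISMATCH: stop and escalate before touching the evidence again"
fi
```

The manifest records three hash pairs deliberately: the source hash taken twice proves the write-blocker did its job (the original was not modified by the act of imaging), and the image hash is the value that goes on the chain of custody form and is re-checked with verify_image every time the image changes hands.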
Chain of custody fields
A defensible chain of custody form should capture:
- Case reference and incident date/time
- Evidence item description (make, model, serial, asset tag, hostname)
- Acquisition method and tool (e.g. FTK Imager, dd, dc3dd; hashing algorithm and value)
- Acquired by (name, role, signature, date/time)
- Storage location and conditions
- Each subsequent transfer: from, to, date/time, signature, purpose
- Final disposition
What NOT to do
- Do not reboot or shut down — volatile state is destroyed.
- Do not run antivirus or EDR on-demand scans — file metadata is altered, attacker tools may be quarantined and destroyed.
- Do not browse to attacker URLs from the affected device or your workstation — you may be served further malware or be logged by the attacker.
- Do not open files to "check what they contain" — access timestamps change, embedded triggers may detonate.
- Do not delete suspicious files — the forensic team needs them.
- Do not log in to a compromised system with privileged credentials — you may expose credentials to the attacker.
- Do not announce publicly or to wider staff until comms approves — premature disclosure tips off attackers and breaches PDPA notification protocols.
Malaysian Evidence Act 1950 considerations
Under the Evidence Act 1950, digital evidence is admissible in Malaysian courts provided its authenticity, integrity and chain of custody can be demonstrated. Sections 90A and 90B specifically address computer-generated evidence and documents produced by computers. The practical implications for first responders are:
- Hashing the evidence at acquisition is critical — it is how integrity is later demonstrated in court.
- The person who acquired the evidence may need to attest to the process and tools used.
- The system from which the evidence was acquired needs to be shown to have been functioning correctly at the time.
- Chain of custody must be unbroken from acquisition to presentation.
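An added example, not part of this guide, covering both the chain of custody fields listed earlier and the "unbroken from acquisition to presentation" requirement just stated: a tab-separated custody log with one line per transfer, and a check that rejects a log whose chain is broken (a transfer whose "from" is not the previous "to"), out of order in time, missing a sequence number, or unsigned. The six-column layout, the function names and the sample names and dates are this example's own constructed conventions, not a Malaysian or any other official form.

```shell
#!/bin/sh
# Added example, not part of the original guide: a minimal tab-separated chain of
# custody log and a check that the chain is unbroken. Assumed columns (a convention
# chosen for this example, not a standard): seq, from, to, datetime (UTC, ISO 8601,
# so that string order equals time order), purpose, signature/initials.
# Requires only POSIX sh and awk.

# coc_init LOG: start a new log with the header row.
coc_init() {
  printf 'seq\tfrom\tto\tdatetime_utc\tpurpose\tsignature\n' > "$1"
}

# coc_add LOG FROM TO DATETIME PURPOSE SIGNATURE: append one transfer. The header
# is line 1, so the current line count is the next sequence number.
coc_add() {
  log="$1"
  seq=$(( $(wc -l < "$log") ))
  printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$seq" "$2" "$3" "$4" "$5" "$6" >> "$log"
}

# coc_verify LOG: report every defect in the chain and return non-zero if any.
coc_verify() {
  awk -F'\t' '
    NR == 1 { next }                                   # header row
    NF != 6 { printf "line %d: expected 6 fields, got %d\n", NR, NF; bad = 1 }
    $1 != NR - 1 { printf "line %d: sequence gap (seq %s)\n", NR, $1; bad = 1 }
    prev_to != "" && $2 != prev_to {
      printf "line %d: custody break: %s -> %s, but previous holder was %s\n", NR, $2, $3, prev_to
      bad = 1
    }
    prev_ts != "" && $4 <= prev_ts {
      printf "line %d: timestamp %s is not after %s\n", NR, $4, prev_ts; bad = 1
    }
    $6 == "" { printf "line %d: unsigned transfer\n", NR; bad = 1 }
    { prev_to = $3; prev_ts = $4 }
    END { exit bad }
  ' "$1"
}

# Demo with constructed entries (names and dates are invented).
demo_log=$(mktemp)
coc_init "$demo_log"
coc_add "$demo_log" "ACQUISITION" "A. Responder (IT on-call)" "2024-01-01T08:15:00Z" \
  "Disk imaged with write-blocker; SHA-256 recorded in manifest" "AR"
coc_add "$demo_log" "A. Responder (IT on-call)" "Evidence safe, Server Room B" "2024-01-01T09:00:00Z" \
  "Secure storage pending forensic handover" "AR"
coc_add "$demo_log" "Evidence safe, Server Room B" "B. Analyst (forensics)" "2024-01-02T10:30:00Z" \
  "Handover for analysis" "BA"
if coc_verify "$demo_log"; then
  echo "chain of custody unbroken"
else
  echo "CHAIN BROKEN: see messages above"
fi
```

The first entry uses the literal holder "ACQUISITION" as its "from" so that the acquisition event itself is in the log; every later line must name the previous "to" as its "from", which is exactly what a court will look for when the chain is challenged.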
For matters that may end up in court — financial fraud, intellectual property theft, criminal cyber activity — engage a qualified forensic team early. The cost of getting evidence preservation wrong is not recoverable.
When to escalate to external responders
Escalate immediately if you suspect: nation-state activity, ransomware in progress, exfiltration of personal data (PDPA implications), insider data theft, or any incident affecting regulated workloads (banking, healthcare, NCII). See our incident-response service for retainer options, or our digital forensics service for one-off engagements. For ongoing readiness, see our tabletop exercise guide.
Related reading: Digital Forensics vs Incident Response.