AWS VPC Flow Logs

Log Preservation and Snapshot

preserve

Map Exfiltration Channels (HTTP, DNS, Cloud Sync)

analyze

Coordinate Log Collection from Third-Party Vendors

collect

Critical Logs Rotated/Overwritten Before Collection

Key log files (Security EVTX, web server access logs, syslog) have been rotated out or overwritten due to aggressive retention settings, high volume, or attacker manipulation. The evidence window for those sources is now closed.

SIEM Not Ingesting Relevant Log Sources

The SIEM does not ingest logs from the affected systems, applications, or network segments. Correlation, alerting, and historical search capabilities are unavailable for the evidence sources most relevant to this incident.

Legal Requesting Preservation Conflicts with Containment

Legal counsel has issued a preservation hold requiring that certain systems, mailboxes, or data stores remain untouched. This directly conflicts with containment actions like reimaging hosts, resetting accounts, or blocking network segments.

Attacker Used Timestomping, Log Clearing, or Other Anti-Forensics

Evidence of deliberate anti-forensic activity has been found: timestamps modified, event logs cleared, prefetch/shimcache wiped, or tools designed to defeat forensic analysis were executed. Standard timeline analysis may be unreliable.

Cloud or Container Logging Coverage Missing

The investigation depends on cloud-control-plane or container telemetry that was never enabled, was retained too briefly, or was routed to an unavailable destination. This creates blind spots around identity misuse, cluster administration, and workload behavior.

Host Wiped Before Forensic Acquisition

The compromised host has been zeroed or securely wiped (DBAN, `dd if=/dev/zero`, `sdelete`, `shred`) before forensic imaging could begin. Traditional filesystem-carving techniques recover limited content; the investigation must pivot to peer-host artifacts, network telemetry, and cloud/identity records that survived the wipe.

Evidence Chain of Custody Compromised

Evidence handling has gaps or integrity issues (missing hash verification, broken custody log, unauthorized access to evidence storage, transfers without documented handoffs). Evidence may still be technically useful but legal admissibility is compromised; pivot to secondary preservation and early legal assessment.

Law Enforcement Requested Investigation Pause

A law-enforcement agency (FBI, Secret Service, Europol, national police cybercrime unit) has requested that the organization pause or slow-walk active investigation, containment, or notification steps while they pursue their own investigation. This creates tension between legal obligations to customers/regulators and cooperation with LEA.

Deep Anti-Forensics: Timestomping, Rootkits, Secure Delete

The attacker has employed anti-forensic techniques: timestomping ($MFT/$STANDARD_INFORMATION manipulation), log clearing (Security.evtx wiped, journalctl truncated), NTFS alternate data stream hiding, rootkits, file-attribute masking, or secure-delete of specific indicators. Standard forensic analysis produces incomplete or misleading results.

Investigation Requires Air-Gapped Network Access

The affected systems are on an isolated network segment with no connectivity to standard IR tooling (EDR management plane, SIEM, evidence-transfer channels). Acquisition and analysis must happen via physical media or through carefully-controlled trusted-transfer workflows that do not breach the air gap.

Evidence Spans Multiple Jurisdictions with Conflicting Laws

Affected systems or data span multiple countries with differing data-protection, breach-notification, and cross-border transfer laws (GDPR, data-residency rules, PIPL, LGPD, state-level US laws). Acquisition and analysis that is lawful in one jurisdiction may be unlawful in another. Engage legal counsel early and plan in-region processing.

AWS VPC Flow Log Export

linux — cloud