
Protecting SCADA systems in the Oil & Gas sector: how to secure critical infrastructure against cyber threats
2 de July de 2026Digital evidence in cybersecurity refers to any valuable information or data stored, received, or transmitted by an electronic device that can be used to establish facts during a security incident, an audit, or legal proceedings. Ensuring its admissibility and integrity requires maintaining a strict chain of custody, applying standards such as ISO/IEC 27037, and designing security architectures that guarantee the immutability of data from the moment it is created.
Virtually all activity within an organization today leaves a digital footprint. Every authentication, access to a corporate application, modification to a database, remote administration session, or interaction with an industrial system generates information that, under certain circumstances, can become decisive legal and technical proof.
Just a few years ago, digital evidence was a concept reserved for computer forensics laboratories, law enforcement agencies, or courts, almost exclusively tied to criminal investigations or litigation over technological crimes. In the corporate environment, that reality has changed completely.
Cyberattacks are increasingly sophisticated, European regulations demand a growing audit capacity, and incidents must be investigated quickly to minimize their operational and reputational impact. In this context, the question is no longer whether a company has activity logs or records, but whether those logs can be used as complete, verifiable, and legally valid digital evidence.
A simple log might indicate that a user logged into a server. Properly preserved digital evidence can prove who that user really was, what device they accessed from, what specific actions they took, how long they remained connected, and prove, without a margin of doubt, that there was no subsequent modification to the recorded information. This objective reconstruction capability makes digital evidence one of the most valuable assets in a modern cybersecurity and compliance strategy.
From digital forensics to corporate governance
Digitalization has broadened the traditional concept of forensic evidence. Today, practically any connected system generates information that could become technical or judicial proof: Active Directory authentication logs, sessions opened by system administrators, operations on critical applications, transfers of sensitive information, external supplier access, or activity correlated by a SIEM (Security Information and Event Management) system.
However, retaining information is not the same as preserving evidence. The difference lies in trust and immutability. For evidence to be useful in an audit or litigation, it must be proven that it genuinely comes from the system that claims to have generated it, that it has not been modified since its creation, and that there is complete traceability regarding who has had access to it throughout its lifecycle.
The impact of regulatory frameworks on digital evidence
Regulatory evolution has shifted the burden of proof onto the companies themselves. It is no longer enough to have documented security policies: it is mandatory to demonstrate, with immutable data, exactly what happened.
| Framework / Regulation | Impact on Digital Evidence Management |
| ISO/IEC 27037 | International reference standard. Defines guidelines for identifying, collecting, acquiring, and preserving digital evidence, ensuring its legal admissibility. |
| NIS2 Directive | Requires essential and important entities in Europe to report incidents within strict timeframes (24/72 hours) and to demonstrate breach traceability using technical evidence. |
| DORA (Financial Sector) | Requires financial entities to have demonstrable digital operational resilience, including the ability to audit and reconstruct incidents using immutable logs. |
| National Security Scheme (ENS) | In Spain, establishes categorical requirements for logging user activity and protecting audit trails against tampering. |
| GDPR | Requires organizations to proactively demonstrate (accountability principle) how they protect data and the exact scope of any information leak. |
Digital evidence thus ceases to be a tool exclusive to Incident Response (DFIR) teams and becomes an essential component of corporate governance and risk management.
Real cases: why evidence decides the outcome of an incident
The importance of correctly preserving digital evidence is not just theoretical. The most significant incidents worldwide prove that the ability to accurately reconstruct a cyberattack is the difference between corporate survival and a devastating crisis.

SolarWinds: when historical evidence is the only defense
One of the most revealing examples is the supply chain attack on SolarWinds, discovered in late 2020. In this nation-state attack, attributed to the APT29 group, attackers compromised the Orion monitoring software and introduced the malicious Sunburst code, affecting thousands of organizations, US federal agencies, and multinational tech companies.
Beyond the sophistication of the initial attack, the case revealed something alarming: the attackers operated stealthily in the victims’ networks for over nine months without being detected, forging SAML tokens and moving laterally through cloud environments like Microsoft 365.
The ability to investigate this massive incident depended entirely on the quality of historical digital evidence. Only organizations that had implemented architectures capable of preserving activity logs, network events, endpoint telemetry, and authentication logs long-term, with their integrity and chain of custody intact, could reconstruct the attackers’ lateral movement. Companies that overwrote their logs every 30 days were left completely blind, unable to determine which emails had been read or what data had been exfiltrated.
SolarWinds proves that properly preserved evidence is not only useful for immediate containment. It is vital for investigating Advanced Persistent Threats (APTs) that operate in the shadows for long periods.
Hospital Clínic of Barcelona: critical data-driven recovery
On a national level, a paradigm case was the ransomware attack suffered by the Hospital Clínic of Barcelona on March 5, 2023. The criminal group RansomHouse stole nearly 4.5 TB of data from patients, professionals, and suppliers, blocked access to critical systems, emergency room, laboratory, pharmacy, and forced the shutdown of multiple healthcare services.
The containment and recovery process required an unprecedented technical deployment. Collection, isolation, and analysis of digital evidence were essential to understand the entry vectors, identify compromised servers, and prioritize the safe restoration of clinical activity without the risk of reinfection.
Both incidents provide a fundamental lesson: the initial goal when facing a breach is to contain the attack and recover operations, but the real incident management begins afterward. The organization needs to accurately reconstruct the anatomy of the attack, and that forensic reconstruction is only possible when digital evidence has been protected from the very first second.
The digital chain of custody: the pillar of legal validity
What is the digital chain of custody?
In cybersecurity, the digital chain of custody is the technical and documentary procedure that guarantees an electronic proof has not been altered, replaced, or destroyed from the moment of its collection until its presentation in an audit or trial.
There is a widespread misconception that evidence only loses its validity when a cybercriminal manages to actively modify it, for example, by deleting logs. However, cybersecurity audits reveal that most evidence is invalidated much earlier due to deficiencies in the organization’s own IT architecture. It is common to find companies that:
- Store their logs on servers where the same administrators generating the events retain modification or deletion permissions (conflict of interest).
- Distribute logs across multiple silos without cryptographic mechanisms to ensure their immutability.
- Allow privileged access using shared accounts, such as admin or root, breaking the principle of non-repudiation.
In these scenarios, when the company tries to submit this information in a legal or regulatory process, it is impossible to certify that it was not manipulated. The evidence ceases to inspire trust because the system’s design itself allows for reasonable doubt.
Essential techniques for preserving evidence
For a chain of custody to be solid, systems must incorporate controls by design (security by design):
- Cryptographic hashing: Generating unique signatures (like SHA-256) for log files at the moment of their creation to detect any future alteration.
- Time stamping and NTP synchronization: Organizations like NIST consider it critical that all systems use the same time source. If an attacker breaches the system at 02:17 and the firewall has a five-minute offset compared to the domain controller, the chronological reconstruction of events is invalidated.
- WORM (Write Once, Read Many) Storage: Sending critical audit trails to immutable storage systems, where data can be read but not rewritten or deleted before its legal retention period expires.
Zero Trust architecture and identity management: the origin of the proof
The evolution of cybercriminal tactics shows that most initial intrusions no longer exploit software vulnerabilities (zero-days), but rather compromise legitimate identities. Stolen credentials, MFA fatigue, or poorly managed third-party access. This shifts the evidence paradigm: every authentication constitutes the first link in the future chain of custody.
Identity as contextual evidence
For years, companies relied on traditional audit logs. They are necessary, but insufficient: one log indicates a login; another, an executed command; another, an SQL query. This is fragmented information.
Modern architectures aim for contextual evidence. Technologies like XDR (Extended Detection and Response) and SIEM correlate these silos to build a continuous storyline. But for that story to carry full evidentiary weight, it is vital to integrate advanced identity management:
- PAM (Privileged Access Management): Historically, PAM’s central control was the credential vault: the password is encrypted and injected into the session without the user seeing it. Newer models are evolving toward ephemeral or vaultless access (Zero Standing Privilege), where there is no permanent credential to protect, but a permission granted and revoked at the exact moment of use. In both cases, the common element, and what is relevant for digital evidence, is session brokering. All privileged access goes through a single control point, tied to a specific identity rather than a shared account. The most comprehensive platforms also record the entire session, metadata and often video, generating a much stronger forensic evidence package than a simple access log. This recording capability is not guaranteed in all market solutions and should be verified if session evidence is a compliance requirement.
- ITDR (Identity Threat Detection and Response): While PAM controls access, ITDR audits behavior: it detects if an identity anomalously elevates privileges or performs lateral movement. These platforms add the “why” to the evidence, pinpointing the moment a legitimate identity begins to behave like an attacker.
Zero Trust: every validation generates an auditable trail
The Zero Trust model, never trust, always verify, adds invaluable worth to corporate computer forensics. By requiring verification of not just the password, but also the device’s security posture, geographic location, and real-time risk, it generates a massive volume of metadata. In the event of a cyberattack, the organization can prove not only who entered, but what security policies the system evaluated, in that specific millisecond, to authorize the connection.
The Cosmikal approach: comprehensive traceability by design
Useful evidence is not improvised during a crisis: it is designed in the architecture phase. Waiting for an incident to occur before activating forensic teams is a flawed strategy in the current threat landscape.
As a Spanish manufacturer of cybersecurity technology, at Cosmikal we understand that traceability and the preservation of digital evidence should not be reactive tasks or add-ons, but inherent features of the operational infrastructure.
Endurance and Ranger redefine access to the organization’s critical assets. Instead of allowing direct network connections, traditional VPNs, to critical infrastructures, servers, or OT/ICS environments. These solutions force internal users and suppliers to interact through secure desktops and completely isolated environments.
This isolation architecture pursues a dual objective:
- Drastically reduces the attack surface: Preventing the spread of malware or ransomware from a supplier’s computer into the corporate network.
- Generates complete, contextualized evidence by default: By integrating IAM, PAM, and DLP capabilities into a single environment, any action performed during the session is recorded, signed, and audited.
If an external maintenance technician makes a critical error, or performs a malicious action, on an industrial SCADA system, the response team (SOC/CSIRT) does not have to spend weeks deciphering disjointed logs: they immediately have a complete, visual, and technically immutable representation of the session. This not only speeds up containment but also provides the necessary backing to clarify contractual or legal liabilities.
Conclusion: digital evidence as a strategic asset
In the hyperconnectivity era, data is valuable, but the ability to prove the technical truth is critical. Digital evidence in cybersecurity has transcended the boundaries of forensic labs to consolidate itself as a non-negotiable pillar of corporate trust.
Global incidents like SolarWinds have taught us that resilience is not only measured by the ability to block an attack, but by the capacity to investigate it thoroughly, understand its ramifications, and demonstrate due diligence to regulators, customers, and shareholders.
Ensuring the legal and technical validity of corporate records requires abandoning legacy architectures and embracing models like Zero Trust, where verified identity, session monitoring, and the cryptographic chain of custody operate uninterruptedly. Preserving digital evidence is, today more than ever, a fundamental strategic capability to ensure the survival and legal viability of any organization.
Frequently asked questions (FAQ)
What is considered digital evidence in a corporate environment?
Any electronic information capable of proving a relevant fact during an investigation. Network logs, database records, authentication trails (Active Directory/Entra ID), emails, traffic captures (PCAP), PAM session recordings, and EDR/XDR system telemetry.
What are the requirements for digital evidence to have legal validity in court?
To be admissible, the proof must meet three principles: authenticity (proving it comes from the claimed source), integrity (proving via hashing that not a single bit has been altered), and chain of custody (a documented and uninterrupted record of who collected, stored, and analyzed the information).
What role does the ISO/IEC 27037 standard play in cybersecurity?
It provides global guidelines for first responders to a cyber incident. It standardizes the methods for identifying, collecting, acquiring, and preserving digital evidence, ensuring that the technical procedures used do not invalidate the evidence in cross-border judicial processes.
Why are traditional VPNs a problem for evidence collection?
They grant network-level access, allowing a user, or an attacker, to interact directly with multiple systems. This fragments activity logs across the entire infrastructure, making it difficult to correlate events and create a clear narrative during a forensic analysis.
How does the Cosmikal approach help with incident investigation?
Cosmikal centralizes critical access through isolated environments, Endurance and Ranger, with integrated IAM, PAM, and DLP capabilities. Instead of searching for scattered clues after an attack, the security team has access to complete session recordings, absolute identity traceability, and immutable logs, facilitating fast and legally backed forensic investigations.
Do you want to know how Endurance and Ranger can help you preserve irrefutable digital evidence in your IT and OT environments? Contact our team.




