Legal Requesting Preservation Conflicts with Containment
Legal counsel has issued a preservation hold requiring that certain systems, mailboxes, or data stores remain untouched. This directly conflicts with containment actions like reimaging hosts, resetting accounts, or blocking network segments.
Signals
- Legal has issued a litigation hold notice covering systems in the blast radius
- Containment actions (wipe, reimage, account disable) are being blocked pending legal review
- Regulatory counsel is requiring full evidence preservation before any remediation steps
Pivot Actions
1. Perform forensic images (bit-for-bit) of all systems under hold BEFORE executing containment to satisfy both objectives
2. Coordinate with legal to define the minimum preservation set so containment can proceed on non-held assets
3. Use network-level isolation (VLAN quarantine, firewall block) as a non-destructive containment method that preserves host state
4. Document chain-of-custody for every image and export to demonstrate preservation compliance
5. Propose a phased approach: image first, isolate second, reimage only after legal sign-off
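The phased sequence above (image, verify, isolate, reimage only after sign-off) and the chain-of-custody record from step 4 can be enforced rather than just agreed on. The following is an added illustration, not part of this playbook or any tool it names: it copies a constructed stand-in "device" file bit-for-bit, verifies the image by SHA-256, keeps a hash-chained custody log, and refuses the destructive reimage step until both a verified image and a recorded legal sign-off exist. Case ID, host, operator and counsel names are placeholders.

```python
"""Phased preservation-then-containment workflow (added example, not playbook code)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads, comparable to dd bs=1M


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(src_path, dst_path):
    """Bit-for-bit copy; returns (hash of source as read, hash of written image)."""
    src_h = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_h.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    return src_h.hexdigest(), sha256_file(dst_path)


class PreservationWorkflow:
    """Tracks one held asset through image -> verify -> isolate -> reimage."""

    def __init__(self, case_id, asset, operator):
        self.case_id, self.asset, self.operator = case_id, asset, operator
        self.image_verified = False
        self.isolated = False
        self.legal_signoff = None
        self.custody_log = []  # each entry commits to the previous entry's hash

    def _record(self, event, **fields):
        prev = self.custody_log[-1]["entry_hash"] if self.custody_log else "0" * 64
        entry = {"case_id": self.case_id, "asset": self.asset, "operator": self.operator,
                 "timestamp": datetime.now(timezone.utc).isoformat(),
                 "event": event, "prev_hash": prev, **fields}
        body = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = hashlib.sha256(body).hexdigest()
        self.custody_log.append(entry)
        return entry

    def acquire_image(self, device_path, image_path):
        src_hash, img_hash = image_device(device_path, image_path)
        self.image_verified = src_hash == img_hash
        self._record("image_acquired", source_sha256=src_hash,
                     image_sha256=img_hash, verified=self.image_verified)
        return self.image_verified

    def isolate(self, method):
        """Non-destructive containment: host state stays intact, network is cut."""
        self.isolated = True
        return self._record("network_isolated", method=method)

    def record_legal_signoff(self, counsel):
        self.legal_signoff = counsel
        return self._record("legal_signoff", counsel=counsel)

    def reimage(self):
        """Destructive containment: gated on a verified image AND legal sign-off."""
        if not self.image_verified:
            raise PermissionError("no verified forensic image for held asset")
        if self.legal_signoff is None:
            raise PermissionError("legal sign-off required before destroying host state")
        return self._record("host_reimaged")

    def verify_custody_log(self):
        """Recompute every entry hash and link; False if any entry was altered."""
        prev = "0" * 64
        for entry in self.custody_log:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["prev_hash"] != prev or digest != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def run_demo():
    """Run the phased workflow on a constructed 4 MiB file standing in for a disk."""
    workdir = tempfile.mkdtemp()
    try:
        device = os.path.join(workdir, "sdb")  # constructed sample, not a real device
        with open(device, "wb") as f:
            f.write(os.urandom(4 * CHUNK))
        wf = PreservationWorkflow("CASE-0000-EXAMPLE", "host-example", "analyst.example")
        verified = wf.acquire_image(device, os.path.join(workdir, "host-example.dd"))
        wf.isolate("vlan-quarantine")
        blocked = False
        try:
            wf.reimage()  # must fail: counsel has not signed off yet
        except PermissionError:
            blocked = True
        wf.record_legal_signoff("counsel.example")
        wf.reimage()
        return {"verified": verified, "reimage_blocked_before_signoff": blocked,
                "events": [e["event"] for e in wf.custody_log],
                "log_intact": wf.verify_custody_log()}
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The gate in `reimage()` is the point: isolation is always allowed because it preserves host state, while the destructive step is refused until both conditions the playbook names are on record. In a real acquisition the source would be a write-blocked device and the hashes would be copied into the case file alongside the image.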
Alternate Evidence Sources
- Forensic disk images satisfying preservation requirements while freeing the physical host for containment
- M365 eDiscovery / Purview hold preserving mailbox and OneDrive data independently of the endpoint
- Cloud snapshot (Azure VM snapshot, AWS EBS snapshot) preserving disk state without blocking containment