Evidence Checklist (Internal)
Identity & Access
- Admin roles list
- MFA enforcement screenshot/config
- Guest/externals settings
Email/Collaboration
- Anti-phishing settings
- SPF record result (present/missing, obvious syntax issues)
- DMARC record result and policy (
none,quarantine,reject) - DMARC reporting mailbox (
rua/ruf) configured or missing - DKIM selector result (known selector/provider, resolvable or not)
- MX provider snapshot
- External forwarding controls
- Gmail Postmaster / SNDS / Yahoo CFL status for bulk senders
- Sharing defaults snapshot
Endpoints
- Inventory counts
- Patch posture snapshot
- Encryption posture snapshot
Backups/Restore
- Coverage/job list snapshot
- Retention snapshot
- Restore test:
- start time
- end time
- result
- blockers
Ops readiness
- Incident roles/contact tree
- Vendor escalation path
- Documentation/runbook snapshot
Evidence rules
- Capture just enough to support claims
- Sanitize: blur names/emails/IDs where needed