Cybercrime Evidence Lifecycle: Preservation, Validation, and Adversarial Destruction Tradecraft Under Modern Adversary Capability

Modern cybercrime evidence operates under a 4-6 order-of-magnitude time-constant mismatch between adversary destruction (sec-min) and warrant-based preservation (h-d). We characterize the evidence lifecycle as a 6-stage pipeline, enumerate adversary destruction tradecraft per stage, and derive a front-loaded preservation doctrine. Proxy simulation (N=1,000) shows front-loaded preserves 39% vs reactive 6.3% (6.2x improvement). Bilateral preservation reciprocity adds +7.4pp. Stage-sensitivity tornado reveals leverage shifts from S1 (reactive) to S3 (front-loaded) as architecture is deployed. Cost-of-doctrine analysis identifies front-loaded alone as the cost-Pareto-optimum. This paper is part of the AIACW (AI-Autonomous Cyber Weapons) ResearchProgramme, Wave 2 (papers P10-P20). Wave 1 (P1-P9) was deposited atpeer-review venues 2026-Q2 (NDSS, ACM CCS, IEEE S&P, USENIX Security,Oxford J. of Cybersecurity, ACM Computing Surveys). Wave 2 establishesthe empirical interior. P19 (cross-paper integration test) and P20(methodology meta-paper) provide programme-level validation anddocumentation.