Digital forensics are becoming increasingly important for the in-vestigation of computer-related crimes, white-collar crimes and massive hacker attacks. After an incident has been detected an appropriate incident response is usually initiated with the aim to mitigate the attack and ensure the recovery of the IT systems. Digi-tal Forensics pursues the goal of acquiring evidence that will stand up in court for sentencing and sometimes opposes contradicting objectives of incident response approaches. The concept presented here provides a solution to strengthen the credibility of digital ev-idence during actions related to incident response. It adapts an approach for data provenance to accurately track the transforma-tion of digital evidence. For this purpose, the affected system and the incident response systems are equipped with a whole system data provenance capturing mechanism and then data provenance is captured simultaneously during an incident response. Context infor-mation about the incident response is also documented. An adapted algorithm for sub-graph detection is used to identify similarities between two provenance graphs. By applying the proposed concept to a use case, the advantages are demonstrated and possibilities for further development are presented.