Litigation holds are inevitable parts of modern civil lawsuits that mandate an organization to preserve all forms of documents related to a lawsuit. In current data storage models, this includes documents stored in clouds. However, due to the fundamental natures of today's clouds, incorporating a trustworthy litigation hold management system is very challenging. To make the situation more complicated, defendants or plaintiffs may collude with the cloud service provider (CSP) to manipulate the documents under the hold. Serious consequences can follow if a litigant party fails to comply with the litigation hold for evidence stored in the cloud, resulting in legal sanctions for spoliation. This will not only harm the reputation of an organization but also levy of sanctions, such as fines, penalties, etc. In this paper, we define a model of trustworthy litigation hold management for cloud-based storage systems and identify the key security properties. Based on the model, we propose a trustworthy LIitigation hold eNabled Cloud Storage (LINCS) system. We show that LINCS can provide the required security properties in a strong adversarial scenario, where a plaintiff or defendant colludes with a malicious CSP. Our prototype implementation reveals that the performance overhead of using LINCS is very low (average 1.4% for the user), which suggests that such litigation hold enabled storage system can be integrated with real clouds.