Medical devices in hospital operating rooms are getting increasingly interconnected. This enables them to download instructions and report results with less risk of error compared to traditional manual techniques. However, many of these devices are safety critical. Thus, any risks from cyber-attacks can be extremely high. This paper describes BEEER, a distributed record and replay framework suitable for environments where more than one safety critical device is in simultaneous use. A prominent example is a hospital operating room where a number of networked devices work together. In such scenarios, a key step to forensically analyze an incident is understanding the causality of events produced by devices. BEEER orders events during recording by leveraging the fact that it takes significantly more time for a drug’s effects to come to prominence on a patient compared to device-to-device communication on a local network. During replay, BEEER uses a newly developed token mechanism to coordinate execution of the events. We implemented and evaluated a prototype of BEEER. We found that synchronization for short medical operations can be achieved using Network Time Protocol (NTP). For longer operations we designed and developed a new event ordering protocol (projection protocol) based on vector timestamps. BEEER’s replay mechanism is efficient and therefore suitable for forensics analyses in practice.