Why evidence preservation matters more than you think
In the chaos of a ransomware attack, business owners and IT teams instinctively focus on getting systems back online as fast as possible. That instinct is understandable — and it's the single biggest reason forensic evidence gets destroyed.
The first 24 hours of an incident contain irreplaceable evidence: volatile memory contents, network connection logs, attacker-created files, and timestamps that establish the incident timeline. Reboot a machine, restore from backup, or wipe an infected workstation, and that evidence is gone permanently. With it goes your ability to make a cyber insurance claim, pursue law enforcement action, identify the ransomware variant for potential decryption, and prevent the same attack from happening again.
Do not power off, reboot, or wipe affected machines
This rule overrides every other instinct. Until a forensic investigator gives you clearance, infected machines must remain powered on and disconnected from the network — not shut down.
Why this matters:
- Volatile memory (RAM) often contains encryption keys, command-and-control communication details, and active process information. All of this disappears when the machine powers off.
- Active network connections in memory can identify the attacker's infrastructure — IP addresses, domains, and tools — which can be used to identify the threat group.
- Decryption keys for some ransomware variants have been recovered from memory dumps. Power the machine down, and any chance of free decryption goes with it.
- Forensic timeline reconstruction depends on file system metadata that can be altered by reboots, defragmentation, or even normal shutdown processes.
Preserve logs before they roll over
Logs are evidence. They establish the timeline, identify the entry point, and document the attacker's actions inside your environment. The problem: most log systems have retention policies that overwrite older entries within hours or days. You need to capture them before they're gone.
Logs to preserve immediately:
- Windows Event Logs from all affected servers and workstations — especially Security, System, and Application logs
- Microsoft 365 audit logs and Entra ID sign-in logs
- Firewall logs showing inbound and outbound traffic in the days leading up to and during the attack
- VPN connection logs identifying who connected, from where, and when
- Active Directory authentication logs and changes to user accounts or group memberships
- EDR and antivirus alerts and detection events
- Cloud storage access logs (SharePoint, OneDrive, Google Drive)
- Email security platform logs showing inbound phishing or attacker communication
If you have a SIEM or log aggregation platform, export the relevant time windows immediately. If you don't, copy individual log files to a separate clean drive — never to the production network.
Document the attack as you see it
Take photographs and screenshots of everything before anything changes. This sounds obvious, but it's frequently skipped in the rush of response.
- Photograph ransom notes on screen — phone camera is fine
- Screenshot every error message, encrypted file extension, and ransom demand interface
- Photograph any physical evidence — unusual USB devices, attached external drives
- Note the exact filenames of ransom notes (often README.txt, HOW_TO_DECRYPT.html, or variant-specific names)
- Record the cryptocurrency wallet addresses and ransom amounts demanded
- Save copies of any communication from the attacker — email, chat portals, or ransom note text
This evidence is what cyber insurance carriers require to process claims and what FBI investigators need to identify the threat group and potentially recover funds.
Engage forensics before paying or recovering
If you have cyber insurance, your policy almost certainly includes an incident response retainer or panel — pre-approved forensics firms that the carrier will pay for if you call them in early. Calling them is one of your first priorities, not a later step.
Why this order matters:
- Forensics firms can image affected systems before recovery efforts destroy evidence
- They can identify the ransomware variant and check whether free decryptors exist
- They can detect whether attackers still have persistence in your environment — common with sophisticated attacks
- Their work product is what your insurance claim and any regulatory notifications will be built on
If you don't have cyber insurance or your policy doesn't include forensics coverage, this is a paid engagement — but for any business with more than 25 users, it's almost always worth it. The cost of a misdiagnosed recovery is much higher than the cost of a forensic investigation.
Chain of custody for collected evidence
Forensic evidence has to be handled carefully or it loses its value in insurance claims, law enforcement investigations, and any legal proceedings that may follow. Maintain a written chain of custody:
- Who collected the evidence, when, and from which system
- Where the evidence is stored (locked location, encrypted drive)
- Who has accessed the evidence since collection, and for what purpose
- Any copies made and where they were sent (to insurance, law enforcement, forensics)
Even an informal log kept in a spreadsheet is better than nothing. Forensics firms will take over formal chain of custody once they're engaged.
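As an added example (not part of the original guide), the following PowerShell script does the Windows Event Log export from "Preserve logs before they roll over" and starts the written chain of custody described above in one pass: it copies each log to a clean drive, records a SHA-256 hash, and writes the who/when/where rows as a CSV. Assumptions: it is run from an elevated prompt on the affected machine, E:\Evidence is the clean non-production drive (a placeholder path), and the collector's name is passed as a parameter.

```powershell
# Added example, not the guide's own tooling. Exports the Security, System and
# Application logs to a clean drive and records a chain-of-custody row per file.
param(
    [Parameter(Mandatory)] [string] $Collector,      # who collected the evidence
    [string] $EvidenceRoot = 'E:\Evidence'           # clean drive; placeholder path
)

$computer = $env:COMPUTERNAME
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest     = Join-Path $EvidenceRoot "$computer-$stamp"
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Re-hash every stored item and compare with the hash recorded at collection.
function Test-EvidenceIntegrity([string] $CustodyCsv) {
    Import-Csv $CustodyCsv | ForEach-Object {
        $now = (Get-FileHash -Path $_.StoredAt -Algorithm SHA256).Hash
        [pscustomobject]@{ Item = $_.Item; Intact = ($now -eq $_.SHA256) }
    }
}

# The three logs the guide calls out first; add others (e.g. PowerShell
# Operational, Sysmon) to this list as the investigator requests them.
$logs = @('Security', 'System', 'Application')
$custody = foreach ($log in $logs) {
    $out = Join-Path $dest "$log.evtx"
    # wevtutil epl copies the live log to a file without clearing the source.
    wevtutil epl $log $out
    if (-not (Test-Path $out)) { Write-Warning "Export of $log failed"; continue }

    [pscustomobject]@{
        CollectedAt  = (Get-Date).ToString('o')   # ISO 8601 with timezone offset
        Collector    = $Collector
        SourceSystem = $computer
        Item         = "$log.evtx"
        StoredAt     = $out                       # locked location / encrypted drive
        SHA256       = (Get-FileHash -Path $out -Algorithm SHA256).Hash
        AccessedBy   = ''                         # later access: who and why
        CopiesSentTo = ''                         # insurer, law enforcement, forensics
    }
}

# One CSV per collection. Later access or copies are appended as new rows,
# never edited in place, so the history of handling stays intact.
$custodyCsv = Join-Path $dest 'chain-of-custody.csv'
$custody | Export-Csv -Path $custodyCsv -NoTypeInformation

# Spot-check right away so a bad copy is caught before the drive leaves the room.
Test-EvidenceIntegrity $custodyCsv | Format-Table -AutoSize
```

Hand the CSV over with the drive: the forensics firm can re-run Test-EvidenceIntegrity on receipt to confirm the exports were not altered in transit.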
- Keep infected machines powered on and disconnected — do not shut down or reboot
- Export logs immediately: Windows Event, M365 audit, Entra sign-in, firewall, VPN, AD, EDR
- Photograph and screenshot ransom notes, error messages, and encrypted file extensions
- Document a timeline of discovery and every response action
- Engage cyber insurance panel forensics firm before attempting recovery
- Maintain a written chain of custody for any evidence you collect
- Save cryptocurrency wallet addresses and ransom communications for law enforcement
What's next: Step 4: Attack Vector
Once you've completed this step, the next priority is identifying the attack vector — how the attackers got in. That's covered in Step 4 of this guide.