Why evidence preservation is non-negotiable
In the panic of a ransomware attack, the instinct is to clean up — delete the malicious files, wipe and rebuild the infected machines, restore from backup and move on. This instinct, while understandable, can be extremely costly.
Forensic evidence from a ransomware attack is needed for:
- cyber insurance claims (most policies require evidence of the incident)
- law enforcement investigation
- regulatory compliance notifications
- understanding the attack vector to prevent reinfection
- potential legal action against attackers if they're identified
Much of this evidence is volatile — it exists only in memory or in log files that get overwritten — and once destroyed, it cannot be recreated.
What not to do
Do not delete or overwrite any files on infected systems. Even files that look like ransomware artifacts — the executable that started the encryption, temporary files, ransom notes — should not be deleted until a forensic investigator has had the opportunity to examine them.
Do not run cleanup tools or antivirus scans on infected machines. These tools are designed to delete malware — which is exactly the evidence you need to preserve. Run them after forensic imaging is complete, not before.
Do not restart infected machines (we covered this in Step 1, but it bears repeating). Volatile memory — RAM — may contain encryption keys, attacker tools, and forensic artifacts. A restart wipes RAM permanently.
What to capture and preserve
Ransom notes
Ransom notes contain critical information: the ransomware variant, the attacker's communication method (usually a .onion address or email), the ransom amount, and the payment deadline. Photograph or screenshot every ransom note you find — they sometimes appear as text files (README.txt, HOW_TO_DECRYPT.txt) in every encrypted directory.
System and network logs
Windows Event Logs, firewall logs, VPN logs, email gateway logs, and Active Directory logs contain evidence of how the attack entered your environment and where it moved. These logs have retention limits and may be overwritten if not exported promptly. Ask your IT team or MSP to export and preserve logs from:
- Windows Security Event Log from affected servers and workstations
- Firewall and network logs for the 30 days preceding the attack
- VPN access logs
- Microsoft 365 audit logs (available in the Security & Compliance Center)
- Email gateway logs
- Active Directory authentication logs
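The host-side part of the export list above, as an added PowerShell example (not code from the original guide): run as a local administrator on one affected Windows machine, it copies the raw event log channels to a dated evidence folder and writes a SHA-256 manifest so the exports can be verified later. The evidence path, the channels beyond Security, and the commented-out Microsoft 365 step are this example's own assumptions; firewall, VPN and email gateway logs are vendor-specific and are not covered here.

```powershell
# Added example, not code from the original guide. Exports raw Windows event logs
# from the local host into a dated evidence folder and records a SHA-256 manifest.
# $EvidenceRoot is an assumption: point it at removable or network storage, never
# the infected system drive, so nothing on that drive gets overwritten.

$EvidenceRoot = "E:\Evidence"
$HostName     = $env:COMPUTERNAME
$Stamp        = (Get-Date).ToUniversalTime().ToString("yyyyMMdd-HHmmssZ")
$OutDir       = Join-Path $EvidenceRoot "$HostName-$Stamp"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Channels to preserve, named as wevtutil expects them. Security is the one the
# guide lists; the others commonly hold the remote-access and script-execution
# records that show how an attacker moved between machines.
$Channels = @(
    "Security",
    "System",
    "Application",
    "Microsoft-Windows-PowerShell/Operational",
    "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "Microsoft-Windows-Sysmon/Operational"   # only exists where Sysmon is installed
)

foreach ($Channel in $Channels) {
    $Target = Join-Path $OutDir (($Channel -replace '[\\/]', '_') + ".evtx")
    # "wevtutil epl" copies the channel as an .evtx file, keeping the original
    # records intact rather than a parsed or filtered view of them.
    & wevtutil.exe epl $Channel $Target 2>$null
    if (Test-Path $Target) {
        Write-Host "Exported $Channel -> $Target"
    } else {
        Write-Warning "Could not export $Channel (channel absent or access denied)"
    }
}

# Hash every export so later copies can be checked against the originals.
Get-ChildItem -Path $OutDir -Filter *.evtx |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
    Export-Csv -Path (Join-Path $OutDir "manifest-sha256.csv") -NoTypeInformation

# Microsoft 365 audit logs live in the tenant, not on the host. With the Exchange
# Online PowerShell module installed, the last 30 days can be pulled as below
# (commented out because it needs tenant credentials). Each call returns at most
# 5000 records; larger tenants need the cmdlet's paging (-SessionCommand ReturnLargeSet).
# Connect-ExchangeOnline
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ResultSize 5000 |
#     Export-Csv -Path (Join-Path $OutDir "m365-unified-audit.csv") -NoTypeInformation
```

Writing the exports and the manifest to external storage matters as much as the export itself: deleted artifacts on the infected drive are recoverable only until something overwrites the sectors they occupied.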
Memory capture
If you have access to forensic tools, capturing a memory image (RAM dump) from infected machines before they're shut down can preserve encryption keys and attacker artifacts. This typically requires specialist tools and expertise — it's a task for your incident response team, not something to attempt without training.
Disk images
Before wiping and rebuilding any infected machine, create a forensic disk image. This preserves a complete copy of the machine's state at the time of the attack. Your incident response team can analyze it later without needing the original hardware.
Chain of custody
If you believe law enforcement may become involved, document every action taken with affected machines and evidence: who touched what, when, and why. This "chain of custody" documentation may be required for evidence to be admissible in legal proceedings.
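The "who touched what, when, and why" record, together with the integrity check a disk image needs before it is relied on, as one added PowerShell example (not code from the original guide): each log entry carries the SHA-256 of the evidence item and the SHA-256 of the previous entry, so a re-verification detects any line that was edited or removed and any evidence file that no longer matches its recorded hash. The log path, evidence paths and handler names are placeholders.

```powershell
# Added example, not code from the original guide. Keeps a chain-of-custody log as
# one JSON object per line. Each entry records who did what to which evidence item,
# when (UTC) and why, the SHA-256 of that item (a disk image, an .evtx export, a
# screenshot), and the SHA-256 of the previous line, so an altered or deleted entry
# shows up when the log is re-verified. Paths and names below are placeholders.

function Get-StringSha256 {
    param([Parameter(Mandatory)] [string] $Text)
    $Bytes  = [System.Text.Encoding]::UTF8.GetBytes($Text)
    $Stream = [System.IO.MemoryStream]::new($Bytes)
    try     { (Get-FileHash -InputStream $Stream -Algorithm SHA256).Hash }
    finally { $Stream.Dispose() }
}

function Add-CustodyEntry {
    param(
        [Parameter(Mandatory)] [string] $LogPath,       # e.g. E:\Evidence\custody.jsonl
        [Parameter(Mandatory)] [string] $Handler,       # person performing the action
        [Parameter(Mandatory)] [string] $Action,        # Acquired, Transferred, Verified, ...
        [Parameter(Mandatory)] [string] $EvidencePath,  # the file the action concerns
        [Parameter(Mandatory)] [string] $Reason
    )
    # Link to the previous line; the first entry links to 64 zeros.
    $PrevLine = if (Test-Path $LogPath) { Get-Content -Path $LogPath | Select-Object -Last 1 }
    $PrevHash = if ($PrevLine) { Get-StringSha256 $PrevLine } else { "0" * 64 }

    $Entry = [ordered]@{
        Timestamp       = (Get-Date).ToUniversalTime().ToString("o")
        Handler         = $Handler
        Action          = $Action
        Evidence        = (Split-Path -Path $EvidencePath -Leaf)
        EvidenceSha256  = (Get-FileHash -Path $EvidencePath -Algorithm SHA256).Hash
        Reason          = $Reason
        PrevEntrySha256 = $PrevHash
    }
    $Line = $Entry | ConvertTo-Json -Compress
    Add-Content -Path $LogPath -Value $Line -Encoding UTF8
    return $Line
}

function Test-CustodyLog {
    param(
        [Parameter(Mandatory)] [string] $LogPath,
        [string] $EvidenceDir   # if given, re-hash each item against its last recorded hash
    )
    $Expected = "0" * 64
    $Index    = 0
    $LastSeen = @{}
    foreach ($Line in Get-Content -Path $LogPath) {
        $Index++
        $Entry = $Line | ConvertFrom-Json
        if ($Entry.PrevEntrySha256 -ne $Expected) {
            Write-Warning "Chain broken at entry $Index ($($Entry.Timestamp)): an earlier line was altered or removed"
            return $false
        }
        $Expected = Get-StringSha256 $Line
        $LastSeen[$Entry.Evidence] = $Entry.EvidenceSha256
    }
    if ($EvidenceDir) {
        foreach ($Name in $LastSeen.Keys) {
            $Path = Join-Path $EvidenceDir $Name
            if (-not (Test-Path $Path)) { Write-Warning "$Name is missing from $EvidenceDir"; return $false }
            $Now = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
            if ($Now -ne $LastSeen[$Name]) { Write-Warning "$Name no longer matches its recorded SHA-256"; return $false }
        }
    }
    Write-Host "Chain intact: $Index entries verified"
    return $true
}

# Usage (placeholder paths and names):
# Add-CustodyEntry -LogPath E:\Evidence\custody.jsonl -Handler "J. Smith" -Action Acquired `
#     -EvidencePath E:\Evidence\SRV01-disk.dd -Reason "Forensic image of SRV01 before rebuild"
# Test-CustodyLog -LogPath E:\Evidence\custody.jsonl -EvidenceDir E:\Evidence
```

Record an entry at the moment an image or export is acquired, and again each time it changes hands; the acquisition hash in the first entry is what a later examiner compares against to show the copy they analysed is the one taken from the machine.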
Quick Reference Checklist
- Do NOT delete any files on infected systems
- Do NOT run antivirus or cleanup tools on infected machines
- Do NOT restart infected machines
- Photograph or screenshot all ransom notes
- Export Windows Event Logs from affected systems
- Export firewall, VPN, and network logs for the prior 30 days
- Export Microsoft 365 audit logs
- Document every action taken with a timestamp and who did it
- Engage your incident response team before touching infected machines