0invader

Post-Breach Forensics: The Critical First 48 Hours

February 26, 2026

In the first two days after a breach, well-meaning teams routinely destroy the very evidence that would have told them what happened. Here is what to preserve, what to cut, and the order that keeps your options open.

When a breach is confirmed, two clocks start at once. One is operational: stop the bleeding, restore service, reassure stakeholders. The other is forensic: preserve the evidence that will tell you what was taken, how, and whether the attacker is still inside. These clocks pull in opposite directions, and in the first 48 hours, the operational one usually wins — at great cost.

We are repeatedly called into investigations where the most valuable evidence was destroyed not by the attacker but by the response. Reimaging an infected machine before capturing it. Powering off a server and losing everything in volatile memory. Deleting attacker artefacts in a rush to "clean up." Each of these is understandable under pressure, and each can blind an investigation permanently.

Preserve before you remediate

The instinct to wipe and rebuild is strong, but capture first. In practice that means:

  • Capture volatile memory before powering anything down — running processes, network connections, and encryption keys often live only in RAM.
  • Preserve logs immediately, and pull them off the affected systems. Attackers tamper with or rotate logs; assume yours are a target.
  • Image affected disks rather than working on the live system, so the original state is frozen and defensible.
  • Record your own actions with timestamps. Who did what, when. This protects both the investigation and the responders.
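As an added illustration of the last two points, not code from the original post, here is a small Python chain-of-custody log: every responder action gets a UTC timestamp, every acquired image gets a SHA-256 at acquisition time, and a later re-hash shows whether the original was touched. The host name, file name and responder label are constructed sample values.

```python
"""Chain-of-custody manifest for acquired evidence (added example)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional, Tuple


def sha256_file(path: Path) -> str:
    """Stream the file in 1 MiB chunks so multi-GB images do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who did what, when, plus hashes of acquired evidence."""

    def __init__(self, responder: str):
        self.responder = responder
        self.entries: List[dict] = []

    def record(self, action: str, evidence: Optional[Path] = None) -> dict:
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "who": self.responder, "action": action}
        if evidence is not None:                      # hash at acquisition time, never later
            entry["file"] = evidence.name
            entry["sha256"] = sha256_file(evidence)
        self.entries.append(entry)
        return entry

    def verify(self, evidence_dir: Path) -> List[str]:
        """Re-hash every recorded image; return the names whose hash no longer matches."""
        return [e["file"] for e in self.entries
                if "sha256" in e and sha256_file(evidence_dir / e["file"]) != e["sha256"]]

    def dump(self, path: Path) -> None:
        path.write_text(json.dumps(self.entries, indent=2))


def demo() -> Tuple[int, List[str]]:
    """Constructed run: acquire a fake memory image, log the actions, then detect a change."""
    with tempfile.TemporaryDirectory() as d:
        workdir = Path(d)
        img = workdir / "host01-mem.raw"                # constructed sample, not a real image
        img.write_bytes(b"\x00" * 4096 + b"constructed sample memory image")
        log = CustodyLog("responder-1")                 # constructed responder label
        log.record("isolated host01 from network (switch port disabled, host left running)")
        log.record("acquired volatile memory from host01", img)
        log.record("copied auth logs off host01 to evidence store")
        img.write_bytes(b"modified")                    # someone worked on the original
        log.dump(workdir / "custody.json")
        return len(log.entries), log.verify(workdir)
```

`verify()` returning a non-empty list means the image on disk is no longer the one that was acquired, which is exactly the finding that undermines a case later.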

Containment without destruction

You can contain without destroying evidence. Isolate a compromised host from the network instead of shutting it down. Disable a compromised account rather than deleting it. Block attacker infrastructure at the firewall while preserving the connection records. The goal is to cut the attacker's access while keeping the crime scene intact.

The single most common way organisations sabotage their own investigation is by treating containment and forensics as the same step. They are not. Contain the access; preserve the evidence.

Why the discipline pays off

Beyond understanding the attack, that preserved evidence determines whether you can meet regulatory notification duties accurately, support an insurance claim, or pursue legal action. An investigation built on properly handled evidence answers the questions that matter: what data was actually accessed, whether the attacker still has a foothold, and how to close the door for good.

If you take one thing from this: write a short, rehearsed checklist now, while calm, that puts evidence preservation before remediation. In the chaos of hour one, nobody invents good forensic discipline on the spot — they fall back to what was practised, or they improvise and lose the evidence.