How To Preserve Ransomware Evidence: A Step-By-Step Forensic Guide



Ransomware evidence preservation is the process of capturing and protecting digital artifacts from affected systems immediately after a ransomware attack. Because volatile evidence can disappear within minutes, forensic collection should begin as soon as the attack is detected. Organizations that follow a structured incident response process improve their chances of identifying the attack vector, supporting insurance claims, meeting regulatory obligations, and restoring access through available decryptors.
"Evidence preservation failures are one of the most consistent gaps we see after an incident, and one of the most preventable," says Magdy Abdelaziz, seasoned DFIR specialist with experience across SOC, offensive security, and incident response.
What evidence must you collect after a ransomware attack
Ransomware forensic investigations draw evidence from four artifact layers: memory, disk, network, and cloud. Each layer answers different investigative questions, and each has a distinct collection priority based on how quickly the evidence degrades or disappears.
Memory artifacts
Memory artifacts are the most time-sensitive class of evidence in any ransomware investigation. Acquire a RAM dump as the first technical action because encryption keys and attacker tooling often reside in memory.
- RAM dump acquired with a write-protected forensic acquisition tool
- Running process list and parent-child process relationships, which reveal the malware execution chain
- Active network connections, which may expose command-and-control server IP addresses
- Loaded drivers, which are critical for identifying BYOVD (Bring Your Own Vulnerable Driver) attacks, in which a vulnerable driver is loaded to disable endpoint detection tools before encryption begins
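The parent-child relationships in the list above are what an analyst actually reads to reconstruct the execution chain. The following is an added example, not Proven Data's tooling: it takes the (pid, ppid, name) rows you would export from a memory image or a live process listing, rebuilds the ancestry of a process of interest, and flags the common pattern of an Office application spawning a script host. The snapshot rows are constructed; the PIDs, the orphaned process, and the binary name update_svc.exe are invented for illustration.

```python
"""Reconstruct a process execution chain from a process-listing export.

Added example, not Proven Data's code. Input rows are (pid, ppid, name)
as exported from a memory image or live process listing. The sample
snapshot below is constructed: PIDs and the binary name are invented.
"""
from collections import defaultdict

# Constructed snapshot: a document opened from mail spawns a script host,
# which launches an unknown binary. One orphan (parent already exited).
SAMPLE_SNAPSHOT = [
    (4, 0, "System"),
    (612, 4, "smss.exe"),
    (900, 612, "winlogon.exe"),
    (1420, 900, "explorer.exe"),
    (2210, 1420, "outlook.exe"),
    (3015, 2210, "winword.exe"),
    (3302, 3015, "wscript.exe"),
    (3688, 3302, "update_svc.exe"),  # invented name: the binary under investigation
    (4100, 7777, "conhost.exe"),     # ppid 7777 is not in the snapshot: parent exited
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}


def index_snapshot(snapshot):
    """Build parent, children and name lookups keyed by pid."""
    parent_of, name_of = {}, {}
    children_of = defaultdict(list)
    for pid, ppid, name in snapshot:
        parent_of[pid] = ppid
        name_of[pid] = name
        children_of[ppid].append(pid)
    return parent_of, children_of, name_of


def execution_chain(snapshot, pid):
    """Ancestry of pid as a list of (pid, name), root first.

    Stops when the parent is missing from the snapshot (it exited before
    capture) or when a pid cycle appears, which happens with reused PIDs.
    """
    parent_of, _, name_of = index_snapshot(snapshot)
    chain, seen, cur = [], set(), pid
    while cur in name_of and cur not in seen:
        seen.add(cur)
        chain.append((cur, name_of[cur]))
        cur = parent_of[cur]
    chain.reverse()
    return chain


def format_chain(chain):
    """Render a chain as 'name(pid) > name(pid) > ...' for the report."""
    return " > ".join(f"{name}({pid})" for pid, name in chain)


def office_to_script_children(snapshot):
    """Pids of script hosts whose direct parent is an Office application."""
    parent_of, _, name_of = index_snapshot(snapshot)
    hits = []
    for pid, name in name_of.items():
        parent_name = name_of.get(parent_of.get(pid), "").lower()
        if name.lower() in SCRIPT_HOSTS and parent_name in OFFICE_APPS:
            hits.append(pid)
    return sorted(hits)


def descendants(snapshot, pid):
    """Every process spawned (directly or indirectly) under pid."""
    _, children_of, _ = index_snapshot(snapshot)
    out, stack = [], list(children_of.get(pid, []))
    while stack:
        cur = stack.pop()
        out.append(cur)
        stack.extend(children_of.get(cur, []))
    return sorted(out)


if __name__ == "__main__":
    for pid in office_to_script_children(SAMPLE_SNAPSHOT):
        print("flagged:", format_chain(execution_chain(SAMPLE_SNAPSHOT, pid)))
        print("spawned under it:", descendants(SAMPLE_SNAPSHOT, pid))
    print("orphan:", format_chain(execution_chain(SAMPLE_SNAPSHOT, 4100)))
```

The orphan case matters in practice: a chain that stops short of System does not mean the snapshot is corrupt, only that the parent exited before the memory image was taken, which is itself worth noting in the report.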
Disk artifacts
After volatile evidence is secured, create a forensically sound disk image using write-blocking hardware or software. Do not run any analysis tools directly on the original drive. Capture:
- Bit-for-bit forensic image of all affected volumes using FTK Imager, dcfldd, or equivalent tools
- Encrypted files and their file extensions, which identify the ransomware variant
- Ransom note file and its full directory path, including the naming scheme used by the attacker
- Malware binaries that are still present on disk
- Master File Table (MFT) records and Volume Shadow Copy Service status
Network artifacts
Network logs are time-sensitive and often have short default retention periods set by vendor configuration.
- Firewall logs, which capture egress traffic and may reveal data exfiltration activity
- VPN logs, which show initial access source IP addresses and session timestamps
- DNS query logs, which identify command-and-control domain lookups
- Proxy and web gateway logs, which may record the phishing delivery or malware download event
- EDR telemetry exports, if the EDR agent was not disabled before the ransomware detonated
Cloud and SaaS artifacts
According to Coveware's Q2 2025 Ransomware Market Report, 74% of ransomware cases in 2025 involved data exfiltration alongside encryption. Many exfiltration paths run through cloud environments before any on-premises encryption begins. Double-extortion tactics make cloud logs a critical part of modern ransomware investigations.
- Microsoft 365 Unified Audit Log (90-day default retention, covers user and admin activity)
- Entra ID (Azure AD) sign-in and audit logs (30-day default retention; export these immediately)
- Cloud storage access logs, which reveal data staging and exfiltration paths
- SaaS application consent records, which identify OAuth abuse and malicious app grants
- Cloud snapshot status before any restoration is attempted
Contact Proven Data's 24/7 emergency response team to assist with cloud evidence preservation before automatic log purges clear the record.
Documentation and ransom note details
Manual documentation runs in parallel with technical collection and requires no forensic tools. Capture:
- A photograph or copy of the ransom demand note
- The ransomware variant name, if known (Proven Data's free Ransomware ID tool can identify the variant from encrypted file extensions)
- File extension used on encrypted files
- Approximate date and time the attack was first observed
- All attacker-provided contact methods, communication channels, and cryptocurrency wallet addresses
- The ransom amount demanded
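The disk artifact list and the documentation list both ask for the same two facts from the file system: the full directory path of the ransom note and the extension appended to encrypted files. The following added example (not Proven Data's Ransomware ID tool or any of its code) walks a read-only mount of the forensic image, never the original drive, and collects both. The directory tree it builds under a temporary path is constructed for the demonstration; the ".locked" extension and the README_RESTORE.txt note name are invented stand-ins for whatever the real variant uses.

```python
"""Triage a mounted forensic image for ransom notes and the encryption extension.

Added example, not Proven Data's tooling. Point triage() at a read-only
mount of the disk image. The sample tree created by build_sample_tree()
is constructed; its extension and note name are invented.
"""
import tempfile
from collections import Counter
from pathlib import Path

# Name fragments and suffixes typical of ransom notes (heuristic, not exhaustive).
NOTE_HINTS = ("readme", "restore", "recover", "decrypt", "how_to", "howto")
NOTE_SUFFIXES = {".txt", ".html", ".hta"}


def build_sample_tree(root):
    """Create a constructed directory tree that mimics a partially encrypted host."""
    files = {
        "Users/alice/Documents/budget.xlsx.locked": b"\x00" * 64,
        "Users/alice/Documents/plan.docx.locked": b"\x00" * 64,
        "Users/alice/Pictures/team.jpg.locked": b"\x00" * 64,
        "Users/alice/Documents/README_RESTORE.txt": b"constructed ransom note text",
        "Users/alice/Desktop/README_RESTORE.txt": b"constructed ransom note text",
        "Users/alice/Documents/notes.txt": b"untouched file",
        "Windows/System32/notepad.exe": b"MZ",
    }
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def looks_like_note(path):
    """True for small text-like files whose name suggests a ransom note."""
    name = path.name.lower()
    return path.suffix.lower() in NOTE_SUFFIXES and any(h in name for h in NOTE_HINTS)


def triage(root):
    """Return the dominant appended extension, its file count, and every note path."""
    root = Path(root)
    outer_ext = Counter()
    notes = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if looks_like_note(path):
            notes.append(path.relative_to(root).as_posix())
            continue
        # An encrypted file usually keeps its original extension and gains one
        # more: "budget.xlsx.locked" -> suffixes [".xlsx", ".locked"]. Legitimate
        # double extensions (".tar.gz") are rare enough that the most common
        # outer suffix across the volume is the ransomware's.
        suffixes = path.suffixes
        if len(suffixes) >= 2:
            outer_ext[suffixes[-1].lower()] += 1
    dominant = outer_ext.most_common(1)[0][0] if outer_ext else None
    return {
        "encryption_extension": dominant,
        "encrypted_count": outer_ext[dominant] if dominant else 0,
        "ransom_notes": sorted(notes),
    }


def demo():
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as mount:
        build_sample_tree(mount)
        return triage(mount)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Record the returned note paths verbatim in the incident documentation; the naming scheme and the directories the note was dropped into are part of what identifies the variant.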
Why ransomware evidence preservation is critical for data recovery and legal outcomes
The value of forensic evidence extends far beyond the technical investigation. Properly preserved evidence directly affects insurance reimbursement, the scope of regulatory disclosure, law enforcement effectiveness, and the likelihood of maintaining recovery paths without ransom payment. Evidence gaps in any of these areas carry measurable consequences.
According to the 2025 State of Ransomware Report, ransomware incidents increased 49% in 2025. Organizations that navigate those incidents most effectively treat forensic collection as a first-hour priority.
Cyber insurance claims
Cyber insurers require documented proof of the incident scope, the attack vector, and the security controls in place at the time of the attack. Forensic evidence is what transforms an incident report into a compensable claim.
"We have seen insurance problems tied to technical gaps. Logs may have been retained for days when the investigation needed months. Backups may have existed but were never tested," says Abdelaziz. A forensic report helps close those gaps or, at minimum, demonstrates that your organization followed a documented response protocol from the first moment of detection.
Law enforcement reporting and attribution
A complete forensic investigation produces the evidence package the FBI's Internet Crime Complaint Center (IC3) requires: IP addresses, cryptocurrency wallet identifiers, attacker email addresses, and attack vector details. Indicators of compromise from your case are shared through public alerts that help the broader security community defend against the same threat actor.
Ransomware decryption and file recovery
Forensic preservation creates recovery options that do not otherwise exist. Memory analysis can sometimes identify encryption keys that the ransomware loaded into RAM before completing execution.
Law enforcement operations have also yielded decryption keys for active variants: Operation Cronos in 2024 resulted in the FBI obtaining over 7,000 LockBit decryption keys.
According to a 2024 Ransomware Trends Report, only 32% of organizations that paid a ransom recovered their data fully. Organizations that preserve forensic images and encrypted file samples maintain the possibility of future decryption. Once backups overwrite the original encrypted files, that recovery path may be lost permanently.
Regulatory disclosure obligations
Under HIPAA rules, a ransomware attack is presumed to be a data breach unless the organization can demonstrate a low probability of PHI compromise. The forensic report is the primary mechanism for making that demonstration. The scope of the required notification is defined by what the forensic investigation can confirm or rule out. Forensic evidence narrows the notification obligation; its absence typically expands it.
What to do in the first 15 minutes of a ransomware incident
The first 15 minutes after detecting ransomware are the most forensically critical window in the entire investigation. Most volatile evidence either survives this window or is lost permanently. The wrong action taken in these minutes cannot be undone, even by the most experienced forensic team.
1. Do not shut down the affected device
When ransomware is active, volatile memory holds data that exists nowhere else: running malware processes, encryption keys loaded by the ransomware binary, injected shellcode, and active attacker sessions. Power should remain on until a forensic professional confirms that memory acquisition is complete.
2. Disconnect the affected device from the network
Isolate the affected device immediately to stop lateral movement and further encryption. Disconnect the Ethernet cable, disable Wi-Fi, and remove any connected USB drives or external storage.
Physical disconnection is faster and more reliable than disabling network adapters via the operating system.
For servers, follow your team's playbook on isolating ransomware-infected servers without disrupting concurrent forensic acquisition.
3. Capture volatile memory before forensic imaging
RAM acquisition is the first technical step after physical isolation. Tools such as WinPmem, Magnet RAM Capture, or FTK Imager can acquire a forensic memory image while the system remains powered on.
This capture preserves injected code, active attacker sessions, and running malware processes that would otherwise be unrecoverable once the machine is powered down.
What destroys ransomware evidence
Evidence contamination is preventable. These mistakes occur in the first hours of an incident, when pressure to restore operations pushes teams toward actions that compromise the forensic record before collection is complete.
The common thread across all four is that recovery speed is prioritized over evidence integrity. The cost of that tradeoff is usually measured later, during the insurance claim or the regulatory investigation.
Rebooting or shutting down affected systems
Do not power off any affected system until forensic memory acquisition is complete. Rebooting clears RAM and destroys the encryption keys, active process data, and attacker credentials that forensic analysis depends on. A short delay to capture RAM preserves evidence that no subsequent analysis can reconstruct. Speed in the wrong direction costs more time in the end.
Running antivirus or EDR remediation before imaging
Antivirus and EDR tools delete or quarantine malware samples as part of their normal remediation function. Running remediation before forensic imaging removes the malware artifacts, execution traces, and ransom note variants that the investigation depends on to identify the ransomware family and reconstruct the attack chain.
Restoring from backups before forensic analysis is complete
Backup restoration overwrites encrypted files and eliminates the on-disk evidence layer. Organizations that restore before analysis lose their only copies of the encrypted files, malware artifacts, and MFT timestamps that show which files were accessed and when.
If a decryptor becomes available after the fact, those files are unrecoverable. Forensic imaging preserves the original disk state; restoration can proceed in parallel on clean replacement systems.
Failing to capture cloud and network logs quickly
Microsoft 365 Unified Audit Logs default to 90 days of retention, whereas Entra ID sign-in logs default to 30 days. Firewall and VPN logs vary by vendor and may roll over in hours.
Assign a dedicated team member to cloud and network log export as a parallel task alongside physical endpoint isolation, starting in the first 15 minutes. This evidence cannot be reconstructed once it is gone.
Chain of custody: how forensic evidence becomes admissible
Chain of custody is the documented record of every person who handled a piece of evidence, when they handled it, how it was stored, and whether it was altered. Courts, insurers, and regulatory bodies require an unbroken chain of custody to accept forensic evidence as valid in any formal proceeding.
For each artifact collected, document:
- Who collected it, including credentials and organizational role
- Date, time, and physical location of collection
- Collection method and tools used, including software version numbers
- The cryptographic hash (MD5 or SHA-256) of each image or file at the time of acquisition
- Where the evidence is stored and what access controls protect it
- Every individual who subsequently accessed the evidence and why
A forensic image is only legally defensible if you can prove it has not been altered since acquisition. Record the hash immediately after capture and verify it against the original before any analysis begins. Any discrepancy invalidates the image for legal purposes.
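The custody record described above is simple to keep mechanically. The following added example (not Proven Data's procedure or software) hashes an image at acquisition, writes a chain-of-custody entry with the collector, tool, location and storage details, appends later access events, and re-verifies the hash before analysis. It uses SHA-256; the image file, log path, collector name and tool version string are constructed placeholders.

```python
"""Hash evidence at acquisition, log chain of custody, and re-verify before analysis.

Added example, not Proven Data's procedure. The image file, the log path
and all collector details in demo() are constructed placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so multi-terabyte images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _append(log_path, entry):
    """One JSON object per line; the log is append-only by convention."""
    entry["timestamp_utc"] = datetime.now(timezone.utc).isoformat()
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def record_acquisition(log_path, evidence_path, collector, role, tool, location, storage):
    """Write the acquisition entry: who, when, how, where, and the hash."""
    return _append(log_path, {
        "event": "acquisition",
        "evidence": str(evidence_path),
        "size_bytes": os.path.getsize(evidence_path),
        "sha256": sha256_file(evidence_path),
        "collected_by": collector,
        "role": role,
        "tool": tool,
        "location": location,
        "storage": storage,
    })


def record_access(log_path, evidence_path, person, reason):
    """Write an entry for every later person who touches the evidence."""
    return _append(log_path, {
        "event": "access",
        "evidence": str(evidence_path),
        "person": person,
        "reason": reason,
    })


def verify_evidence(log_path, evidence_path):
    """Compare the current hash with the acquisition hash.

    Returns (intact, recorded_hash, current_hash). intact is False when the
    hashes differ or when no acquisition entry exists for this evidence.
    """
    recorded = None
    with open(log_path, encoding="utf-8") as f:
        for line in f:
            entry = json.loads(line)
            if entry["event"] == "acquisition" and entry["evidence"] == str(evidence_path):
                recorded = entry["sha256"]
                break
    current = sha256_file(evidence_path)
    return (recorded is not None and recorded == current, recorded, current)


def demo():
    """Acquire, verify, then tamper with a constructed image to show detection."""
    with tempfile.TemporaryDirectory() as d:
        image = Path(d) / "host01-disk.dd"          # constructed evidence file
        log = Path(d) / "chain_of_custody.jsonl"
        image.write_bytes(os.urandom(4096))
        record_acquisition(log, image, "J. Analyst (placeholder)", "DFIR lead",
                           "dcfldd <version placeholder>", "Server room 2 (placeholder)",
                           "Evidence locker, sealed bag 17 (placeholder)")
        intact_before, _, _ = verify_evidence(log, image)
        record_access(log, image, "R. Reviewer (placeholder)", "hash check before analysis")
        with open(image, "ab") as f:          # simulate an alteration after acquisition
            f.write(b"\x00")
        intact_after, _, _ = verify_evidence(log, image)
        entries = sum(1 for _ in open(log, encoding="utf-8"))
        return {"intact_at_acquisition": intact_before,
                "intact_after_tamper": intact_after, "log_entries": entries}


if __name__ == "__main__":
    print(demo())
```

Keep the log on separate, access-controlled storage from the image itself, and verify the recorded hash every time the image changes hands; a single byte of change, as demo() shows, is enough to invalidate the image.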
How Proven Data helps with ransomware forensic investigations
When internal teams lack forensic tooling or incident response resources, external DFIR specialists can help preserve evidence while reducing operational disruption.
Proven Data's DFIR team has handled thousands of cyber incidents, and every engagement begins with evidence preservation before any containment or recovery action is taken.
For organizations experiencing active incidents, Proven Data's ransomware recovery process includes forensically sound imaging, chain-of-custody documentation, and a final forensic report to support insurance claims, regulatory notifications, and law enforcement filings.