The first hours after an incident is detected determine whether you'll be able to establish its course and scope. Unfortunately, that's exactly when the most mistakes are made — often with good intentions.

What NOT to do

  • Don't shut down or restart the affected machine hastily — volatile memory (RAM) may hold key evidence that disappears once power is cut.
  • Don't “clean” the system or delete suspicious files. You're destroying the traces that would let you understand the attack.
  • Don't install new tools on the affected machine — every change overwrites data and reduces the credibility of the analysis.
  • Don't routinely log in to accounts that may have been compromised — you could warn the attacker or erase traces.
  • Don't communicate incident details over channels that may be under the attacker's control.

What to do instead

  • Isolate affected systems from the network but, where possible, leave them running until the evidence on them has been secured.
  • Secure the logs — from e-mail, servers, firewalls and workstations, before they're overwritten.
  • Document every step taken and the time — it's part of the chain of custody.
  • Contact a digital-forensics specialist before you start restoring data.

Restoring operations and securing evidence are two different goals. They can be reconciled — but only if you take care of the evidence before you start “fixing”.
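The "secure the logs" and "document every step and the time" items above are, in practice, one routine: copy each log to a collection area, hash it, and record who collected it and when, so that later anyone can prove the copy is unchanged. The script below is an added example written for this article, not tooling from its author; it assumes logs have already been copied off the affected machine to a responder's workstation (so nothing is installed on the compromised host), and all paths, the handler name and the log lines are constructed sample data.

```python
"""Evidence-preservation helper: hash collected log files and keep a chain-of-custody manifest.

Added example, not part of the original article. It assumes the responder has
copied logs off the affected host into a collection directory; the paths,
handler name and log content below are constructed sample data.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large logs never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_evidence(sources, dest_dir: Path, handler: str) -> dict:
    """Copy each source file into dest_dir, hash source and copy, and write a manifest.

    Each manifest entry records the original path, the stored path, the digest,
    the UTC collection time and the handler: the minimum a chain-of-custody
    record needs so the item can be verified and attributed later.
    """
    dest_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, sources):
        data = src.read_bytes()
        digest_src = hashlib.sha256(data).hexdigest()
        stored = dest_dir / src.name
        stored.write_bytes(data)
        digest_copy = sha256_file(stored)
        # A copy whose digest differs from the source is not evidence; stop here.
        if digest_src != digest_copy:
            raise RuntimeError(f"copy of {src} does not match source digest")
        entries.append({
            "original_path": str(src),
            "stored_path": str(stored),
            "sha256": digest_copy,
            "size_bytes": len(data),
            "collected_at_utc": datetime.now(timezone.utc).isoformat(),
            "collected_by": handler,
        })
    manifest = {"handler": handler, "items": entries}
    (dest_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(dest_dir: Path) -> list:
    """Re-hash every stored item; return the stored paths whose digest no longer matches."""
    manifest = json.loads((dest_dir / "manifest.json").read_text())
    return [
        item["stored_path"]
        for item in manifest["items"]
        if sha256_file(Path(item["stored_path"])) != item["sha256"]
    ]


def demo() -> tuple:
    """Create constructed sample logs, collect them, verify, then alter one copy and re-verify."""
    work = Path(tempfile.mkdtemp())
    logs = work / "logs"
    logs.mkdir()
    # Constructed sample log lines; addresses are documentation ranges, not real hosts.
    (logs / "auth.log").write_text(
        "Jan 12 03:14:07 host sshd[812]: Accepted publickey for admin from 203.0.113.9 port 51522\n"
    )
    (logs / "fw.log").write_text(
        "2024-01-12T03:15:00Z DROP src=203.0.113.9 dst=10.0.0.5 dport=445\n"
    )
    evidence = work / "evidence"
    collect_evidence([logs / "auth.log", logs / "fw.log"], evidence, handler="responder-1")
    clean = verify_manifest(evidence)
    # Simulate the mistake the article warns about: "cleaning" a file after collection.
    (evidence / "auth.log").write_text("")
    tampered = verify_manifest(evidence)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as its own integrity, so in a real engagement the responder would also record the manifest's digest in a separate place (a ticket, a signed e-mail outside the affected mail system, or a printed log), consistent with the article's point about not communicating over channels the attacker may control.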

Why it matters

Well-secured material lets you establish the root cause, assess the scope of the data leak and — if necessary — prepare an expert report for proceedings. Rash actions can close that path for good.

If you're unsure how to act after an incident — call before you take irreversible steps. A consultation takes a moment, and it can save the whole investigation.