First 60 Minutes

Incident Response Checklist: What to Do in the First 60 Minutes

Since 2006. CISSP, ISSAP and ISSMP certified. Immediate incident response from investigators who have handled hundreds of breaches.

The first 60 minutes of a cyber incident determine the outcome. This step-by-step checklist covers detection and triage (minutes 0-5), containment (5-15), notification (15-30), evidence collection (30-60) and the transition to investigation. Built by CISSP-ISSAP certified incident responders with 20+ years of breach experience.

Step 1

Minute 0-5: Detection and Triage

Something triggered the alarm. Before mobilizing your entire organization, confirm you are dealing with a real incident and not a misconfigured alert or a scheduled penetration test. False positives burn credibility and exhaust your team. Spend the first five minutes verifying before you escalate.

  • Confirm the incident is real. Correlate the alert with at least one additional data source. A single SIEM alert is not enough. Check firewall logs, endpoint detection, authentication logs or network flow data. Rule out false positives, scheduled maintenance and authorized penetration testing before escalating.
  • Classify severity. P1: active data exfiltration or ransomware deployment in progress. P2: confirmed compromise with no active exfiltration detected yet. P3: suspicious activity that remains unconfirmed. Severity determines who you call and how fast you move through the rest of this checklist.
  • Start the incident log. Open a dedicated document or ticketing system entry. Record the date, time (UTC), alert source, initial observations and every action taken from this point forward. This log becomes a legal record. Sloppy documentation undermines forensic findings in court and regulatory proceedings.
  • Assign an incident commander. One person owns this incident. They make containment decisions, authorize communications and coordinate all responding teams. Without a single decision-maker, conflicting actions destroy evidence and delay containment. The incident commander does not need to be the most senior person in the room. They need to be the most experienced responder available.

For incident prioritization factors (functional impact, information impact and recoverability effort), refer to NIST SP 800-61 Rev 2: Computer Security Incident Handling Guide; Rev 3, published in 2025, supersedes it. The P1/P2/P3 scheme above is a deliberate simplification of that guidance so that it can be applied in minutes.
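The correlation step above, worked through in code as an added example (this is not Sherlock Forensics tooling): a SIEM alert is checked against two independent sources, authentication events and firewall egress, inside a short window after the alert, an alert whose source address is in the authorized pentest scope is closed rather than escalated, and the result is mapped onto the checklist's P1/P2/P3 classes. Every log line is constructed for illustration; the field layout, the host-to-IP map, the pentest source list, the 15-minute window and the egress threshold are assumptions to replace with your own data.

```python
"""Alert triage: corroborate a SIEM alert against a second data source and
assign the checklist's severity class (P1, P2 or P3).

Added example, not Sherlock Forensics tooling. All log lines are constructed;
HOST_IP, PENTEST_SOURCES, WINDOW and EXFIL_THRESHOLD are assumptions.
"""
from __future__ import annotations

from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)          # look for corroboration this long after the alert
EXFIL_THRESHOLD = 1_000_000_000         # bytes out of one host in the window (assumed)
PENTEST_SOURCES = {"203.0.113.10"}      # from the authorized engagement scope (assumed)
HOST_IP = {"FIN-WS-17": "10.20.5.17", "HR-WS-03": "10.20.7.3", "DEV-WS-09": "10.20.8.9"}

# Constructed SIEM alerts, all timestamps UTC.
SIEM_ALERTS = [
    {"ts": "2024-03-08T02:14:00Z", "host": "FIN-WS-17", "user": "jdoe",
     "rule": "EDR: LSASS memory read by procdump.exe"},
    {"ts": "2024-03-08T02:40:00Z", "host": "HR-WS-03", "user": "asmith",
     "rule": "IDS: port scan", "src_ip": "203.0.113.10"},
    {"ts": "2024-03-08T02:50:00Z", "host": "HR-WS-03", "user": "asmith",
     "rule": "SIEM: logon outside business hours"},
    {"ts": "2024-03-08T04:00:00Z", "host": "DEV-WS-09", "user": "mlee",
     "rule": "EDR: suspicious PowerShell download cradle"},
]
# Constructed corroborating sources: firewall egress records and Windows logon events.
FIREWALL = [
    "2024-03-08T02:16:30Z src=10.20.5.17 dst=198.51.100.23 dport=443 bytes_out=4800000000 action=allow",
    "2024-03-08T02:17:05Z src=10.20.5.17 dst=198.51.100.23 dport=443 bytes_out=3900000000 action=allow",
    "2024-03-08T03:10:00Z src=10.20.7.3 dst=192.0.2.8 dport=443 bytes_out=12000 action=allow",
]
AUTH = [
    "2024-03-08T02:15:10Z host=FIN-WS-17 user=jdoe event=4624 logon_type=10 src=10.20.9.44",
    "2024-03-08T04:03:20Z host=DEV-WS-09 user=mlee event=4624 logon_type=3 src=10.20.5.17",
]


def parse_ts(s: str) -> datetime:
    # Exporters often emit a trailing "Z"; normalise it so older interpreters parse it too.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_kv(line: str) -> dict:
    """'<iso-ts> k=v k=v ...' into a dict with a tz-aware 'ts'."""
    stamp, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = parse_ts(stamp)
    return fields


def in_window(t: datetime, anchor: datetime) -> bool:
    return anchor <= t <= anchor + WINDOW


def corroborate(alert: dict) -> dict:
    """Evidence from sources other than the one that raised the alert."""
    t0 = parse_ts(alert["ts"])
    auth_hits = [e for e in map(parse_kv, AUTH)
                 if e["host"] == alert["host"] and in_window(e["ts"], t0)]
    ip = HOST_IP.get(alert["host"])
    egress = [e for e in map(parse_kv, FIREWALL)
              if e["src"] == ip and in_window(e["ts"], t0)]
    return {"auth": auth_hits, "egress": egress,
            "bytes_out": sum(int(e["bytes_out"]) for e in egress)}


def classify(alert: dict) -> tuple[str, list[str]]:
    """Severity per the checklist: P1 exfiltration in progress, P2 corroborated compromise,
    P3 unconfirmed single-source alert; authorized testing is closed, not escalated."""
    if alert.get("src_ip") in PENTEST_SOURCES:
        return "NOT AN INCIDENT", [f"source {alert['src_ip']} is in the authorized pentest scope"]
    ev = corroborate(alert)
    reasons = []
    if ev["auth"]:
        reasons.append(f"{len(ev['auth'])} logon event(s) on {alert['host']} within {WINDOW}")
    if ev["egress"]:
        dests = sorted({e["dst"] for e in ev["egress"]})
        reasons.append(f"{ev['bytes_out']:,} bytes egress to {dests} within {WINDOW}")
    if ev["bytes_out"] >= EXFIL_THRESHOLD:
        return "P1", reasons + ["egress volume consistent with active exfiltration"]
    if reasons:
        return "P2", reasons + ["compromise corroborated by a second source, no exfiltration seen yet"]
    return "P3", ["single-source alert, no corroboration; keep verifying before escalating"]


if __name__ == "__main__":
    for a in SIEM_ALERTS:
        sev, why = classify(a)
        print(f"{a['ts']} {a['host']:10} {sev:16} {a['rule']}")
        for r in why:
            print(f"    - {r}")
```

The window is anchored at the alert time and runs forward only; widen it, or look backward as well, when the alerting source is known to lag (cloud audit logs commonly arrive minutes late).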

Step 2

Minute 5-15: Containment

Containment is the most time-sensitive phase. Every minute an attacker maintains network access is another minute they can exfiltrate data, move laterally or deploy ransomware. Act fast but act deliberately. Rash containment decisions destroy evidence that you will need later.

  • Isolate affected systems from the network. Unplug Ethernet cables. Disable Wi-Fi adapters. Place the machine on an isolated VLAN if remote, or use your EDR platform's host isolation feature, which blocks all traffic except the agent's own management channel so you can still capture memory and collect artifacts remotely. Do NOT power off the system. Volatile memory contains active network connections, running processes, loaded malware and encryption keys that are lost permanently the moment you cut power.
  • Block malicious IPs and domains at the firewall. If your SIEM or EDR identified command-and-control infrastructure, block those indicators immediately at the perimeter firewall and DNS resolver. This severs the attacker's communication channel even if you have not yet isolated every compromised endpoint.
  • Disable compromised user accounts. If the attacker gained access through a specific user credential, disable that account in Active Directory or your identity provider immediately. Do not just reset the password. Disable the account entirely and revoke all active sessions, refresh tokens and API tokens in the identity provider. Kerberos tickets already issued stay valid until they expire (10 hours by default for a ticket-granting ticket) and a password reset does not recall them, which is one more reason to isolate the endpoints the attacker is operating from rather than relying on the account change alone.
  • Revoke exposed API keys and tokens. If the compromise involves cloud services, SaaS applications or CI/CD pipelines, rotate every API key, access token and service account credential that the attacker may have accessed. Assume any credential stored on a compromised system is burned.
  • Preserve evidence. Do NOT reimage any system. Do NOT wipe any drive. Do NOT launch antivirus or anti-malware scans or EDR remediation actions (an agent that is already running can keep running; do not start new scans). These actions modify timestamps, quarantine or delete the malware specimen you need to analyze, overwrite deleted files and alter the forensic state of the machine. The urge to "clean up" is strong. Resist it. You cannot investigate what you have already destroyed.

MITRE ATT&CK is a knowledge base of attacker techniques rather than a containment framework, but mapping what you have observed onto its techniques tells you what the attacker's likely next step is and therefore which containment action matters first. Credential dumping observed on one host, for example, means every account that has logged on to that host is suspect and should be treated as compromised.

Step 3

Minute 15-30: Notification

Notification is a legal obligation, not a courtesy. Delayed notification to your insurance carrier can void coverage. Late regulatory reporting triggers fines. Failing to engage forensic investigators early means evidence degrades before anyone qualified examines it. Make these calls now.

  • Internal notification. CISO, legal counsel, executive team and IT operations. Use phone calls or an out-of-band messaging platform. Do NOT use corporate email if the breach may have compromised your email system. Assume the attacker is reading your email until proven otherwise.
  • Cyber insurance carrier. Check your policy SLA immediately. Many cyber insurance policies require notification within 24 to 72 hours of incident discovery. Some policies require you to use their approved forensic vendors. Missing the notification window or using an unapproved vendor can result in denied claims worth hundreds of thousands of dollars.
  • Regulatory notification assessment. PIPEDA requires organizations to report a breach to the Office of the Privacy Commissioner of Canada and notify affected individuals as soon as feasible after determining that the breach creates a real risk of significant harm; the statute sets no fixed number of hours. GDPR Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of the breach, where feasible, and Article 34 requires notifying data subjects without undue delay when the risk to them is high. U.S. state breach notification laws vary by jurisdiction. Your legal counsel must assess which notification obligations apply based on where your data subjects reside.
  • Engage a forensic investigator. Call Sherlock Forensics at 604.229.1994 for immediate incident response. External forensic investigators bring independence, specialized tools and courtroom experience that internal IT teams do not have. Early engagement means better evidence preservation and faster root cause identification.

For Canadian breach notification requirements, refer to the Office of the Privacy Commissioner of Canada guidance on responding to privacy breaches. See also our PIPEDA breach notification guide.

Step 4

Minute 30-60: Evidence Collection

Evidence collection is where most organizations fail. IT teams rush to restore services and inadvertently destroy the forensic evidence needed to understand what happened, determine what data was exposed and build a legal case. Follow this sequence exactly. Order matters.

  • Forensic imaging of affected systems. Create bit-for-bit forensic images of all affected drives using write-blocked acquisition, and record the hash of the source and of the image in the incident log. Use the Sherlock Forensics Disk Imager for SHA-256 verified forensic images that are court-admissible. Never examine the original drive directly. Work from the forensic copy. If the disk is protected by full-disk encryption such as BitLocker, capture the recovery key or image the unlocked logical volume while the system is still running; a dead image of an encrypted disk is unreadable without the key.
  • Volatile memory capture. Capture RAM from every affected system before any reboot. Volatile memory contains running processes, active network connections, loaded DLLs, encryption keys, clipboard contents and malware that exists only in memory. Once the machine reboots or loses power, this evidence is gone permanently. Memory capture must happen before disk imaging. Write the capture to removable or network storage, never to the evidence disk, and note the tool name and version in the incident log.
  • Log preservation. Export and preserve logs from every relevant source: SIEM aggregated logs, firewall connection logs, DNS query logs, web proxy logs, authentication and Active Directory logs, VPN connection logs and endpoint detection logs. Copy these to write-protected storage immediately and hash each export. Check retention on every source now: SIEM tiers and cloud audit logs often keep only days or weeks, and a log that rolls over during the investigation is gone. Attackers frequently target log infrastructure to cover their tracks.
  • Chain of custody documentation. Every piece of evidence needs a documented chain of custody from the moment it is collected. Record who collected it, when, from which system, using which tool, where it is stored and who has accessed it since collection. Use our chain of custody tools for forensic-grade documentation that holds up in court and regulatory proceedings.
  • Network traffic capture. If the attack is ongoing, deploy packet capture on network segments where attacker activity has been observed. Full packet capture provides definitive proof of data exfiltration, command-and-control communication and lateral movement. Most exfiltration is encrypted in transit, so what the capture proves is the destination, timing and volume of the transfer; pair it with staging artifacts on the host (archives, compression tool execution, cloud storage client activity) to show what was taken. This is the evidence that answers the question regulators and insurers care about most: what data left the network.
  • Screenshot indicators of compromise. Photograph or screenshot any visible indicators of compromise on affected screens: ransom notes, unusual processes in task manager, suspicious command windows, error messages or anomalous login screens. These screenshots provide immediate visual context that supplements the technical forensic evidence.
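The hashing and chain-of-custody steps above, as an added example in code (this is not the Sherlock Forensics chain-of-custody tooling): an acquired artifact is hashed in chunks at intake, the first custody entry records who, when in UTC, from which system, with which tool and where it is stored, and every later hand-off recomputes the hash and records the outcome, including a failed verification, so that a break in integrity is visible in the record rather than silently dropped. The evidence bytes, people and hosts are constructed, and the JSON manifest layout is an assumption, not a standard format.

```python
"""Evidence intake and chain of custody: hash an acquired artefact, write the
first custody entry, then re-verify the hash at every hand-off.

Added example, not Sherlock Forensics tooling. Evidence bytes, names and hosts
are constructed; the manifest layout is an assumption.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-GB image never has to fit in RAM


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def utc_now() -> str:
    # The checklist logs everything in UTC; tz-aware so the offset is explicit in the record.
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def intake(path: Path, manifest: Path, *, evidence_id: str, source_host: str,
           collector: str, tool: str, storage: str) -> dict:
    """First custody entry for a freshly acquired artefact: who, when, from where, with what, stored where."""
    entry = {
        "evidence_id": evidence_id,
        "file": path.name,
        "size_bytes": path.stat().st_size,
        "sha256": sha256_file(path),      # acquisition hash; every later check is against this value
        "source_host": source_host,
        "tool": tool,
        "storage": storage,
        "custody": [{"action": "acquired", "by": collector, "at": utc_now(), "sha256_verified": True}],
    }
    manifest.write_text(json.dumps(entry, indent=2))
    return entry


def hand_off(path: Path, manifest: Path, *, giver: str, receiver: str) -> bool:
    """Append a custody hop. The hash is recomputed and the result recorded whether or not it
    matches; the caller gets False on a mismatch and must treat the artefact as compromised."""
    entry = json.loads(manifest.read_text())
    observed = sha256_file(path)
    ok = observed == entry["sha256"]
    entry["custody"].append({"action": "transferred", "from": giver, "to": receiver,
                             "at": utc_now(), "sha256_verified": ok, "observed_sha256": observed})
    manifest.write_text(json.dumps(entry, indent=2))
    return ok


def demo() -> dict:
    """Intake, one clean hand-off, then a hand-off after the artefact was altered."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "FIN-WS-17_mem.raw"
        manifest = Path(tmp) / "FIN-WS-17_mem.manifest.json"
        image.write_bytes(b"CONSTRUCTED MEMORY IMAGE " * 4096)   # stand-in for a real capture
        entry = intake(image, manifest, evidence_id="IR-2024-0308-001", source_host="FIN-WS-17",
                       collector="A. Responder", tool="memory capture tool vX.Y (assumed)",
                       storage="evidence safe, drive E-17")
        clean = hand_off(image, manifest, giver="A. Responder", receiver="B. Examiner")
        with image.open("ab") as f:
            f.write(b"\x00")       # simulate an accidental modification after acquisition
        tampered = hand_off(image, manifest, giver="B. Examiner", receiver="C. Counsel")
        final = json.loads(manifest.read_text())
    return {"sha256": entry["sha256"], "clean_handoff_ok": clean,
            "tampered_handoff_ok": tampered, "custody_hops": len(final["custody"])}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest itself is evidence: store it alongside the artifact on write-protected media and keep a second copy with the incident log, so the acquisition hash cannot be edited to match an altered image.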

Step 5

After 60 Minutes: Investigation Phase

The first 60 minutes are about stopping the bleeding and preserving evidence. Now the investigation begins. This phase determines the full scope of compromise, identifies the attack vector, quantifies data exposure and produces the findings that drive regulatory response, insurance claims and potential legal action.

  • Timeline reconstruction. Correlate events across all log sources to build a unified timeline of attacker activity. When did they gain initial access? How did they escalate privileges? Which systems did they touch? When did exfiltration begin? The timeline is the backbone of every forensic report.
  • Browser forensics on affected workstations. Examine browser history, cached pages, downloaded files, stored credentials and session data using the Sherlock Forensics Browser Viewer. Browser artifacts frequently reveal the initial infection vector, especially in phishing and watering hole attacks.
  • Email analysis. If phishing was the suspected entry vector, analyze the malicious email including headers, embedded links, attachments and metadata using the Sherlock Forensics PST Viewer. Identify every recipient who received the phishing email. Determine who clicked. Determine who entered credentials.
  • Malware analysis and reverse engineering. Isolate any malware found on compromised systems and analyze it in a sandboxed environment. Identify its capabilities: does it exfiltrate data, establish persistence, move laterally, encrypt files or destroy evidence? Malware analysis reveals the attacker's objectives and helps predict their next move.
  • Lateral movement assessment. Determine every system the attacker accessed after initial compromise. Check authentication logs for credential reuse (Security event 4624 with logon type 3 for network and type 10 for RDP, and 4648 for explicit-credential logons), RDP session logs (TerminalServices-LocalSessionManager/Operational events 21 and 25), SMB connections, PowerShell remoting and script block logs (Microsoft-Windows-PowerShell/Operational event 4104) and WMI activity (Microsoft-Windows-WMI-Activity/Operational). Each system the attacker touched is a system that needs forensic examination.
  • Data exfiltration determination. The question that matters most: did data leave the network, and if so, what data? Analyze network flow data, DNS query volumes, outbound connection logs and any packet captures to determine whether the attacker successfully exfiltrated sensitive information. This finding drives your regulatory notification obligations.
  • Root cause analysis. Identify the vulnerability or weakness that enabled initial access. Unpatched software, weak credentials, misconfigured cloud services, phishing susceptibility or insider threat. The root cause must be remediated before systems are restored to production, or the attacker will return through the same door.
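Timeline reconstruction and the lateral movement assessment above, as an added example in code (this is not Sherlock Forensics tooling): four constructed exports, a domain controller Security log written in local Pacific time, a firewall syslog in UTC with no year, a VPN appliance logging epoch seconds, and EDR JSON with ISO 8601 timestamps, are normalised into one UTC-ordered timeline, and network and RDP logons are then grouped by user and source address to flag one credential reaching several hosts inside a sliding window. The log lines, source formats, the export time zone, the syslog year and the 30-minute window are all assumptions.

```python
"""Timeline reconstruction and lateral-movement assessment across log sources with
different timestamp formats and time zones.

Added example, not Sherlock Forensics tooling. All log lines are constructed;
DC_TZ, SYSLOG_YEAR and WINDOW are assumptions taken from the (constructed) incident.
"""
from __future__ import annotations

import json
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

try:
    DC_TZ = ZoneInfo("America/Vancouver")     # DST-aware, the right choice for a real export
except ZoneInfoNotFoundError:
    DC_TZ = timezone(timedelta(hours=-8))      # PST fallback if no tz database is installed
SYSLOG_YEAR = 2024                             # syslog carries no year; taken from the incident date
WINDOW = timedelta(minutes=30)

# Constructed exports. Security log from the DC in local Pacific time; firewall syslog in UTC
# without a year; VPN appliance in epoch seconds; EDR as JSON with ISO 8601 UTC timestamps.
SECURITY = [
    "2024-03-07 18:15:10 EventID=4624 LogonType=10 User=jdoe Workstation=FIN-WS-17 Src=10.20.9.44",
    "2024-03-07 18:22:41 EventID=4624 LogonType=3 User=jdoe Workstation=FILE-SRV-01 Src=10.20.5.17",
    "2024-03-07 18:25:03 EventID=4624 LogonType=3 User=jdoe Workstation=SQL-01 Src=10.20.5.17",
    "2024-03-07 18:31:55 EventID=4624 LogonType=3 User=jdoe Workstation=BACKUP-01 Src=10.20.5.17",
]
FIREWALL = ["Mar  8 02:16:30 fw01 egress src=10.20.5.17 dst=198.51.100.23 dport=443 bytes=4800000000"]
VPN = ["1709863500 vpn login user=jdoe peer=203.0.113.55"]
EDR = ['{"ts": "2024-03-08T02:18:00Z", "host": "FIN-WS-17", "event": "LSASS memory read by procdump.exe"}']


@dataclass(order=True)
class Event:
    ts: datetime            # always tz-aware UTC so events from different sources order correctly
    source: str
    host: str
    user: str
    detail: str
    fields: dict = field(default_factory=dict, compare=False)


def kv(text: str) -> dict:
    return dict(p.split("=", 1) for p in text.split() if "=" in p)


def parse_security(line: str) -> Event:
    local = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=DC_TZ)
    f = kv(line[20:])
    return Event(local.astimezone(timezone.utc), "security", f["Workstation"], f["User"],
                 f"logon {f['EventID']} type {f['LogonType']} from {f['Src']}", f)


def parse_firewall(line: str) -> Event:
    m = re.match(r"(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)", line)
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR, tzinfo=timezone.utc)
    f = kv(m.group(3))
    return Event(ts, "firewall", m.group(2), "", f"{f['bytes']} bytes {f['src']} -> {f['dst']}:{f['dport']}", f)


def parse_vpn(line: str) -> Event:
    epoch, rest = line.split(" ", 1)
    f = kv(rest)
    return Event(datetime.fromtimestamp(int(epoch), tz=timezone.utc), "vpn", "vpn", f["user"],
                 f"VPN login from {f['peer']}", f)


def parse_edr(line: str) -> Event:
    r = json.loads(line)
    return Event(datetime.fromisoformat(r["ts"].replace("Z", "+00:00")), "edr", r["host"], "", r["event"], r)


def build_timeline() -> list[Event]:
    events = [*map(parse_security, SECURITY), *map(parse_firewall, FIREWALL),
              *map(parse_vpn, VPN), *map(parse_edr, EDR)]
    return sorted(events)


def lateral_movement(events: list[Event], window: timedelta = WINDOW, min_hosts: int = 2) -> dict:
    """Group network (type 3) and RDP (type 10) logons by (user, source IP) and report any pair
    that reached at least min_hosts distinct hosts inside a sliding window."""
    hops: dict[tuple[str, str], list[Event]] = defaultdict(list)
    for e in events:                                   # events arrive time-ordered
        if e.source == "security" and e.fields.get("LogonType") in {"3", "10"}:
            hops[(e.user, e.fields["Src"])].append(e)
    flagged = {}
    for key, evs in hops.items():
        best: set[str] = set()
        for i, start in enumerate(evs):
            reached = {e.host for e in evs[i:] if e.ts - start.ts <= window}
            if len(reached) > len(best):
                best = reached
        if len(best) >= min_hosts:
            flagged[key] = sorted(best)
    return flagged


if __name__ == "__main__":
    tl = build_timeline()
    for e in tl:
        print(f"{e.ts:%Y-%m-%dT%H:%M:%SZ} {e.source:9} {e.host:12} {e.user:6} {e.detail}")
    for (user, src), hosts in lateral_movement(tl).items():
        print(f"LATERAL MOVEMENT: {user} from {src} -> {', '.join(hosts)}")
```

Two details carry most of the value here: every timestamp is converted to a tz-aware UTC datetime before sorting, because a local-time Security export placed next to a UTC firewall log produces a timeline that is hours wrong, and the syslog year is supplied explicitly, because a capture that spans New Year rolls over silently otherwise.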

Warning

Critical Mistakes to Avoid

We have investigated hundreds of breaches. In nearly every case, the organization made at least one of these mistakes in the first hour. Each one makes the investigation harder, the legal exposure greater and the recovery more expensive. Read this list before you need it.

Do Not

  • Do NOT power off compromised systems. Powering off destroys volatile memory containing active processes, network connections, encryption keys and fileless malware. Isolate the system from the network instead. Unplug the cable. Disable the Wi-Fi adapter. Leave it running.
  • Do NOT reimage before forensic imaging. Reimaging a compromised system is destroying the crime scene. You cannot investigate a system that no longer contains the evidence. Create a forensic image first. Restore from backup after the investigation is complete.
  • Do NOT run antivirus on compromised machines. Antivirus modifies file timestamps, quarantines or deletes malware specimens, alters registry entries and overwrites disk sectors. These changes contaminate forensic evidence and undermine its weight in legal proceedings. Leave the compromised system untouched until forensic acquisition is complete.
  • Do NOT communicate incident details over compromised email. If you suspect the attacker has access to your email system, every message you send about the investigation is visible to the attacker. They will adapt, cover their tracks and accelerate exfiltration. Use phone calls, a separate messaging platform or in-person communication until email integrity is confirmed.
  • Do NOT delay insurance notification past the policy SLA. Cyber insurance policies have strict notification requirements. Missing the window by even one day can void coverage for incident response costs, legal fees, regulatory fines and breach notification expenses. Call your carrier the moment you confirm a P1 or P2 incident.
  • Do NOT delete logs or clear event viewers. It sounds obvious, but panicked IT staff sometimes clear logs thinking it will "clean up" the compromised system. Logs are evidence. Deleting them is spoliation. Preserve everything and let the forensic investigators determine what is relevant.

Questions

Incident Response FAQ

Should I turn off a compromised computer?
No. Powering off a compromised system destroys volatile memory containing active processes, network connections, encryption keys and fileless malware that exists only in RAM. Volatile memory is often the most valuable evidence in the first hours of an incident. Isolate the system from the network by unplugging the Ethernet cable or disabling Wi-Fi, but leave it powered on until a forensic investigator has captured the memory contents.
When do I have to report a data breach in Canada?
Under PIPEDA, organizations must report a breach to the Office of the Privacy Commissioner of Canada and notify affected individuals as soon as feasible after determining that the breach creates a real risk of significant harm. The statute sets no fixed number of hours; treat 72 hours from that determination as the practical working deadline, which also matches the GDPR clock if European data subjects are involved. You must also keep records of every breach for 24 months regardless of whether it meets the reporting threshold. Provincial private-sector privacy legislation in Alberta, British Columbia and Quebec has additional requirements. Read our PIPEDA breach notification guide for the complete regulatory framework.
Does cyber insurance cover incident response?
Most cyber insurance policies cover incident response costs including forensic investigation, legal counsel, breach notification expenses and public relations support. Coverage is contingent on following the policy's notification procedures, which typically require contacting the carrier within 24 to 72 hours of discovering the incident. Some policies mandate using their panel of approved forensic vendors. Failing to notify within the required window or using an unapproved vendor can result in denied claims. Review your policy before an incident occurs so you know the exact SLA and vendor requirements.
How long does a forensic investigation take?
Initial triage takes 24 to 48 hours and determines the scope of compromise, attack vector and whether data exfiltration occurred. A full forensic investigation takes 1 to 4 weeks depending on the number of affected systems, volume of log data and complexity of the attack. Ransomware cases with encrypted systems and destroyed logs take longer because evidence recovery requires additional reconstruction effort. Advanced persistent threat investigations involving lateral movement across dozens of systems can extend to 6 to 8 weeks.
Can I handle incident response internally?
For P3 incidents involving suspicious but unconfirmed activity, an internal team with proper training and an established incident response plan can handle triage and initial investigation. For P1 incidents involving active data exfiltration or ransomware and P2 incidents involving confirmed compromise, engage external forensic investigators. External investigators bring specialized tools, experience with similar breach patterns and the independence that strengthens the investigation's credibility in legal proceedings and regulatory inquiries.
What should I have ready before an incident happens?
Every organization needs an incident response plan that has been tested through tabletop exercises at least annually. Keep forensic imaging tools installed and tested on a dedicated workstation. Maintain an offline contact list with phone numbers for your incident response team, legal counsel, cyber insurance carrier and forensic investigator. Store your insurance policy details where they are accessible during a network outage. Have legal counsel on retainer who specializes in breach response and privacy law. Consider an incident response retainer with a forensic firm so you skip the procurement process when minutes matter.

Immediate Response

Do Not Handle a Breach Alone

Call 604.229.1994 for immediate incident response. Our CISSP-ISSAP certified investigators have handled hundreds of breaches across ransomware, business email compromise, insider threat and advanced persistent threat cases. We deploy within hours. See our incident response services or lock in priority response with an incident response retainer.


Need a Forensic Investigator Now?

Do not wait until the breach gets worse. Call us for immediate triage and evidence preservation guidance. We will tell you exactly what to do and what not to touch until we arrive.

Call 604.229.1994