Ransomware First 60 Minutes: The Evidence Collection Checklist

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Most ransomware incident response guides start with 'contain the affected system.' That is correct, but containment is not the first step: evidence collection is, because the most valuable forensic artifacts disappear within minutes of encryption starting.
This checklist assumes you have confirmed ransomware execution on a Windows system and have physical or remote access to a command prompt. Every command uses built-in Windows tools. No downloads required. Work through steps in order: the earliest steps capture the most volatile evidence.
T+0 to T+5: Volatile Evidence (Collect Before Anything Else)
Do not reboot. Do not run antivirus scans. Do not move files. These actions destroy evidence or trigger additional encryption.
Create a working directory on an external drive or network share you control:
mkdir D:\forensics
Capture running processes (highest priority: disappears on reboot):
tasklist /v /fo csv > D:\forensics\processes.csv
wmic process get Caption,CommandLine,ParentProcessId,ProcessId,CreationDate /format:csv > D:\forensics\wmic_processes.csv
Capture network connections (shows C2 communication and lateral movement paths):
netstat -ano > D:\forensics\connections.txt
arp -a > D:\forensics\arp.txt
ipconfig /all > D:\forensics\network.txt
route print > D:\forensics\routes.txt
Capture active sessions and logged-on users:
query session > D:\forensics\sessions.txt
query user > D:\forensics\users.txt
net session > D:\forensics\net_sessions.txt
These five command groups take under 3 minutes and capture the data most likely to identify the initial access vector, lateral movement paths, and C2 infrastructure.
T+5 to T+20: Event Logs (Export Before Overwrite)
Windows event logs are finite in size. The Security log defaults to 512 MB and overwrites oldest entries when full. During a ransomware incident with high authentication activity, it can fill within minutes. Export now.
Export core event logs:
wevtutil epl Security D:\forensics\Security.evtx
wevtutil epl System D:\forensics\System.evtx
wevtutil epl Application D:\forensics\Application.evtx
wevtutil epl "Microsoft-Windows-PowerShell/Operational" D:\forensics\PowerShell.evtx
wevtutil epl "Microsoft-Windows-TaskScheduler/Operational" D:\forensics\TaskScheduler.evtx
wevtutil epl "Microsoft-Windows-WMI-Activity/Operational" D:\forensics\WMI.evtx
If Sysmon is deployed (highest forensic value if present):
wevtutil epl "Microsoft-Windows-Sysmon/Operational" D:\forensics\Sysmon.evtx
The Security log contains logon events (4624/4625), privilege use (4672), and object access. The PowerShell Operational log captures the download cradle or execution chain used for initial access. TaskScheduler and WMI logs capture persistence mechanisms.
Key event IDs to search for in post-collection analysis:
- 4624 Type 3: Network logon (lateral movement)
- 4625: Failed logon (brute force or credential stuffing)
- 4698: Scheduled task created (persistence)
- 4720: User account created (attacker backdoor account)
- 7045: New service installed (common persistence method)
- 1102: Security audit log cleared (attacker covering tracks)
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
T+20 to T+35: Shadow Copies and Startup Items
Check VSS shadow copies immediately: most ransomware deletes them within 30 minutes:
vssadmin list shadows > D:\forensics\shadows.txt
vssadmin list shadowstorage > D:\forensics\shadow_storage.txt
If shadow copies exist, they are your fastest path to pre-encryption file recovery. Do not attempt to mount them from the infected system: they may be in the process of being deleted. Document their IDs from the output above and use a clean system to mount them later.
WARNING: Do not run vssadmin delete shadows or any command that modifies shadow copies. Do not run System Restore. These destroy recovery options.
Capture startup and persistence locations:
reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run D:\forensics\run_hklm.reg
reg export HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run D:\forensics\run_hkcu.reg
reg export HKLM\SYSTEM\CurrentControlSet\Services D:\forensics\services.reg
reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon D:\forensics\winlogon.reg
List scheduled tasks:
schtasks /query /fo csv /v > D:\forensics\scheduled_tasks.csv
Ransomware persistence mechanisms almost always appear in one of these four locations. Capturing them now documents the persistence mechanism before it is removed by the ransomware itself or by premature remediation.
T+35 to T+60: File System and Network Context
Identify the encryption start time from file modification timestamps in the affected directories. Run this against a sample of encrypted files:
dir C:\Users\ /t:w /s /a > D:\forensics\file_timestamps.txt 2>&1
The earliest modified timestamps cluster around when encryption started. This establishes the timeline for log correlation.
Capture the ransom note: it typically contains the ransomware family name, a decryption ID, and sometimes the C2 contact method:
dir C:\ /b /s /a | findstr /i "readme" > D:\forensics\ransom_notes.txt
dir C:\ /b /s /a | findstr /i ".txt" | findstr /i "ransom\|decrypt\|recover" >> D:\forensics\ransom_notes.txt
The ransom note family identification matters for insurance purposes, for checking decryptor availability on nomoreransom.org, and for law enforcement reporting. If the family is unrecognized or you need to confirm it, static analysis of the ransomware binary with Ghidra and YARA can establish attribution when the ransom note alone is insufficient.
Document the scope before network isolation:
nbtstat -A <gateway_ip> > D:\forensics\network_discovery.txt
net view /all > D:\forensics\network_shares.txt
Isolate after evidence collection is complete. Disable the network interface via Device Manager or pull the ethernet cable. If this is a VM, take a snapshot before isolation to preserve memory state.
What to tell your IR firm when they arrive: Provide the D:\forensics directory, the encryption start time you identified, and the ransom note family. This halves their initial triage time.
The bottom line
The first 60 minutes after ransomware executes is a closing window. VSS shadow copies disappear within 30 minutes in most campaigns. Process lists are gone on reboot. Event logs overwrite during high-activity periods. Collect in this order: running processes and network connections first (T+0 to T+5), then event log exports (T+5 to T+20), then shadow copy documentation and persistence registry keys (T+20 to T+35), then file system timestamps and network scope (T+35 to T+60). Isolate the network only after evidence collection is complete. Every command in this checklist uses built-in Windows utilities: no downloads, no third-party tools, no prerequisites.
Frequently asked questions
What should I do first when ransomware hits?
Do not reboot, do not run antivirus scans, and do not move files. Open a command prompt and immediately run tasklist /v and netstat -ano to capture running processes and network connections before they disappear. These are the most time-sensitive forensic artifacts.
How long do VSS shadow copies survive after ransomware executes?
Most ransomware families execute VSS deletion commands within the first 30 minutes of encryption. Run vssadmin list shadows immediately after detecting the incident and document the shadow IDs before they are deleted. Do not attempt to mount them from the infected system.
What logs should I collect in the first 60 minutes of a ransomware incident?
Priority log collection in the first 60 minutes: (1) Windows Security event log from domain controllers covering the 72 hours before the incident (authentication, account management, policy changes). (2) Firewall and proxy logs showing outbound connections from affected endpoints over the same window. (3) EDR telemetry exports for all affected endpoints, including process execution, network connections, and file modification events. (4) DNS query logs from your DNS server or sinkhole for the affected endpoint IP addresses. (5) Any backup system logs showing when backup jobs last completed successfully. Collect these to offline storage before isolating systems, as isolation may disrupt log forwarding.
How do I preserve forensic evidence during a ransomware incident without slowing containment?
Run memory acquisition and process snapshot first (highest volatility: disappears on reboot), then network state (netstat -ano, arp -a, active connections), then event log export, then disk image of patient zero if time permits. You do not need to image every affected system: prioritize patient zero (first affected system, if identifiable), any confirmed command-and-control endpoints, and servers accessed during the attacker's lateral movement. Use a dedicated forensic workstation with external storage that has never been connected to the affected environment. Avoid running forensic tools from the affected system's own drive.
What is the first command I should run on a ransomware-affected Windows system?
Run tasklist /v /fo csv > c:\evidence\processes.csv immediately -- this captures all running processes with process IDs, user, memory usage, and window title before anything changes. Follow immediately with netstat -ano > c:\evidence\connections.txt to capture all open network connections with PIDs. Do both within the first 5 minutes, before any remediation action. These two outputs establish which process was responsible for the ransomware execution and where it was communicating at the moment of detection. Cross-reference the PIDs across both files: a process with an unusual external connection and a suspicious path is your ransomware executable.
What logs from Active Directory and domain controllers should be collected during ransomware response and why are they critical?
Active Directory logs are often the most important forensic evidence in ransomware incidents because most ransomware groups establish domain persistence before triggering encryption. Priority AD logs: Security event log from all domain controllers, especially Event IDs 4720 (account created), 4728/4756 (member added to privileged group), 4768/4769 (Kerberos ticket requests -- look for Golden Ticket and Kerberoasting indicators), 4625 (failed logons -- reveals password spraying timestamps), and 4648 (explicit credential use -- reveals lateral movement). Export these logs immediately before the attacker triggers a defensive response: netsh advfirewall set allprofiles state on and deleting event logs are common ransomware operator cleanup steps. Also collect: NTDS.dit backup timestamps (was the database recently backed up by a non-scheduled task?), DNS debug logs (reveals all lateral movement destinations), and WMI subscription persistence entries (Get-WMIObject -Namespace root\subscription -Class __EventFilter). Timeline the AD events against the ransomware encryption timestamps to determine the initial access vector and the dwell time before encryption was triggered.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
