Case Study 2 — When a Recovery Job Becomes a Case

A thirty-person firm was hit by ransomware on a Friday night, and every instinct said "restore everything as fast as possible and reopen Monday." The responder who paused for ninety minutes to preserve the evidence first is the reason the insurance claim paid, the law-enforcement referral had something to work with, and an awkward question about an insider could later be answered. Same incident, two workflows — run together.

Background

This is the book's third anchor case — the ransomware recovery (its home is Chapter 12) — seen at the moment that decides everything: the first hour, when the work is still pure recovery and no one is thinking about a courtroom.

A small architecture and accounting firm arrived Saturday morning to locked workstations, a ransom note on every screen, and a file server full of encrypted documents with a new extension. There was no current backup — the nightly job had silently failed for weeks — only a two-month-old external drive someone had taken home. The owner wanted one thing: the data back, today. By the textbook recovery workflow, that is the correct priority — speed weighted higher than rigor, deliverable = recovered files.

But the responder asked the question this chapter trains you to ask on every job: could this become a case? The answer was plainly yes, and on more than one front. The firm intended to file a cyber-insurance claim, which would demand documented proof of what happened. Ransomware is a crime; a referral to law enforcement (and the FBI's IC3) was likely, and any payment decision carried its own legal weight under sanctions rules. And one uncomfortable possibility could not be excluded: the intrusion might have involved a current or former employee. The instant any of those is true, the recovery job is also a forensic job — and the evidence that proves what happened is the most perishable thing in the building.

The response

The responder split the work along the two workflows of this chapter, and crucially put a sliver of the forensic one first.

Preserve the volatile before touching anything (forensic, minutes that cannot be redone). One infected workstation was still powered on, the ransomware process possibly still resident. Per the order of volatility (Chapter 15), RAM dies with the power and can hold what the disk never will: the malware's running process, its network connections to a command-and-control host, and — occasionally, decisively — an encryption key still in memory. The responder captured a memory image before pulling any plugs (analysis is Chapter 22; the malware itself is Chapter 32), documenting the tool and the exact time, accepting that capturing RAM is itself a change — the documented exception ACPO Principle 2 permits.

Preserve the systems (forensic). The encrypted server and the still-on workstation were imaged before remediation. Where a machine could be powered down and pulled, the responder write-blocked and imaged to E01 with dual hashes; where a server could not be taken offline, a live, documented acquisition was made instead, and the deviation recorded honestly. The point was not courtroom polish on a server-room floor — it was that if this became a case, an image of the systems as-attacked would exist, hashed and dated, instead of a crime scene mopped clean by Monday.

[Evidence preserved before remediation]
  Item 01  RAM capture, WS-07 (powered on)          14:02  tool+ver logged
  Item 02  E01 image, file server (live acquisition) 15:40  MD5+SHA-256 verified
  Item 03  E01 image, WS-07 system drive             16:55  write-blocked, verified
  Item 04  Copy of ransom note + encrypted samples   17:10  hashed
  Plus: firewall/VPN logs and the failed-backup job logs, exported and hashed

Then recover (recovery workflow, speed weighted higher). Only after the evidence was safe did restoration begin — and it happened on copies and clean hardware, never on the originals now sealed as potential evidence. The team mounted the two-month-old external backup read-only and restored what it held; carved unencrypted fragments and Volume Shadow Copy remnants the ransomware had tried but failed to fully delete; and stood the firm back up on rebuilt machines. The outcome was the honest, partial result this anchor always delivers without a current backup: most files recovered to a two-month-old state, a painful gap of recent work, and a prevention lesson that landed hard. But the firm reopened.

The payoff came later, on three fronts. The insurer's forensic requirement was met by the hashed images, the timeline, and the preserved logs — the claim paid. The IC3 referral had real artifacts to work with: the C2 address from the memory capture, the malware sample, and a timeline of initial access. And when the awkward insider question surfaced weeks on, it could be answered — the firewall logs and the preserved server image showed the intrusion's true vector (a phished credential, not an insider), clearing a specific employee whom suspicion would otherwise have followed. None of that would have been possible if the responder had treated it as "just a recovery" and restored over everything by Monday.

The analysis

  1. "Could this become a case?" is the most valuable instinct in the field. Nothing about a ransom note says courtroom, yet insurance, law enforcement, sanctions exposure, and a possible insider all made this a case-in-waiting. Asking the question early — and acting on a "yes" — is what separated a recoverable incident from an unprovable one.

  2. Recovery and forensics are two workflows on one foundation, and they can run together. The team did both: preserve first (forensic), then restore fast (recovery), on copies and clean hardware. The shared foundation — image first, hash, work on the copy — served both goals at once; the legal machinery rode on top only where it was needed.

  3. The most perishable evidence is volatile, and you get one chance. RAM, live network connections, and an in-memory key vanish with the power. Spending minutes to capture them before remediation — accepting the documented change that capture entails — preserved options (including a possible key) that pulling the plug would have erased forever.

  4. Preserve before you remediate. Remediation is, by design, the destruction of the crime scene: you wipe, rebuild, and patch. Imaging the systems as-attacked, with hashes and timestamps, is the only way to have both a running business and a provable record of what happened. Do it in that order.

  5. The honest recovery is partial — and the discipline still mattered. Without a current backup, ransomware recovery is partial at best; two months of work were gone. But because the responder preserved first, the partial recovery came with a defensible record that paid a claim, fed an investigation, and cleared an innocent employee. Speed without preservation would have delivered the same lost files and nothing else.

Discussion questions

  1. List the four signals in this scenario that should trigger the "this could become a case" instinct, and for each, name what evidence would be needed and why it is perishable.

  2. Capturing RAM changes RAM, which seems to violate "change nothing." Explain how the ACPO principles accommodate this, and what the responder must document to make the live captures defensible. Contrast this tension with the powered-off laptop in Case Study 1.

  3. ⭐ The responder put a forensic step (memory capture) ahead of the owner's urgent demand to restore. Argue both sides: the business case for restoring immediately versus the case for spending ninety minutes preserving first. Where is the line, and who should make that call — the technician or the client?

  4. Compare this case with Case Study 1. Both honored "image first, work on the copy," but the reason and the legal weight differed. Name the reason in each, and explain how the differing reason changes what gets documented and how much.

  5. The preserved logs and server image ultimately cleared an employee who suspicion would otherwise have followed. Explain how the same preservation that could have convicted an insider instead exonerated one — and connect this to the duty to seek exculpatory as well as inculpatory evidence (theme: the human cost is real).