Capture screenshots of every significant access point. - Record hashes (not plaintext) of compromised accounts. - Create an attack chain diagram showing the complete path from initial access to highest-impact compromise. - Note timestamps for all activities.