Why the First Hour Determines the Outcome
I've worked incidents where the first responder immediately started killing processes and deleting files — destroying forensic evidence before we had any idea what we were dealing with. The first 60 minutes should be about understanding scope, preserving evidence, and containing spread.
The First 15 Minutes: Orient
```bash
date -u             # record the UTC time triage started
uptime              # boot time and load; an unexplained reboot is a clue
who                 # current logins
last -20            # recent login history
ps aux --forest     # process tree, shows parent/child relationships
netstat -anlp       # all sockets with owning process (legacy tool)
ss -tulpn           # listening TCP/UDP sockets with owning process
lsof -i             # open network files per process
```
Save all output to a timestamped file on your jump host, not on the compromised system.
Minutes 15-30: Scope
- Check adjacent systems for similar IOCs
- Pull authentication logs for the affected account
- Check DNS for unusual lookups (C2 beaconing patterns)
- Notify legal and management per your escalation policy
```bash
# Count established TCP peers. With a state filter, ss drops the State column,
# so the peer address is field 4; NR>1 skips the header line.
ss -tnp state established | awk 'NR>1 {print $4}' | sort | uniq -c | sort -rn
```
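The DNS check above ("unusual lookups, C2 beaconing patterns") is easiest to do by measuring the regularity of repeated queries per client. The following is an added example, not code from the original post: it assumes a resolver log in the constructed format `<ISO-8601 UTC timestamp> <client-ip> <queried-name>` and flags client/name pairs whose inter-query gaps have very low jitter.

```python
"""Flag low-jitter periodic DNS lookups (beacon-like) in a resolver log.
Added example; assumes a constructed log format of
'<ISO-8601 UTC timestamp> <client-ip> <queried-name>' per line."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: 10.0.0.5 resolves one name roughly every 60 s
# (beacon-like); the other entries are irregular or too few to judge.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 update.example-cdn.test
2024-01-01T10:00:10Z 10.0.0.7 www.example.test
2024-01-01T10:00:12Z 10.0.0.7 www.example.test
2024-01-01T10:01:01Z 10.0.0.5 update.example-cdn.test
2024-01-01T10:02:00Z 10.0.0.5 update.example-cdn.test
2024-01-01T10:03:02Z 10.0.0.5 update.example-cdn.test
2024-01-01T10:03:59Z 10.0.0.5 update.example-cdn.test
2024-01-01T10:05:00Z 10.0.0.5 update.example-cdn.test
2024-01-01T10:07:45Z 10.0.0.7 www.example.test
2024-01-01T10:20:03Z 10.0.0.7 www.example.test
2024-01-01T10:21:00Z 10.0.0.7 www.example.test
2024-01-01T10:30:00Z 10.0.0.5 mail.example.test
2024-01-01T10:59:59Z 10.0.0.7 www.example.test
"""


def parse(lines):
    """Group query timestamps by (client, name); malformed lines are skipped."""
    events = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events[(parts[1], parts[2])].append(ts)
    return events


def find_beacons(log_text, min_queries=5, max_cv=0.1):
    """Return (client, name, mean_gap_s, cv) for periodic lookups.
    cv = stdev/mean of the gaps between consecutive queries; values near 0
    mean machine-regular timing, which human browsing rarely produces."""
    results = []
    for (client, name), times in parse(log_text.splitlines()).items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m <= 0:
            continue
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            results.append((client, name, round(m, 1), round(cv, 3)))
    return sorted(results, key=lambda r: r[3])
```

Tune `min_queries` and `max_cv` to your environment; legitimate software updaters and monitoring agents are also periodic, so treat hits as leads to confirm against the process and connection data collected above, not as verdicts.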
Minutes 30-45: Preserve
```bash
# Memory dump
avml /tmp/memory.lime
# Capture running processes with hashes. Hash /proc/PID/exe rather than the
# name in ps output, which can be relative, renamed, or a kernel thread.
for p in /proc/[0-9]*; do
  exe=$(readlink "$p/exe" 2>/dev/null) || continue   # no exe: kernel thread
  h=$(sha256sum "$p/exe" 2>/dev/null) || continue
  printf '%s %s %s\n' "${p#/proc/}" "$exe" "${h%% *}"
done > process_hashes.txt
```
Minutes 45-60: Contain
Containment options in order of invasiveness:
- Network isolation (ACL or firewall rule) — preferred for servers
- VLAN isolation
- Physical disconnect (last resort — destroys volatile data)
Defensive Takeaways
- Practice IR tabletop exercises quarterly
- Pre-position your IR toolkit on all servers: avml, tcpdump, volatility plugins
- Document the timeline as you go — memory is unreliable during high-stress incidents
- Never reimage before taking a disk image