Initial Forensic Consultation and Scoping
Every digital forensics investigation Petronella Technology Group runs begins with a confidential scoping call. We map the incident surface, identify every data source that could hold relevant evidence, and define a written scope you and your counsel can sign off on before anyone touches a device.
Why Slow Down Before You Touch Anything?
Phase 1 is the phase most teams skip or rush, and it is the phase that quietly decides whether the rest of the investigation is going to work. When a breach alarm goes off, the instinct is to start doing things: pull the cable, run the antivirus scan, call the hosting provider, wipe the laptop, log into the cloud console. All of those instincts are understandable, and most of them destroy evidence. Pulling the network cable is the exception: isolating a host without powering it down is the one reflex we want you to keep.
The purpose of the initial consultation is to slow down, take an accurate picture of the situation, and make three decisions before anything technical happens. First, what is actually in scope. Second, what needs to be preserved right now before it disappears. Third, who has the authority to make the decisions the engagement is going to require. In a typical case the call runs thirty to sixty minutes. In an active ransomware or wire-fraud event, the scoping call happens while preservation is starting in parallel, and the written scope is issued within hours.
We treat Phase 1 as protected time. No matter how urgent the incident feels, the hour spent on scoping saves days later. Investigations that skip this phase end with a report that says more about what we could not determine than what we could, because the evidence that would have answered the question was overwritten, rebooted, restored, or auto-remediated in the first hours.
What Happens Inside a Forensic Scoping Call?
A structured conversation walks through the facts of the incident, the urgency, the custodians involved, and the regulatory and legal environment around the case.
Incident narrative
What happened, who noticed, what has been done so far, and what is still happening. We take dictated notes and confirm the timeline back to you.
Custodian and asset mapping
Every person, endpoint, mailbox, cloud tenant, server, and log source that could hold evidence gets on a list with ownership tagged.
Urgency and freeze guidance
We tell you what has to stop right now, what can wait, and what needs emergency preservation before the next business action disturbs it.
Legal and regulatory environment
Counsel of record, privilege structure, regulatory obligations (HIPAA, GLBA, state breach laws), and insurance carrier notification requirements.
Decision authority
Who can approve scope expansion, who can authorize payment of a ransom, who signs for expert consulting support. No surprises later.
Written engagement scope
A scope document issued within hours that lists exactly what we will image, what we will analyze, what we will report on, and the budget envelope.
What Questions Will We Ask During the Consultation?
We use a written questionnaire to structure the initial conversation. You do not need to answer everything before the call. The point is to cover the same ground every time so nothing gets skipped because the incident felt urgent. These are the categories we walk through together.
The Triggering Event
When did you first notice the issue? Who raised it? What were the first indicators: a file extension change, a bank alert, an employee complaint, a vendor calling about a wire that never arrived? Has the user interacted with the suspicious artifact since? Has anyone logged into the affected accounts since the event? Have any remediation tools run automatically?
Identity and Access
Which user accounts are involved? Do they have multi-factor authentication enabled and what factor? Have there been recent password resets or MFA changes? Are any of these accounts privileged, service accounts, or shared accounts? Are any accessed by a third-party MSP or vendor?
Infrastructure
Are the affected systems on-prem, cloud, or both? Which cloud providers? Do you have endpoint detection and response deployed? Which product? Is cloud SIEM or log aggregation in place? How long are you retaining logs? Is there a backup system and when was the last successful backup?
Financial Loss Exposure
Has money moved? Which bank, when, how much, to where? Has the bank been notified? Has the FBI IC3 complaint been filed? Is there cyber insurance in force and has the carrier been notified? What is the SLA for insurance notification under the current policy?
Regulatory Exposure
Do you handle protected health information, payment card data, Controlled Unclassified Information, personally identifiable information for residents of states with breach notification statutes? Any contractual notification obligations to customers, partners, or the federal government?
People and Communication
Who inside the company knows about the incident? Who needs to know? Who must not know yet because they are a suspect, a potential source of leak, or because the situation is not yet verified? Is there outside counsel and do we engage through them?
Why Does the Consultation Phase Matter So Much?
Protect the Evidence
The first 24 hours of an incident decide what evidence still exists when forensic analysis starts. Phase 1 is where we stop the accidental damage.
- Immediate preservation instructions before our team physically or remotely arrives
- Stop-orders on auto-remediation, EDR quarantine, and well-meaning cleanup scripts
- Cloud-tenant preservation-hold guidance for mailboxes and shared drives
- Chain of custody established from the very first documented interaction
Define the Strategy
A written scope means you know the cost, the timeline, and the boundaries of the engagement before you commit. No scope creep, no surprise invoices.
- Scope boundaries that prevent avoidable costs and timeline slip
- Legal privilege structure set up on day one, not renegotiated mid-case
- Regulatory notification timelines flagged and aligned with the investigation
- Insurance coordination lined up so coverage decisions happen with evidence
What to Do and Not Do Before the Call
If you have not yet called and something is actively going wrong, this is the short list that covers most cases. None of it is a substitute for speaking with a forensic team and counsel, but doing these things while you wait for the scoping call can save the case.
Do
- Isolate affected systems at the network layer. Unplug the Ethernet cable, disable the Wi-Fi adapter, or put the device in airplane mode. Do not power down.
- Preserve logs. Increase retention, stop any log-rotation cron jobs, and flag cloud audit logs for export. Microsoft 365 Unified Audit Log expiry is the single most common evidence loss we see: the tenant keeps it only for its default retention window (90 days on older or basic licensing, 180 days on current Audit Standard, longer only with Audit Premium or an audit retention policy), and once an event ages out it is gone.
- Screenshot the incident as it exists right now. Malware binaries, unfamiliar logged-in sessions, suspicious mailbox rules, wire-transfer confirmations, ransomware notes. Where you can, export the original artifact alongside the screenshot (the message with headers, the rule definition, the bank confirmation) and note the time and the machine each capture was taken on.
- Document the sequence of events as you remember it, with times, to the best of your ability. Do it while memory is fresh. We will use it as a starting point for the timeline.
- Notify cyber insurance. Many policies have strict initial-notice windows, sometimes as short as 24 hours, and coverage can be compromised by delay.
Do Not
- Reboot or shut down affected systems. Volatile memory contains running processes, injected code, and sometimes decryption keys that exist only until power cycles.
- Reimage or wipe. If the user needs to keep working, stand up a replacement device.
- Run antivirus cleanup, EDR remediation, or automated malware removal. These tools are built to destroy the very artifacts we need to analyze.
- Delete suspicious emails, even if the user feels embarrassed. If we need a copy, forward the message as an attachment or export it as .eml/.msg so the original headers survive (a plain forward rewrites them), and leave the originals in place.
- Negotiate with attackers directly. Loop in counsel and a ransom-negotiation specialist before any reply.
- Talk about the incident on public Slack channels, general-staff email, personal phones, or through the mail system you suspect is compromised. Assume the attacker still has access, and is reading, until we prove otherwise.
What Documents Do You Get Out of Phase 1?
Written Engagement Scope
One to three pages. Lists every custodian, every device, every log source and cloud tenant in scope. States the analysis objectives, the deliverables, the budget envelope, and the privilege framework. Signed by you or your counsel before Phase 2 starts.
Preservation Checklist
Step-by-step instructions for your IT team or MSP on what to preserve right now, how to preserve it, and what not to touch. Covers endpoints, mailboxes, cloud tenants, and third-party services that keep relevant logs.
Stakeholder and Counsel Map
Who can hear what, who approves what, and how communication is structured through the life of the engagement. Prevents the whisper-network leak that compromises insider-threat cases.
Regulatory Timeline Summary
Short summary of applicable breach notification windows, insurance carrier reporting obligations, and any contractual notification duties that may have been triggered. Written in plain English for non-lawyer stakeholders.
A Phase 1 Call in Practice
The call comes in on a Wednesday afternoon. A Raleigh-area accounting firm has just confirmed that a $187,000 client trust wire left the bank Tuesday night for a fraudulent supplier account. The CFO is on the line with the partner-in-charge. The office manager is in the room. The IT provider is dialing in from another call.
In the first fifteen minutes we capture the narrative: the office manager processed the wire through the bank portal based on email instructions that matched an existing supplier thread. The supplier has since confirmed their own email account was compromised three weeks ago and the attacker had been reading messages to time the wire. The money has already moved out of the receiving US bank, but there is a possibility of partial clawback if we move fast.
In the next fifteen minutes we map custodians: the CFO, the office manager, the partner-in-charge, the supplier-facing relationship manager, the firm's shared accounts-payable mailbox. Each has an M365 mailbox, an endpoint, and possibly a mobile device. The firm has cyber insurance, a retainer with outside counsel, and uses a third-party MSP. We confirm the MSP has not run any remediation and has not accessed the affected endpoints since the incident.
At the thirty-minute mark we issue preservation-hold instructions: place the mailboxes in scope (CFO, office manager, shared accounts-payable) on litigation hold and suspend their retention policies, disable any auto-archive, export the Unified Audit Log for the full retention window before events age out, physically isolate the office manager's workstation from the network, and leave the device powered on. Outside counsel joins at minute 35 and confirms the engagement runs through the firm for attorney work-product protection. We close the call at minute 55 with a verbal scope commitment and a promise to have the written engagement letter to counsel within four hours.
Nothing has been imaged yet. Nothing has been analyzed yet. The case has already gone from being at risk of unrecoverable evidence loss to being on track for a successful investigation, insurance claim, and recovery demand. That is what Phase 1 delivers.
What Phase 1 Looks Like by Incident Type
Not every scoping call looks the same. The incident type shapes which questions get priority, which preservation steps happen first, and which regulatory clocks are already running.
Business Email Compromise and Wire Fraud
BEC calls are almost always urgent because the window for bank-level clawback closes fast. Phase 1 prioritizes the financial timeline: when did the wire originate, which bank, which receiving account, has the bank's fraud team been notified, has an IC3 complaint been filed. Preservation prioritizes the Microsoft 365 Unified Audit Log (its retention window, 90 or 180 days depending on licensing, is a real constraint), inbox rules, mailbox-level forwarding, OAuth consents, and the workstation used to process the wire. Regulatory analysis looks at state breach notification laws because personally identifiable information often lives in the same mailbox the attacker had access to.
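The preservation steps this page describes for a BEC scope (the audit-log export from the Do list, the holds issued in the scoping-call walkthrough above, and the inbox-rule and forwarding review here) look like this when an examiner actually runs them. The PowerShell below is an added example, not Petronella Technology Group's own script; it assumes the ExchangeOnlineManagement module and an account with Exchange admin and audit-search rights, and the custodian addresses, output path and day count are placeholders.

```powershell
# Added example (not Petronella Technology Group's script): first-hour Microsoft 365
# preservation for a BEC/wire-fraud scope. Assumes the ExchangeOnlineManagement module
# and an account with Exchange admin and audit-log search rights. Custodian addresses,
# the output path and the day count are placeholders; change them per engagement.
#Requires -Modules ExchangeOnlineManagement

$Custodians = @(                       # placeholder UPNs for the mailboxes in scope
    'cfo@example.com',
    'officemanager@example.com',
    'ap@example.com'                   # the shared accounts-payable mailbox
)
$OutDir   = 'C:\Evidence\M365'         # placeholder; ideally removable, write-once media
$DaysBack = 180                        # set to what the tenant's licence actually retains
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

Connect-ExchangeOnline -ShowBanner:$false

# 1. Freeze the mailboxes. Litigation hold keeps deleted and edited items; retention hold
#    suspends the MRM retention policy, which is the "pause the retention policy" step.
foreach ($u in $Custodians) {
    Set-Mailbox -Identity $u -LitigationHoldEnabled $true -LitigationHoldDuration Unlimited `
        -RetentionHoldEnabled $true
}

# 2. Record mailbox-level forwarding and every inbox rule, hidden ones included, and
#    flag the patterns attackers use: forward/redirect out, delete, or bury in an odd folder.
$RuleReport = foreach ($u in $Custodians) {
    $mbx = Get-Mailbox -Identity $u
    [pscustomobject]@{
        Mailbox    = $u
        Kind       = 'MailboxForwarding'
        Detail     = "SmtpForward=$($mbx.ForwardingSmtpAddress) Forward=$($mbx.ForwardingAddress) KeepCopy=$($mbx.DeliverToMailboxAndForward)"
        Suspicious = [bool]($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress)
    }
    foreach ($r in (Get-InboxRule -Mailbox $u -IncludeHidden)) {
        [pscustomobject]@{
            Mailbox    = $u
            Kind       = 'InboxRule'
            Detail     = "Name='$($r.Name)' Enabled=$($r.Enabled) Forward=$($r.ForwardTo) Redirect=$($r.RedirectTo) Delete=$($r.DeleteMessage) MoveTo=$($r.MoveToFolder)"
            Suspicious = [bool]($r.ForwardTo -or $r.ForwardAsAttachmentTo -or $r.RedirectTo -or
                                $r.DeleteMessage -or ($r.MoveToFolder -match 'RSS|Archive|Conversation History'))
        }
    }
}
$RuleReport | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'mailbox_rules.csv')

# 3. Export the Unified Audit Log for the custodians. Walk the window in 90-day slices
#    (historically the cmdlet's maximum range) and page each slice through a session so the
#    5000-row cap does not silently truncate the export.
$End      = (Get-Date).ToUniversalTime()
$Earliest = $End.AddDays(-$DaysBack)
$All      = @()
$sliceEnd = $End
while ($sliceEnd -gt $Earliest) {
    $sliceStart = $sliceEnd.AddDays(-90)
    if ($sliceStart -lt $Earliest) { $sliceStart = $Earliest }
    $session = "BEC-$($sliceStart.ToString('yyyyMMdd'))-$($sliceEnd.ToString('yyyyMMdd'))"
    do {
        $page = Search-UnifiedAuditLog -StartDate $sliceStart -EndDate $sliceEnd -UserIds $Custodians `
            -SessionId $session -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) { $All += $page }
    } while ($page)                    # an empty page means the session is exhausted
    $sliceEnd = $sliceStart
}
$All | Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'unified_audit_log.csv')

# 4. Triage view of the operations that usually tell the BEC story, parsed from AuditData.
$Interesting = 'UserLoggedIn', 'New-InboxRule', 'Set-InboxRule', 'Consent to application.',
               'Add-MailboxPermission', 'Set-Mailbox', 'MailItemsAccessed'
$All | Where-Object { $_.Operations -in $Interesting } |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, Operation, ClientIP, ResultStatus |
    Sort-Object CreationTime | Format-Table -AutoSize

# 5. Hash every export so chain of custody starts at the first acquisition.
$exports = Get-ChildItem -Path $OutDir -File
$exports | Get-FileHash -Algorithm SHA256 |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'sha256_manifest.csv')
```

Run it from an administrator's workstation, never from the isolated machine that processed the wire. The audit-log export comes before any cleanup because Search-UnifiedAuditLog only returns what the tenant still retains; the holds stop further loss in the mailboxes, but nothing brings back audit events that have already aged out. Keep the exports and the hash manifest together from this point on.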
Ransomware
Ransomware Phase 1 calls prioritize containment without destroying evidence. We walk through network segmentation, safe isolation of affected hosts, whether backups are intact, whether there is an endpoint detection and response platform on the affected hosts, and which systems are still encrypting. We map scope by the strain family if we can identify it from the ransom note, the file extension change, or the Tor negotiation URL. We flag whether data exfiltration is a concern (many strains are double-extortion now) and begin the insurance carrier and breach counsel notification process.
Crypto Theft and Pig Butchering
Phase 1 for crypto cases looks different because the primary evidence is on-chain and already preserved by the ledger. We focus on capturing the victim's side of the story: wallet addresses, transaction IDs, communications with the scam platform, screenshots and exports of the fake trading interface, bank wires into the scheme, and the chronology of trust-building. We identify whether the funds have moved to a centralized exchange with US legal reach (which shapes recovery strategy) and whether a freeze action through counsel is realistic. We coordinate early with law enforcement where the amount warrants it.
Insider Threat and Internal Investigations
Insider cases are the most confidentiality-sensitive. Phase 1 prioritizes decision-authority mapping (who inside knows and must not know), the privilege framework, and whether HR and employment counsel need to be synchronized with the forensic timeline. Preservation targets the subject custodian's endpoint, mailbox, cloud file storage, USB-device connection history, and print-job logs. We scope carefully to avoid scope creep into unrelated employee conduct that the engagement does not authorize.
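Two of the preservation targets named above, USB-device connection history and print-job logs, live in places an IT team rarely looks at. The script below is an added example, not the firm's tooling: it runs against evidence copies (a SYSTEM hive exported from the forensic image and a copied PrintService/Operational event log), never the live custodian machine, and every path and every flagging threshold is a placeholder.

```powershell
# Added example (not the firm's tooling): triage of USB mass-storage history and print-job
# events from evidence copies in an insider-threat scope. It expects a SYSTEM hive exported
# from the forensic image and a copied PrintService/Operational .evtx, never the live
# custodian machine. Paths are placeholders; run from an elevated prompt (reg.exe load).
param(
    [string]$SystemHive = 'D:\Evidence\custodian01\SYSTEM',                                          # placeholder
    [string]$PrintLog   = 'D:\Evidence\custodian01\Microsoft-Windows-PrintService%4Operational.evtx', # placeholder
    [string]$OutDir     = 'D:\Evidence\custodian01\triage'                                           # placeholder
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# --- USB mass-storage devices the box has ever enumerated (USBSTOR) ----------------------
& reg.exe load 'HKLM\EvidenceSYSTEM' $SystemHive | Out-Null
try {
    # CurrentControlSet is a live symlink; in an offline hive read Select\Current instead.
    $current = (Get-ItemProperty -Path 'HKLM:\EvidenceSYSTEM\Select').Current
    $usbstor = 'HKLM:\EvidenceSYSTEM\ControlSet{0:d3}\Enum\USBSTOR' -f $current
    $Devices = foreach ($model in Get-ChildItem -Path $usbstor) {
        foreach ($inst in Get-ChildItem -Path $model.PSPath) {
            $p = Get-ItemProperty -Path $inst.PSPath
            [pscustomobject]@{
                Model           = $model.PSChildName        # e.g. Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00
                InstanceId      = $inst.PSChildName         # device serial, or a Windows-generated ID
                # A '&' as the second character means Windows generated the ID because the
                # device reports no serial; such entries cannot uniquely identify one stick.
                HasUniqueSerial = ($inst.PSChildName.Length -gt 1 -and $inst.PSChildName[1] -ne '&')
                FriendlyName    = $p.FriendlyName
                ContainerId     = $p.ContainerID
            }
        }
    }
    $Devices | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'usbstor_devices.csv')
}
finally {
    [gc]::Collect()                                    # drop provider handles before unloading
    & reg.exe unload 'HKLM\EvidenceSYSTEM' | Out-Null
}

# --- Print jobs (event 307, "Document printed"). This log is off by default on workstations,
#     so confirm its state in scope too: an empty log is not the same as "nothing was printed".
$Jobs = Get-WinEvent -Path $PrintLog -FilterXPath '*[System[EventID=307]]' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.UserData.DocumentPrinted
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = $d.Param3
            Document = $d.Param2
            Printer  = $d.Param5
            Bytes    = [int64]$d.Param7
            Pages    = [int]$d.Param8
            # Placeholder heuristics for the scoping call, not conclusions: after-hours jobs,
            # large jobs, and document names that look like client or HR material.
            Flag     = ($_.TimeCreated.Hour -lt 7 -or $_.TimeCreated.Hour -ge 19) -or
                       ([int]$d.Param8 -ge 50) -or
                       ($d.Param2 -match 'client|confidential|salary|roster|customer')
        }
    }
$Jobs | Sort-Object Time | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'print_jobs.csv')

"{0} USB storage devices, {1} print jobs ({2} flagged for review)" -f
    @($Devices).Count, @($Jobs).Count, @($Jobs | Where-Object Flag).Count
```

The USBSTOR listing tells you which removable media have ever been plugged in; it does not by itself say when, or what was copied, so treat it as a custodian-interview prompt rather than a finding. The flags on print jobs are deliberately crude: their job in Phase 1 is to decide whether print activity belongs in the written scope, not to establish anything about the employee.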
Regulatory-Driven Review
Sometimes Phase 1 is not triggered by an incident at all but by a regulator or contract requirement. HIPAA-covered entities performing a breach risk assessment, CMMC contractors documenting an IR exercise, or organizations responding to a customer data-handling questionnaire. Phase 1 here is less urgent but more document-heavy because the deliverables are audit artifacts. We scope tightly to what the regulator is asking for and avoid the temptation to expand into adjacent areas.
From Scope to Signed Engagement
Most clients go straight from scoping call to signed engagement inside a few hours. For a straightforward BEC, targeted ransomware, or crypto-tracing matter, the paperwork is lightweight because the scope is tight. For a multi-custodian internal investigation or a compliance-driven review the paperwork is thicker because there are more custodians to cover and more data categories to enumerate. Either way, the structure is the same.
Engagement Letter
A two- to five-page engagement letter defines the parties, the scope of work, the fee structure, the communication and privilege framework, and the data-handling terms. When counsel is engaging us on behalf of a client, the engagement letter runs through the law firm and the ultimate client is identified as the beneficiary of the work. When the client engages us directly, we still recommend counsel be named and copied on all deliverables to preserve privilege options.
Fee Structure
Most forensic engagements are structured as fixed-scope with a defined scope-change process. We quote a budget envelope based on the scoping call, identify which tasks are in the base scope and which are contingent, and set a written cap for the initial phase. Scope expansion requires written client approval. We avoid open-ended hourly-only engagements because they make cost unpredictable and erode client trust.
Data Handling and Chain of Custody
The engagement letter names the physical and cloud locations where evidence and work product will reside. Our default is encrypted storage on hardware owned and operated by Petronella Technology Group, with documented physical and logical access control. Chain-of-custody forms are initiated at acquisition. Evidence returns to you or is certified-destroyed at case close, per your written instruction.
Communication Channels
We default to encrypted email and an encrypted file-transfer system for deliverables, with a secure voice line for urgent situations. Where the sensitivity of the matter requires it, we can operate through a dedicated mailbox, a privileged data room, or a paper-first process. Every communication is dated, logged, and preserved.
Initial Consultation Questions
Is the initial consultation free?
Yes. The first scoping call is free. It produces the written scope and budget envelope for Phase 2. You decide at that point whether to proceed with preservation and investigation. There is no obligation to continue after the call.
How quickly can we get a scoping call on the phone?
For active incidents, same business day. Call 919-348-4912 and describe the situation as briefly as you can. The operator will escalate to a forensic examiner on the phone or schedule a callback within hours depending on the urgency. Low-urgency civil or internal matters are scheduled within two business days.
Should I involve outside counsel before the call?
If you already have outside counsel, bring them in. The engagement framework and privilege structure are cleaner when counsel is on the call from the start. If you do not have counsel and the situation may become litigation or regulatory, we recommend having the call immediately anyway and will help you identify the right counsel. We are not a law firm and do not substitute for one.
What if we already ran cleanup and rebooted everything?
Call anyway. We still have Phase 1 conversations with teams who have already taken actions that hurt the case. We often find evidence in places that were not touched: cloud audit logs, firewall logs, backup snapshots, EDR cloud telemetry, mail-trace archives. The scoping call tells us what is still recoverable and what is not.
Do you sign an NDA before the call?
Yes. We sign mutual NDAs on request before the call, and every engagement letter includes confidentiality language. Our entire process is built around confidentiality, including document storage, communication channels, and internal access control on engagement files.
Can you handle international or cross-border incidents?
We handle cases with international elements, especially the crypto and BEC cases where the money trail crosses borders. For matters requiring foreign-jurisdiction local counsel or foreign-law-enforcement coordination, we work through your counsel and through specialist partners. We are a North Carolina-based firm, and we do our best work where we can stay in our area of expertise.
Continue the Investigation Process
Schedule Your Scoping Call
A free 30 to 60 minute call that puts written scope, preservation guidance, and a budget envelope in your hands before any device is touched.