THE FORENSICS INCIDENT RESPONSE PLAYBOOK
A field guide for business owners, attorneys, and IT leaders facing a suspected breach. What to do in the first 60 minutes, how to preserve evidence for law enforcement and insurance, and when to bring in a Licensed Digital Forensic Examiner. Written by Craig Petronella (DFE #604180), who has worked SIM swap, crypto theft, pig butchering, ransomware, and business email compromise cases for 24 years.
Written for the people who pick up the phone at 2 a.m.
This playbook is built for anyone who just discovered (or suspects) their business, their client, or their family has been attacked. It is not legal advice. It is a practical checklist of steps that preserve your options before the evidence disappears.
The first 60 minutes decide the next 6 months.
Most of the evidence that proves what happened lives in volatile memory, authentication logs, and endpoint telemetry that roll off within hours. The wrong first move destroys it permanently. Here is the short version of what the playbook covers in detail.
First-hour triage checklist (excerpt)
Do, in this order
- Write down the time you noticed and what you saw.
- Isolate affected machines from the network. Unplug the cable or disable Wi-Fi. Leave them powered on.
- Preserve logs before they roll. Email gateway, firewall, EDR, identity provider, cloud audit trail.
- Notify your attorney and your cyberinsurance carrier. The carrier may require a specific incident-response firm.
- Call a licensed forensics team before anyone re-images or restores.
Do not, no matter how tempting
- Power off the affected machine. You lose memory evidence.
- Re-image or factory-reset anything.
- Pay a ransom or contact the attacker directly before counsel is on the line.
- Call the phone number the attacker gave you. It routes to them.
- Post about it publicly before insurance and counsel approve a statement.
What the PDF covers, chapter by chapter.
Every chapter is a real incident class we have worked. Each one ends with a checklist, a list of evidence to preserve, and a short sample of the questions a Licensed Digital Forensic Examiner will ask.
The first 60 minutes after you suspect a breach
A calm, sequenced checklist: isolate, preserve, notify, document. What to touch, what to freeze, and why re-imaging the box is the most expensive mistake in incident response.
SIM swap triage and carrier lockdown
How to recognize an active SIM swap, the exact language to use when you call the carrier fraud line, how to get the port reversed, and the recovery window for bank and exchange notifications before the money moves offshore.
Crypto theft triage and chain tracing
Wallet hygiene after a compromise, how to snapshot transaction history before the attacker drains more, when on-chain analytics can actually help a recovery, and how to pair a forensics report with a civil or law-enforcement referral.
Pig butchering scam response
The fake investment app pattern, how to preserve screenshots and chat logs in a form investigators will accept, how to file with IC3 and state attorneys general, and what realistic recovery looks like versus what the secondary scammers promise.
Ransomware triage and the restore-vs-pay math
How to verify backups are actually restorable before the pressure starts, the decision framework for whether to engage a ransomware negotiator, sanctions and OFAC checks, and what a defensible no-pay decision looks like in writing.
Business email compromise and wire fraud recovery
Forensic email-header analysis, how to identify the inbox rule the attacker planted, the Financial Fraud Kill Chain for wire recall, and what to hand the FBI so the recall request actually moves the money.
Network forensics basics
What packet capture, NetFlow, and log correlation can and cannot prove. How timeline reconstruction works, what insider-threat tracing looks like, and the difference between a report that survives a Daubert challenge and one that does not.
When to bring in a Licensed DFE and expert witness
Chain of custody that holds up in court, Federal Rule of Evidence 902(14) hash verification, expert witness declarations, and how to brief a forensics team so the first hour of billable work is not spent repeating what you already know.
Insurance claim preparation and what cyberinsurance wants
The timeline-of-events format carriers expect, which invoices they reimburse and which they argue about, how to document business interruption, and the evidence a panel counsel will ask for before they authorize forensics spend.
Most firms handle one of these. We handle all of them.
Incident response is fragmented. Data-recovery shops take a disk. Ransomware negotiators handle the negotiation. Crypto tracing firms do chain analytics. Pure law firms advise on disclosure. Petronella Technology Group covers the triage, the forensics, the expert report, and the coordination with counsel and insurance in one engagement.
Few teams cover SIM swap, crypto theft, pig butchering, ransomware, and business email compromise under one roof with a licensed examiner on staff. That is the gap this playbook speaks to.
Craig Petronella founded Petronella Technology Group in 2002 in Raleigh, North Carolina. He holds Digital Forensic Examiner license #604180, is a CMMC Registered Practitioner, and has worked financial-fraud, crypto-theft, SIM-swap, and ransomware cases for law firms, family offices, and small and mid-sized businesses across the Triangle and nationally. He is a Dale Carnegie graduate and has authored books on compliance and cybersecurity for small business.
Petronella Technology Group is a CMMC-AB Registered Provider Organization (RPO #1449), a BBB Accredited business with an A+ rating since 2003, and a PPSB accredited firm. The broader team is CMMC-RP certified. We speak lawyer: chain of custody, discovery prep, expert witness declarations, and Federal Rule of Evidence 902(14) hash verification are part of how we deliver, not an afterthought.
What the playbook teaches about preserving evidence.
Most of the work a forensics team does on day one is recovery of information that the business could have preserved itself if someone had known to try. The playbook is explicit about what to capture, where it lives, and how long you have before it rolls.
Memory and live system state
Running processes, open network connections, decrypted keys in RAM, and malware that lives only in memory. All of it disappears the moment the machine is powered off. The playbook covers when and how to capture a memory image before isolating.
Authentication and identity logs
Microsoft 365 unified audit log, Google Workspace admin log, Okta and Duo sign-in telemetry. Default retention is often only 90 days and some events roll off in 30. Export on day one or they may be gone by the time the legal timeline matters.
Network telemetry
Firewall flow logs, EDR process trees, DNS query logs, VPN session records. Retention is sized for troubleshooting, not for a six-month legal timeline. Preserve early, preserve wide, decide later what you need.
Disk images and mailbox exports
Full forensic disk images with SHA-256 hash verification, full mailbox PST exports including deleted items, and cloud storage snapshots. These are the deliverables that survive a Daubert challenge and that cyberinsurance panel counsel will ask for.
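The hash verification and chain of custody described above (and again in the expert-witness chapter) come down to a repeatable record: hash the source, hash the copy, confirm they match, and log every hand-off so the copy can be re-verified months later. The script below is an added illustration written for this page, not code from the playbook or from Petronella Technology Group; the file names, examiner name and custody notes are constructed placeholders, and the "images" it hashes are small byte strings written to a temporary directory so it runs offline.

```python
"""Evidence preservation manifest: hash an acquisition, record chain-of-custody
entries, and re-verify the copy later. Added example, not the playbook's code."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so large images do not load into RAM


def utc_now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_file(path):
    """Streamed SHA-256 of a file; this is the value FRE 902(14) certifications cite."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source_path, copy_path, examiner, note):
    """Copy source to copy_path, hash both sides, and return a manifest entry.
    The copy is only 'verified' when its hash equals the source hash."""
    source_hash = sha256_file(source_path)
    with open(source_path, "rb") as src, open(copy_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    copy_hash = sha256_file(copy_path)
    return {
        "item": os.path.basename(copy_path),
        "source": source_path,
        "size_bytes": os.path.getsize(copy_path),
        "sha256": source_hash,
        "copy_sha256": copy_hash,
        "verified": source_hash == copy_hash,
        "custody": [  # every hand-off appends here; nothing is ever removed
            {"action": "acquired", "by": examiner, "utc": utc_now(), "note": note}
        ],
    }


def transfer(entry, from_person, to_person, note):
    """Record a custody hand-off; the hash is re-checked at every transfer."""
    entry["custody"].append(
        {"action": "transferred", "from": from_person, "to": to_person,
         "utc": utc_now(), "note": note}
    )
    return entry


def verify(entry, path):
    """True only if the file on disk still matches the hash taken at acquisition."""
    return sha256_file(path) == entry["sha256"]


def write_manifest(entries, path):
    with open(path, "w") as f:
        json.dump({"generated_utc": utc_now(), "items": entries}, f, indent=2)
    return path


def demo():
    """Walk one acquisition end to end on constructed data and return the checks."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "laptop-sda.raw")      # constructed stand-in for a disk
        copy = os.path.join(work, "laptop-sda.E01.raw")     # constructed working copy name
        with open(source, "wb") as f:
            f.write(b"CONSTRUCTED SAMPLE IMAGE BYTES " * 4096)

        entry = acquire(source, copy, examiner="Examiner A (placeholder)",
                        note="Imaged with write blocker in place (constructed note)")
        transfer(entry, "Examiner A (placeholder)", "Evidence locker (placeholder)",
                 "Sealed bag, tamper tape intact (constructed note)")
        manifest = write_manifest([entry], os.path.join(work, "manifest.json"))

        intact = verify(entry, copy)
        # Simulate a single flipped byte on the copy: the hash check must now fail.
        with open(copy, "r+b") as f:
            f.seek(100)
            f.write(b"X")
        tampered = verify(entry, copy)

        return {
            "verified_on_acquire": entry["verified"],
            "verify_intact": intact,
            "verify_after_tamper": tampered,
            "custody_events": len(entry["custody"]),
            "sha256": entry["sha256"],
            "manifest_exists": os.path.exists(manifest),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is the artifact to hand to counsel: the hash in it is what a 902(14) certification references, and the custody list is what an opposing expert will read first. Re-running `verify` against the working copy before analysis starts, and again before the report is signed, is the cheapest way to show the image was never altered.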
The calls you will have to make, and how to make them.
Every incident has a half-dozen decision points where the wrong answer costs real money or real evidence. The playbook gives you a written decision framework for each one so you are not making six-figure calls from memory at 11 p.m.
The frameworks that appear in the PDF
Decision points covered
- Restore from backup or attempt negotiation. The math that decides.
- Engage a ransomware negotiator or run it in-house.
- Notify customers now or wait for counsel. The triggers for each.
- Open the insurance claim now or try to quietly remediate first.
- Involve the FBI, Secret Service, local detective, or all three.
- Attempt a wire recall or pursue civil recovery.
Common mistakes the PDF warns against
- Paying the ransom without running the OFAC sanctions check first.
- Restoring from the only backup before a forensics image is taken.
- Letting a panicked executive call the attacker directly.
- Terminating the compromised user before the audit trail is preserved.
- Publicly disclosing before the disclosure obligations are actually triggered.
- Waiting three days to open the insurance ticket and losing reimbursement.
Straight talk about scope
We are a digital forensics and incident response firm. We are not private investigators, we do not perform physical surveillance, and we do not handle traditional e-discovery document review. Our focus is network forensics, SIM swap, crypto theft, pig butchering scams, ransomware triage, and business email compromise. If your matter is outside that scope, we will tell you on the first call and refer you to a partner in our trusted network.
We also integrate with the wider Petronella cybersecurity and compliance team. If the incident triggers a HIPAA or CMMC breach-response obligation, the same firm that collects the evidence can also run the notification workflow, the regulatory response, and the post-incident remediation.
Free download. No sales call required.
Enter your email to receive the full Forensics Incident Response Playbook as a PDF. If you are actively in an incident, skip the form and call (919) 348-4912. A licensed forensics engineer is on the rotation 24 hours a day.
Questions we get on the first call.
I think I was just breached. Should I read a PDF or call someone?
My bank says the wire was fraudulent. Is it recoverable?
Do I need a licensed examiner or will any IT person do?
What does a forensics engagement actually cost?
Will you work with our attorney or insurance panel?
Can you help if the victim is a family member, not a business?
Quiet, private, and billed by the matter, not by the hour of panic.
A 30-minute confidential call with a licensed examiner. Bring what you have, leave with a clear next-step plan. No obligation, and nothing you say on the call leaves the room.