Incident Response First Hour: The Breach Evidence Checklist

Introduction: The First 60 Minutes Decide Everything

When an alert fires and a breach looks real, the clock that matters most is the first one. The incident response first hour is where evidence either survives or quietly disappears. Memory gets overwritten, attackers cover their tracks, a well-meaning admin reboots the box, and the single most important artifact is gone before anyone thought to save it. By the time the formal forensics engagement spins up days later, the question is no longer "what happened?" but "can we still prove it?". This article is a practical, vendor-neutral playbook for SOC and DFIR responders: how to move fast without destroying the proof, and how to freeze each artifact with a hash and a timestamp so it holds up later. For the formal output of this work, see our companion guide on the incident response evidence certificate.

A First-Hour Checklist

Keep the first hour simple and repeatable. Under pressure, a short checklist beats memory every time:

1. Assess scope. Before touching anything, establish what is affected, what is still live, and how far it has spread. Note the wall-clock time and your starting facts.
2. Don't destroy volatile data. Resist the reflex to reboot, power off, or run cleanup. Memory, network connections and running processes vanish the instant a machine resets.
3. Capture before containing, where safe. If isolating or rebuilding a host would erase the proof, acquire the artifacts first — unless the active harm is bad enough that waiting is worse.
4. Hash and timestamp each artifact. The moment a file is captured, compute its cryptographic hash and apply a trusted timestamp so it is frozen to a known value at a known moment.
5. Document who did what. Keep a contemporaneous log of every action, actor and time, so the pack you hand off is defensible rather than disputable.

Order of Volatility, in Brief

Not all evidence dies at the same speed, so collect the most fragile first. In brief, the order of volatility runs from CPU registers and cache, to memory (RAM), to network state and running processes, to temporary files and swap, then to data on disk, and finally to remote logs and archived backups that are comparatively stable. Working top to bottom means you grab what disappears on reboot before you ever touch the durable storage. You don't need a memory-forensics PhD in the first hour — you need to recognise that anything held only in RAM or in a live connection is on borrowed time, and to capture it before any action that would clear it.

Preserve First, Analyze Later

The biggest first-hour trap is the urge to start investigating on the live system. Browsing the attacker's files, opening documents, running tools that write to disk, or logging in to "have a look" all change timestamps and overwrite the very artifacts you need. The discipline is to preserve, not analyze: get clean copies out, hash and timestamp them, and do your digging on the copies. The live host in the first hour is a crime scene, not a workbench. Analysis can wait an hour; the volatile evidence cannot wait a minute. Treat every keystroke on the affected system as something you will later have to explain.

Hand Off a Defensible Evidence Pack

When the first hour ends and the incident escalates to a larger team, legal, or law enforcement, what you hand off matters as much as what you collected. A defensible pack is the captured artifacts plus a cryptographic hash for each one, a trusted timestamp marking when each was frozen, and a contemporaneous log of who did what. That combination lets a later reviewer confirm nothing changed since collection. e-Dex (formerly Hash Calculator) produces the integrity layer of that pack — an evidence certificate listing each artifact's hashes (MD5, SHA-1, SHA-256, SHA-512 and BLAKE3) and an overall MATCH / MISMATCH verification result — so you hand off provable integrity, not just a folder of files. It runs fully offline on your own Windows machine, which matters when you are working on an isolated network during containment.
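The checklist steps above (hash and timestamp on capture, log who did what) and the evidence pack described here can be reduced to a small manifest routine. The following is an added example written for this article, not e-Dex code: it streams each captured file through MD5, SHA-1, SHA-256 and SHA-512 (BLAKE3 is omitted because Python's standard library lacks it), records a UTC timestamp and the collecting responder, and later re-hashes to report MATCH or MISMATCH. The sample artifacts and responder name are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Algorithms available in hashlib; BLAKE3 (also listed on the certificate) needs a third-party module.
ALGOS = ("md5", "sha1", "sha256", "sha512")

def hash_artifact(path, chunk=1 << 20):
    """Hash one captured artifact in a single streaming pass so large images fit in memory."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def record_artifact(manifest, path, actor, note=""):
    """Freeze an artifact the moment it is captured: hashes, UTC time, who collected it, why."""
    entry = {
        "artifact": os.path.basename(path),
        "size": os.path.getsize(path),
        "hashes": hash_artifact(path),
        "frozen_at": datetime.now(timezone.utc).isoformat(),
        "collected_by": actor,
        "note": note,
    }
    manifest.append(entry)
    return entry

def verify_artifact(entry, path):
    """Re-hash at handoff and compare every algorithm against the frozen values."""
    return "MATCH" if hash_artifact(path) == entry["hashes"] else "MISMATCH"

def demo():
    """Constructed scenario: two captures, one of which is altered after it was frozen."""
    work = tempfile.mkdtemp()
    mem = os.path.join(work, "host01-memory.raw")      # stands in for a memory image
    net = os.path.join(work, "host01-netstat.txt")     # stands in for live network state
    with open(mem, "wb") as f:
        f.write(b"\x00constructed memory image\x00" * 1000)
    with open(net, "w") as f:
        f.write("tcp 10.0.0.5:443 ESTABLISHED\n")
    manifest = []
    record_artifact(manifest, mem, "responder-a", "captured before isolation")
    record_artifact(manifest, net, "responder-a", "live network state")
    with open(net, "a") as f:
        f.write("edited after capture\n")             # simulate post-capture tampering
    with open(os.path.join(work, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)               # the integrity layer handed off with the files
    return {e["artifact"]: verify_artifact(e, os.path.join(work, e["artifact"])) for e in manifest}
```

The manifest.json written alongside the artifacts is what a later reviewer re-runs verification against; a single changed byte flips that artifact to MISMATCH.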

Common First-Hour Mistakes

Most lost evidence comes from a handful of avoidable errors. Rebooting or powering off the affected machine "to be safe" wipes memory and live state instantly. Running antivirus cleanup or deleting suspicious files destroys the malware sample you needed to analyze. Investigating on the live system rewrites timestamps and contaminates the scene. Forgetting to hash on collection leaves you unable to prove an artifact is unchanged months later. A lack of contemporaneous notes turns a clean response into a he-said-she-said. And containing before capturing, when capture was safe, throws away recoverable proof. A short checklist and the habit of hashing as you go prevent nearly all of these.

Frequently Asked Questions

Why does the incident response first hour matter so much for evidence?
The first hour matters because the most fragile evidence disappears fastest. Memory, network connections, running processes and temporary files are overwritten by normal activity, and a single reboot or cleanup action can wipe them permanently. Containment steps such as isolating or reimaging a host can also destroy the very artifacts an investigation depends on. Decisions made in the first 60 minutes determine whether you still have provable, unaltered evidence later, so capturing and freezing artifacts early is the difference between a defensible case and a guess.

Should I capture evidence before or after containing a breach?
Where it is safe, capture before you contain. Containment actions like powering off, isolating or rebuilding a host can erase volatile memory and on-disk artifacts that are never recoverable afterwards. If the active harm is severe enough that waiting would cause real damage, contain first and document exactly why. The practical rule is to preserve what you safely can before destructive containment, follow the order of volatility, and hash and timestamp each artifact as you go so nothing collected can be questioned later.

What is the order of volatility in incident response?
The order of volatility ranks evidence by how quickly it disappears, so you collect the most fragile first. In brief, that means CPU registers and cache, then memory (RAM), then network state and running processes, then temporary files and swap, then data on disk, and finally remote logs and archived backups that are comparatively stable. Working top to bottom preserves the artifacts that vanish on reboot before you touch the durable ones. Once each item is captured you hash and timestamp it so its value is fixed.

Does e-Dex need an internet connection to hash and timestamp breach artifacts?
No. e-Dex runs fully offline on your own Windows machine, so hashing captured artifacts and generating the evidence pack all happen locally and your collected files never leave your computer. This matters during an incident when you may be working on an isolated network. The only step that uses the internet is applying an RFC-3161 trusted timestamp from a Time-Stamping Authority, which seals the exact moment each artifact was frozen; you can do that step once connectivity is safe.

What is in a defensible first-hour evidence pack?
A defensible evidence pack contains the captured artifacts, a cryptographic hash for each one, a trusted timestamp marking when each was frozen, and a contemporaneous log of who did what and when. Together these let a later reviewer confirm that nothing changed since collection and that the handling is accounted for. e-Dex produces the integrity layer of that pack — an evidence certificate listing each artifact's hashes and an overall verification result — so the responder can hand off proof of integrity rather than just a folder of files.

Conclusion

The first hour of a breach is short, chaotic, and decisive. You won't solve the case in those 60 minutes, but you can make sure the case is still solvable: assess scope, protect volatile data, capture before you contain where it is safe, hash and timestamp every artifact, and write down who did what. Do that, and the evidence survives the next handoff and the one after it. Build the integrity layer into your first-hour routine with e-Dex, the free, offline Digital Evidence Integrity Suite, and read the full playbook on turning captured artifacts into a court-ready record on our incident response evidence page.