Ransomware Evidence Collection: What to Capture Before You Restore
Introduction: Don't Wipe and Restore First
When ransomware hits, the instinct under pressure is to get the business running again as fast as possible — wipe the infected machines, reimage them and restore from backup. That instinct is dangerous. The moment you wipe, you destroy the artifacts that explain how the attackers got in, what they touched and which strain you are dealing with. Sound ransomware evidence collection takes a short, deliberate window before the restore, and it pays for itself many times over: it protects your insurance claim, your law-enforcement report, your root-cause analysis and even your chance of decrypting data later. This guide is written for IT and incident-response teams who need a practical checklist of what to capture, why and how to preserve it defensibly with e-Dex (formerly Hash Calculator).
What to Capture Before Restoring
Five artifacts matter most, and you want them before anything is reimaged. First, the ransom note in its original file form — not just a screenshot of it, but the actual dropped file, because its filename, contents and embedded identifiers help pin down the strain and the attacker's payment channel. Second, at least one encrypted sample file; pairing an encrypted file with its original (if you have a clean copy in backup) is exactly what a decryptor or analyst needs. Third, the relevant logs — Windows security and system event logs, application logs, firewall and VPN logs, and any endpoint or authentication records that frame the timeline of intrusion. Fourth, the malicious binary itself, if it can be safely isolated, since the sample is often what identifies the family and any known weaknesses. Fifth, screenshots of the on-screen ransom message, the encrypted directories and any unusual processes, captured while the state is still live. Together these five answer the questions every later party will ask.
Why Preserve It at All
Each artifact maps to a concrete need. Your cyber-insurance claim will almost always require proof of what happened, and an insurer that cannot see the evidence may reduce or deny the payout. A report to law enforcement is far stronger when it includes the note, samples and logs rather than a verbal account after everything was wiped. Root-cause analysis depends on the logs and timeline to find the entry point — patch the same hole the attackers used, or they simply come back. And a decryptor for the specific strain may be published weeks or months later; without preserved encrypted samples and the note that identifies the family, you cannot use it. Preservation is not bureaucracy — it is keeping every recovery and accountability option open.
How to Preserve It Safely
Safety and integrity go together. Start by isolating the affected systems from the network so the infection cannot spread while you work: pull the cable or disable the adapter, but do not power the machines off and do not wipe them, because the live state you still need to screenshot (the on-screen note, the encrypted directories, the unusual processes) disappears with the power. As you collect each artifact, compute a cryptographic hash for it with e-Dex and record the value; a hash is a fixed-length fingerprint of the file's exact contents, so a matching hash later proves nothing was altered, and only a hash recorded at the moment of collection, before anyone else touches the file, can prove that. Handle the malicious binary only when it can be contained, ideally on isolated or write-blocked media, and never run it outside a contained environment. Where feasible, take a full disk image of an affected machine, hash the image file as well, and store it on encrypted media as a master copy you never work on directly; all analysis happens on copies, and each copy is checked against the master's hash before use. For a deeper primer on why hashing is the backbone of all of this, see our guide to the incident-response evidence certificate.
Documenting Custody and the Certificate
Hashes prove a file is unchanged; the chain of custody proves who handled it and when. Record, for each artifact, who collected it, from which machine, at what time (in UTC, so entries from different hosts line up), and by what method, and keep that record alongside the recorded hashes. e-Dex then generates an evidence integrity certificate that binds the multi-algorithm hashes to an explicit MATCH / MISMATCH verdict, so an insurer, investigator or court can re-verify any artifact independently. Hashing and certificate generation run fully offline on your own Windows machine, which matters when affected systems are isolated; the only step that needs a connection is the optional RFC-3161 trusted timestamp from a Time-Stamping Authority, which, together with an optional PAdES digital signature, seals the exact moment of collection. If you are still in the opening minutes of the incident, our walkthrough of the first 60 minutes of a breach covers how this fits into the wider response.
Then Restore From a Verified Clean Backup
Only once evidence is preserved should you rebuild. Restore from a backup you have actually verified is clean: confirm its integrity by hash against a known-good baseline, and be certain it predates the compromise so you are not reintroducing the attacker's foothold or a dormant payload. The baseline only means something if its hashes were recorded before the incident, when the backup set was known to be good; a hash taken today proves only that the backup has not changed since today. A backup that silently carries the infection forward turns a recovery into a second incident. Verifying the backup's hashes before you trust it is the same discipline you applied to the evidence, and e-Dex handles both with the identical MATCH / MISMATCH check.
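The three steps above (hash each artifact at collection, record who, where, when and how alongside the hashes, then re-verify with an explicit MATCH / MISMATCH verdict, for the evidence and later for the backup baseline) can be shown end to end in a few dozen lines. The following is an added example written for this page, not e-Dex's own code or format: it builds a manifest of multi-algorithm hashes plus custody fields for constructed sample artifacts in a temporary directory, verifies them, then alters one file to show the verdict flip. The host name, collector and paths are hypothetical.

```python
"""Hash-backed evidence manifest with custody fields (added example, not e-Dex code)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Multi-algorithm: a recorded digest from each must match at verification time.
ALGORITHMS = ("sha256", "sha1")


def hash_file(path, chunk_size=1 << 20):
    """Return {algorithm: hex digest} for the file, streaming so disk images fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_artifact(manifest, path, kind, collector, source_host, method):
    """Append one custody entry: hashes at the moment of collection plus who/where/when/how."""
    entry = {
        "artifact": os.path.basename(path),
        "path": os.path.abspath(path),
        "kind": kind,
        "size_bytes": os.path.getsize(path),
        "hashes": hash_file(path),
        "collected_by": collector,
        "source_host": source_host,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),  # UTC so hosts line up
        "method": method,
    }
    manifest.append(entry)
    return entry


def verify_manifest(manifest):
    """Recompute every hash and return {artifact: 'MATCH' | 'MISMATCH' | 'MISSING'}."""
    verdicts = {}
    for entry in manifest:
        if not os.path.exists(entry["path"]):
            verdicts[entry["artifact"]] = "MISSING"
            continue
        current = hash_file(entry["path"])
        # Every recorded algorithm must agree; a single differing digest is a MISMATCH.
        ok = all(current[a] == entry["hashes"][a] for a in entry["hashes"])
        verdicts[entry["artifact"]] = "MATCH" if ok else "MISMATCH"
    return verdicts


def demo():
    """Run the procedure on constructed artifacts; returns (before, after, manifest_json)."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed stand-ins for the real dropped note and an encrypted file.
        note = os.path.join(workdir, "README_RESTORE.txt")
        sample = os.path.join(workdir, "Q3_forecast.xlsx.locked")
        with open(note, "w") as fh:
            fh.write("Your files are encrypted. Contact us for the key.\n")
        with open(sample, "wb") as fh:
            fh.write(os.urandom(4096))

        manifest = []
        host = "FILESRV-01"  # hypothetical source host
        record_artifact(manifest, note, "ransom note", "J. Doe (IR)", host,
                        "copied from C:\\Users\\Public")
        record_artifact(manifest, sample, "encrypted sample", "J. Doe (IR)", host,
                        "copied from share \\\\FILESRV-01\\finance")

        before = verify_manifest(manifest)  # untouched: every artifact MATCH

        # Simulate a later alteration, e.g. someone "tidying" the note after collection.
        with open(note, "a") as fh:
            fh.write("edited\n")
        after = verify_manifest(manifest)  # note now MISMATCH, sample still MATCH

        # This JSON is what you keep next to the hashes and the certificate.
        manifest_json = json.dumps(manifest, indent=2)
        return before, after, manifest_json


if __name__ == "__main__":
    before, after, _ = demo()
    print("at collection:", before)
    print("after tampering:", after)
```

The clean-backup check of the last section is the same verify_manifest call run against a manifest you recorded for the backup set while it was known-good; if that manifest was only created after the incident, a MATCH tells you nothing about whether the backup predates the compromise.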
Frequently Asked Questions
Why should I collect ransomware evidence before restoring from backup?
Wiping and restoring destroys the artifacts that explain how the attack happened and who may be
responsible. You will almost certainly need that evidence for a cyber-insurance claim, for any report to
law enforcement, and for root-cause analysis so the same entry point is not left open. A decryptor for
the specific strain may also become available later, and without preserved samples you cannot use it.
Spending a short, deliberate window on ransomware evidence collection before restore protects all of
those options.
What ransomware artifacts should I capture first?
Prioritise five things: the ransom note in its original file form, at least one encrypted sample file,
the relevant system, security and application logs, the malicious binary if it can be safely isolated,
and screenshots of the on-screen ransom message and affected directories. Together these let an
investigator identify the strain, reconstruct the timeline and confirm what was encrypted.
How do I preserve ransomware evidence safely without spreading the infection?
Isolate the affected machines from the network first so nothing spreads while you work. Handle the
malicious binary only if it can be safely contained, ideally on isolated or write-blocked media. Compute
a cryptographic hash for each artifact as you collect it, and where feasible take a full disk image and
store it on encrypted media as a master copy you never modify.
Do I need an internet connection to hash and certify ransomware evidence?
No. e-Dex runs fully offline on your own Windows machine, which matters during an incident when affected
systems are isolated. Hashing each artifact, recording the values and generating the evidence integrity
certificate all happen locally, so nothing leaves your control. An internet connection is only needed if
you choose to apply an RFC-3161 trusted timestamp from a Time-Stamping Authority.
How does hashing help prove ransomware evidence was not altered?
A cryptographic hash is a fixed-length fingerprint of a file's exact contents. If you hash each artifact
at the moment of collection and record the value, anyone can later recompute the hash and compare. A
MATCH proves the artifact is byte-for-byte identical to what you captured; a MISMATCH shows it changed.
That gives an insurer, investigator or court a verifiable basis to trust the evidence rather than taking
your word for it.
Conclusion
A ransomware recovery feels like a race, but the few minutes you spend on evidence before you wipe are the minutes that protect everything afterward — the claim, the report, the root-cause fix and the chance to decrypt later. Capture the note, a sample, the logs, the binary and the screenshots; isolate, hash and document; then restore from a backup you have verified is clean. You can produce a defensible, hash-backed evidence integrity certificate for every artifact in minutes, offline, on a single Windows machine. Learn more on our incident-response evidence page and download e-Dex — the Digital Evidence Integrity Suite, free, before the next incident makes the choice for you.