akde/infosec

Information security is ultimately about managing risk


If the system is powered off:

  • Create an image of all storage devices (read-only access, e.g. through a write blocker) and hash both the source and the image.
    • If encrypted: Try to get the (backup) encryption keys and make an image of the decrypted volume too, in addition to the raw image.
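Worked example of the imaging step, added here and not part of the original checklist: image a device with dd, hash source and image independently, and write a manifest next to the image. The device path (/dev/sdb), the output directory (/evidence), the case label and the mapping name are assumptions; the demo at the end runs against a constructed 1 MiB file standing in for a device.

```shell
#!/bin/sh
# Added example (not from the original page): image a storage device with dd,
# hash source and image separately, and record both hashes in a manifest.
# /dev/sdb, /evidence and the label "sdb" below are assumptions.

sha256_of() {
    # sha256sum is coreutils (Linux); shasum is the macOS/BSD fallback
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

image_device() {
    # usage: image_device <source device or file> <output dir> <case label>
    src="$1"; outdir="$2"; label="$3"
    mkdir -p "$outdir" || return 1
    img="$outdir/$label.dd"

    # The source is only ever opened for reading (if=); a real device should
    # additionally sit behind a write blocker. conv=noerror,sync keeps reading
    # past unreadable sectors and zero-pads them so offsets stay aligned;
    # bs=512 matches a classic sector size (use bs=4096 for 4Kn drives).
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$outdir/$label.dd.log" || return 1

    # Hash source and image separately and compare. On a device with read
    # errors the source hash is not reproducible, so keep the dd log as well.
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    {
        echo "case=$label"
        echo "source=$src"
        echo "image=$img"
        echo "acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "sha256_source=$src_hash"
        echo "sha256_image=$img_hash"
    } >"$outdir/$label.manifest"
    [ "$src_hash" = "$img_hash" ]
}

# Encrypted volume (LUKS): image the raw partition first, then open it
# read-only with the recovered key and image the plaintext mapping as well:
#   image_device /dev/sdb1 /evidence sdb1_raw
#   cryptsetup open --readonly /dev/sdb1 evidence_plain
#   image_device /dev/mapper/evidence_plain /evidence sdb1_plain
#   cryptsetup close evidence_plain

# Demo on a constructed 1 MiB file (2048 sectors, so dd adds no padding);
# in the field the first argument would be the device, e.g. /dev/sdb.
DEMO_SRC=$(mktemp)
dd if=/dev/urandom of="$DEMO_SRC" bs=512 count=2048 2>/dev/null
DEMO_OUT=$(mktemp -d)
if image_device "$DEMO_SRC" "$DEMO_OUT" demo; then
    echo "image verified, manifest: $DEMO_OUT/demo.manifest"
else
    echo "hash mismatch or read error, see $DEMO_OUT/demo.dd.log" >&2
fi
```

The manifest is what later lets you show that the image analysed is the one taken: anyone can recompute the SHA-256 of the .dd file and compare it with the recorded value. Note that conv=noerror,sync pads a source whose size is not a multiple of bs, so the source and image hashes only match for sector-aligned sources such as whole devices.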

If the system is active:

  • Perform live analysis (order of volatility: memory first, then network state, then processes, then disk).
  • Perform a memory dump, if possible.
  • Perform network analysis, if possible.
    • On another network device (span port, tap).
    • Or with Wireshark/tcpdump on the host.
    • Or at least some network commands, e.g. lsof -i, netstat, …
  • Check whether the hard drive can still be analysed after shutdown (full-disk encryption, remote or ephemeral storage).
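Worked example of the live-analysis step, added here and not part of the original checklist: collect volatile state from a running Linux host in order of volatility, one output file per command plus a run log and a hash manifest. The output directory (/evidence/live) is an assumption, and tools that are not installed are recorded as missing instead of aborting the run, so the same script can be dropped onto an unknown box.

```shell
#!/bin/sh
# Added example (not from the original page): volatile data collection on a
# live Linux host. /evidence/live is an assumed output directory; the demo at
# the end writes to a temporary directory instead.

capture() {
    # capture <outdir> <seq> <name> <command...>
    # Writes the command's stdout+stderr to <seq>_<name>.txt and logs the exit
    # status, so an empty result and a failed command stay distinguishable.
    outdir="$1"; seq="$2"; name="$3"; shift 3
    out="$outdir/${seq}_${name}.txt"
    if command -v "$1" >/dev/null 2>&1; then
        if "$@" >"$out" 2>&1; then rc=0; else rc=$?; fi
        echo "$seq $name rc=$rc cmd=$*" >>"$outdir/run.log"
    else
        echo "$seq $name MISSING cmd=$*" >>"$outdir/run.log"
    fi
}

collect_volatile() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    : >"$outdir/run.log"
    echo "start_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ) host=$(uname -n)" >>"$outdir/run.log"

    # 1. Memory, if a dumper is available (both write an image to a path):
    #      avml "$outdir/memory.lime"
    #      insmod lime.ko "path=$outdir/memory.lime format=lime"
    # 2. Network state, before anything we do changes it
    capture "$outdir" 01 ss        ss -tunap
    capture "$outdir" 02 netstat   netstat -tunap
    capture "$outdir" 03 lsof_net  lsof -i -P -n
    capture "$outdir" 04 ip_addr   ip addr
    capture "$outdir" 05 ip_neigh  ip neigh
    capture "$outdir" 06 ip_route  ip route
    # 3. Processes, sessions, uptime, mounts, kernel modules, persistence
    capture "$outdir" 07 ps        ps auxww
    capture "$outdir" 08 who       who -a
    capture "$outdir" 09 uptime    uptime
    capture "$outdir" 10 mounts    cat /proc/mounts
    capture "$outdir" 11 modules   cat /proc/modules
    capture "$outdir" 12 cron      ls -la /etc/cron.d /var/spool/cron

    # 4. Hash everything collected so it can later be shown to be unchanged.
    ( cd "$outdir" && if command -v sha256sum >/dev/null 2>&1; then
          sha256sum *.txt; else shasum -a 256 *.txt; fi ) >"$outdir/manifest.sha256"
    echo "end_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >>"$outdir/run.log"
}

# Demo into a temporary directory; in the field: collect_volatile /evidence/live
LIVE_OUT=$(mktemp -d)
collect_volatile "$LIVE_OUT" && echo "collected into $LIVE_OUT, see run.log"
```

Run it as root (sockets and processes of other users are otherwise hidden) from a trusted copy of the binaries where possible, and write to external or network storage rather than the suspect disk, since every file written on it overwrites unallocated space that may hold deleted evidence. run.log doubles as the acquisition notes: it records what was run, when, and which tools were missing.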

If the system is a VM:

  • Determine the hypervisor.
  • Create a snapshot
    • of the hard drive
    • of RAM/memory, if possible
  • Export data/snapshots (not just the last one!)

Other systems:

  • If other network devices are logging something (firewalls, proxies), store/save/lock it.
  • If there is a SIEM, store/save/lock the data from it.
  • If there is a central logging server, store/save/lock the data.

Questions:

  • How could I conclude that there was no incident?
  • How should I prioritize?
  • What are the indicators of compromise (IOC) I should look for?
