Skip to main content

Cornell University

Protect Evidence of a Possible Data Compromise

If you believe your computer or file server has been compromised, take steps to protect evidence.

This article applies to: Security & Policy

On This Page

If you haven't already reported the incident, do so now. Work with technical support to contain the system (as outlined below) while you gather and provide incident details to the IT Security Office.

Do not

  • Scan the system with antivirus software.
  • Attempt to clean off any malicious software.
  • Run a backup.

Doing so can destroy relevant forensics data and hamper investigations.  

Contain the System Immediately

If possible:

  • Keep the system running with the malware running in the state it was when detected.
  • Remove the system from the network (unplug ethernet cords and turn off Wi-Fi).
  • *Only when directed to do so by an IT security liaison or staff,* turn off and physically isolate the system (if it is a desktop system, remove it from the work environment and put it in a secure area).

If IT Security detects a security problem on your computer before you are aware of it:

  • Your network access may be restricted.
  • Both you and your department’s technical support staff will receive an email notification.
  • Your web browser may redirect you to an online version of the notification.

If critical university business prevents you from removing the system completely from the network, it should be isolated as much as possible. Work with the IT Security Office to restrict access to the system to the local subnet or in such a way that university business can be performed while still protecting other areas of campus and the data held on the system.


To share feedback about this page or request support, log in with your NetID

At Cornell we value your privacy. To view
our university's privacy practices, including
information use and third parties, visit University Privacy.