Field incident response: the first 90 minutes
Lost, seized or compromised device during travel. Concrete decision tree. Who to call. What you must absolutely not do.
This version was translated with AI assistance and reviewed by a human.
It’s 11pm in Singapore. A CEO has just realized his laptop is no longer in his bag. He calls me in a panic. First question I ask: “Do you remember last seeing it 5 minutes ago or 5 hours ago?” He thinks. Five hours. First rule of incident response: the time elapsed since the incident is as important as the incident itself.
The common trap
“I’ll deal with it when I get back.”
That’s the most dangerous sentence you hear after a field incident. It’s understandable — you’re exhausted, you have a flight in 8 hours, you’re hoping the laptop is just under the taxi seat. But the first 90 minutes after an incident determine the actual extent of the damage. Every minute of delay widens the exposure window: active tokens, open sessions, unrevoked access.
What follows is not theory. It’s a decision tree. Three scenarios, prioritized actions, and what you absolutely must not do.
Scenario A: Lost or stolen device
The first decision to make is not “how do I get it back” — it’s “are my data exposed right now?”
The key question: was the device encrypted AND powered off at the time of the loss?
If yes (encrypted + powered off at the time of loss)
Data urgency is low. An encrypted, powered-off laptop is a block of metal. Decryption keys are not in memory. Without the decryption password, the content is inaccessible — given current attack capabilities, a proper implementation of BitLocker or FileVault holds. You have time to act correctly without panicking.
Priorities in order:
- Trigger a remote wipe if the feature was configured (Find My for Apple, Find My Device for Android, Intune or corporate MDM for managed devices)
- Notify the IT security team so they can activate their infrastructure-side procedure
- File a police report within 24 hours (required for insurance, and necessary to document the incident properly for GDPR purposes)
If no (not encrypted, or powered on and unlocked)
Maximum urgency. Whoever has that device potentially has access to every open session, every password saved in the browser, all synchronized email. There is no time to waste.
Immediate actions — in this exact order, from another device:
- Change the password on your primary email account. This is the recovery account for everything else. If you do only one thing in the first 10 minutes, make it this.
- Revoke all active sessions. Google: Security → Your devices → Sign out all. Apple ID: Settings → your name → each listed device → “Sign Out”. Microsoft: account.microsoft.com → Security → Sign-in activity → close sessions.
- Remote wipe if available and configured. Note: on an unencrypted device, a wipe can technically be bypassed by a skilled attacker before it executes, but it significantly slows down exploitation and reduces the surface.
- Call the IT security team. Not email — call. They need to revoke access on the corporate infrastructure side: VPN, server access, API tokens, business tool access.
- Block the SIM if it’s a phone: call your carrier. A stolen phone can be used to intercept two-factor authentication codes sent by SMS.
- File a police report within 24 hours.
What you don’t do: wait, minimize, “see if it turns up in the morning,” continue using your accounts from another device without having revoked the sessions from the lost device.
Scenario B: Seized device
Seizure by an authority — customs, police, judiciary, administrative services of a foreign country — is fundamentally different from theft. The critical difference: a seizure implies a forensic extraction potentially in progress at this very moment.
A seized device is not just lost. It’s in the hands of people who have the time, the tools, and often the legal authority to exploit it completely. The time buffer is gone: extraction can start within minutes of seizure, using commercial tools like Cellebrite or Oxygen Forensic Detective.
Immediate actions
- Notify the IT security team and the company’s legal counsel immediately. Even if your phone is seized. Memorizing 2 to 3 key numbers before departing on a mission is precisely for this scenario. If you no longer have any device: borrow someone’s phone, use the hotel phone, find a solution. Notification must go out within the first hour.
- Do not attempt to discreetly unlock the device to delete files or wipe data during the seizure. In most jurisdictions, attempting to destroy evidence under duress is a standalone criminal offense, often more serious than the original grounds for the seizure.
- Request a seizure receipt. You have this right in virtually all rule-of-law jurisdictions. This document specifies what was seized, by whom, under what legal authority, and opens your rights to legal recourse. Without this document, you have no legal leverage.
- From another device (or via a trusted contact): revoke corporate access tokens, change passwords on critical accounts, alert IT security for preventive suspension of access.
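What the "infrastructure-side procedure" of Scenario A (lost or stolen) and the token revocation plus preventive suspension of Scenario B (seized) look like from the IT security desk, as an added example that is not part of the article and not Microsoft's own tooling. It assumes an Intune-managed Microsoft 365 fleet and a Graph bearer token already obtained; the user principal name and device ids are placeholders, and the HTTP layer is injectable so the plan can be reviewed offline.

```python
"""Infrastructure-side containment after a lost, stolen or seized device.
Added example, not the article's or Microsoft's code. It calls real Microsoft
Graph operations (revokeSignInSessions, PATCH user, managedDevices/{id}/wipe)
through an injectable HTTP sender, so the plan is testable without a tenant."""
import json, urllib.error, urllib.request
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"

def exposure_hours(last_seen_iso, now_iso=None):
    """Hours the device may have been in someone else's hands ('5 minutes or 5 hours?')."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return (now - datetime.fromisoformat(last_seen_iso)).total_seconds() / 3600

def build_plan(upn, managed_device_ids, wipe=True):
    """Ordered Graph calls. Revoking sessions kills refresh tokens everywhere at
    once, but access tokens already issued stay valid until they expire (up to
    about an hour), so the account is disabled too. Use wipe=False for a seized
    device: wiping under seizure is legal counsel's call, not an automatic step."""
    plan = [
        ("POST", f"{GRAPH}/users/{upn}/revokeSignInSessions", None),
        ("PATCH", f"{GRAPH}/users/{upn}", {"accountEnabled": False}),
    ]
    for dev in (managed_device_ids if wipe else []):
        plan.append(("POST", f"{GRAPH}/deviceManagement/managedDevices/{dev}/wipe",
                     {"keepEnrollmentData": False, "keepUserData": False}))
    return plan

def run_plan(plan, send, clock=None):
    """Run the plan, stop at the first HTTP error (escalate by phone rather than
    continue blind) and return a timestamped log for the incident record."""
    clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
    log = []
    for method, url, body in plan:
        status = send(method, url, body)
        log.append((clock(), method, url, status))
        if status >= 400:
            break
    return log

def graph_sender(bearer_token):
    """Real transport for run_plan: returns the HTTP status instead of raising."""
    def send(method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"})
        try:
            return urllib.request.urlopen(req).status
        except urllib.error.HTTPError as err:
            return err.code
    return send
```

Keep the returned log with the incident: it documents when each revocation happened relative to the exposure window, which is what insurers and the GDPR record will ask for.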
After the return of the device
Even if the device is returned to you “intact,” “sealed,” or “unopened,” treat it as fully compromised. A complete forensic copy can be made in minutes with the right equipment. A software implant may have been installed without your knowledge. The rule is non-negotiable: a seized device never goes back into service without a complete reimage, carried out by IT security or a specialist forensic provider.
What you don’t do: lie to authorities about device contents, attempt to delete data under duress, refuse to sign the seizure receipt (refusal doesn’t protect you and may worsen your situation).
Scenario C: Compromised device
This is the hardest scenario to identify in the field, and potentially the most serious: you still have the device in your hands, it appears to work normally — but it is no longer under your control.
Warning signs
- Abnormal behavior: sudden unexplained sluggishness, spontaneous reboots, apps opening on their own
- Battery draining abnormally fast even without heavy use — a frequent signature of active spyware
- Unknown applications installed without your action, or known apps suddenly requesting unusual permissions
- Unexpected network connections visible in system logs or via a network monitoring app
- Notification received on another device: account access from an unknown device or location
- You left your device unattended, even briefly, in a risk context: unsecured hotel room, borrowed office, VIP airport lounge in a high-tension country
Immediate actions
- Isolate the device from the network immediately. Disable Wi-Fi, mobile data, Bluetooth, NFC. Airplane mode if you’re not sure how to do it otherwise. The goal is to cut communication between the potential implant and its command-and-control (C2) server.
- Do not power off the device if you can avoid it. RAM contains forensic artifacts — active processes, established connections, encryption keys in use — that disappear immediately and permanently on shutdown. These elements are valuable for the subsequent investigation.
- Call the IT security team from another device. Do nothing more on the suspect device.
- Stop using this device for any action whatsoever, even “just checking an email.” If a keylogger is active, everything you type is being transmitted in real time.
After isolation: forensic investigation by a specialist. If compromise is confirmed: complete device reimage, rotation of all passwords and tokens used from this device in the weeks preceding detection.
Real preparation happens before you leave
Everything above assumes you have the right reflexes at the right moment. That doesn’t come naturally when you are stressed, exhausted and alone in a distant time zone. It takes preparation.
Before each mission, especially for risk destinations:
- Memorize 2 to 3 phone numbers. IT security (or CISO), company legal counsel, a trusted close contact. These numbers need to exist in your memory — not just in the phone that was just seized.
- Verify that remote wipe is configured and active on your laptop and phone before leaving. On iOS: Find My → Find My iPhone → enable. On Android: Settings → Security → Find My Device. On managed Windows: verify with IT that Intune is configured for remote wipe.
- Know how to revoke your own sessions. Open the security settings for Google, Apple, Microsoft once, understand where things are, memorize the path. This is not the moment to learn at 11pm under stress.
- Have a minimal second device. Not necessarily a high-end smartphone: a basic travel phone with a local eSIM lets you make emergency calls if your primary device is lost, seized, or compromised.
The mistakes that make everything worse
In order of frequency observed in the field:
- Waiting until you’re back. Eight hours of flight with unrevoked active sessions is 8 hours of total exposure.
- “I’ll see if it turns up.” Even if it does, the incident happened. Physical recovery of the device changes nothing about the potential exposure during the delay.
- Continuing to work from an untrusted device. The hotel business center computer, the personal unmanaged tablet: these devices amplify the risk rather than resolving it.
- Not notifying IT security out of fear of consequences. An undeclared incident is always worse than a declared one. IT security can do nothing without information. And from a liability standpoint, silence can constitute negligence.
- Powering off a compromised device to “stop the attacker.” It’s the opposite: you destroy forensic evidence in RAM, and you don’t stop the attacker who is likely operating from a command server somewhere else in the world.
Checklist
- N1 Know how to revoke Google/Apple/Microsoft sessions from another device
- N2 Have the IT security team number memorized (not just saved in your phone)
- N2 Have a company legal counsel number memorized for risk missions
- N2 Enable Find My / remote wipe before each mission departure
- N2 Verify that disk encryption is active (BitLocker / FileVault)
- N2 Know how to request a seizure receipt in countries visited
- N2 IT security protocol documented and accessible for field incidents
- N3 Second emergency communication device for high-risk missions
- N3 Dedicated clean travel device for high seizure-risk destinations
- N3 Annual blank-run incident procedure test (simulation)