When investigating a virus, what is the first step?

Documenting the incident and preserving evidence up front creates a record of what was observed, when it was observed, which assets were affected, and what logs or artifacts existed at that moment. This establishes a timeline and maintains a defensible chain of custody, both of which are essential for effective analysis, containment decisions, and potential escalation or legal considerations. By capturing the initial state first, you also protect the integrity of the investigation; actions that alter the system can erase clues and complicate later discovery. Why this approach fits best is that it sets a solid foundation for everything that follows—containment, eradication, and recovery—without risking loss of evidence. The other options risk destroying or obscuring artifacts: removing the virus or isolating without documentation can change the system state and mask how the infection occurred, while a full system restore would wipe logs, malware artifacts, and other indicators needed to understand the incident’s scope and lineage.