TXHunter ondemand agent is designed for post incident invetigation. It is super easy to operate and fast. Login the TXHunter web portal, goto download page, select your organization and download the ondemand agent. It's a simple zip package file. You can unzip it into any folder, and select txhunter.exe, run it as administrator. Let it run for about a few minutes. You can see its progress on web portal, 30%, then 70%, then done. Once it's completed, you can click on View to see the report.
For ransomware infection, click on past run program list, find the ransomware program (process), click on referred files to see what are files are encrypted by the ransomware. Each encrypted file should have some extra extension that ransomware uses to identify them. Those encrypted files usually are your data files. Understand what files have been encrypted is the key step to scope the problem.
TXHunter ondemand agent is deposiabl. After it completes investigation, it will delete itself and leave nothing in your system. It is perfect for one time incident invetigation need, no matter it's a physical computer system or cloud system. It is very light and super fast, and most important it always deliver accurate results.