Start with a compromised instance, take a snapshot, mount it in the lab, and then run a detailed investigation. Containment and remediation were performed at the end.