Online Courses
Cyber Incident Response

Incident investigation


Last updated 9 months ago

Investigation

  • Not so much one of the phases
  • A process that could extend beyond containment and eradication
  • Usually done to answer questions from the business

What was accessed?

  • A very common question
  • Usually very important to upper management
  • Helpful for eradication as well

What is the root cause?

  • This question may not be answered right away
  • A good place to start asking it
    • What devices and resources are involved?

Investigation data sources

  • Logs (host, network, infrastructure, etc.)
  • People, through interviews
  • Collected drive images, memory dumps and packet captures
  • Cloud service provider, if applicable
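The questions above ("What was accessed?", "What devices and resources are involved?") are usually answered by pulling events from several of these data sources into one timeline. The following is an added example, not material from the course: it parses a few constructed host authentication log lines and a constructed firewall/proxy CSV (the formats, hostnames, accounts and addresses are all invented samples), merges them into a single time-ordered list, and then answers those two questions for a chosen account and a pivot source address. The function names (`parse_host_log`, `build_timeline`, `accessed_hosts`, `involved_devices`, `privileged_actions`) are this example's own.

```python
"""Added example (not from the course): correlate host and network logs into
one per-account / per-address timeline for an incident investigation."""
import csv
import io
import re
from datetime import datetime

# Constructed sample log data. Formats are simplified versions of a Linux
# auth log and a generic firewall/proxy CSV export; nothing here is real.
HOST_AUTH_LOG = """\
2024-03-01T09:12:03Z srv-db01 sshd: Accepted password for jdoe from 10.0.5.23 port 51022
2024-03-01T09:14:40Z srv-db01 sudo: jdoe : COMMAND=/usr/bin/cat /etc/shadow
2024-03-01T09:20:11Z srv-file02 sshd: Accepted publickey for jdoe from 10.0.5.23 port 51100
2024-03-01T09:21:02Z srv-file02 sshd: Failed password for root from 10.0.5.23 port 51104
"""

NETWORK_LOG = """\
ts,src_ip,dst_ip,dst_port,action
2024-03-01T09:11:58Z,10.0.5.23,10.0.1.10,22,allow
2024-03-01T09:20:05Z,10.0.5.23,10.0.1.11,22,allow
2024-03-01T09:25:30Z,10.0.5.23,203.0.113.9,443,allow
"""

AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+): (?P<msg>.*)$")
SSH_RE = re.compile(r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"(?P<user>\S+) : COMMAND=(?P<cmd>.+)$")


def _ts(text):
    # ISO-8601 with a trailing Z -> timezone-aware datetime (UTC)
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_host_log(text):
    """Turn sshd/sudo lines into normalised events (ts, host, user, src_ip, action)."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # skip lines we do not understand rather than fail the run
        if m["proc"] == "sshd" and (s := SSH_RE.search(m["msg"])):
            events.append({"ts": _ts(m["ts"]), "source": "host", "host": m["host"],
                           "user": s["user"], "src_ip": s["src"],
                           "action": f"ssh {s['result'].lower()} ({s['method']})"})
        elif m["proc"] == "sudo" and (s := SUDO_RE.search(m["msg"])):
            events.append({"ts": _ts(m["ts"]), "source": "host", "host": m["host"],
                           "user": s["user"], "src_ip": None,
                           "action": f"sudo {s['cmd']}"})
    return events


def parse_network_log(text):
    """Turn firewall/proxy CSV rows into the same normalised event shape."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({"ts": _ts(row["ts"]), "source": "network", "host": row["dst_ip"],
                       "user": None, "src_ip": row["src_ip"],
                       "action": f"{row['action']} tcp/{row['dst_port']}"})
    return events


def build_timeline(events, user=None, src_ip=None):
    """Merge events from every source into one time-ordered list, optionally
    filtered to an account and/or a source address (the investigation pivots)."""
    selected = [e for e in events
                if (user is None or e["user"] == user)
                and (src_ip is None or e["src_ip"] == src_ip)]
    return sorted(selected, key=lambda e: e["ts"])


def accessed_hosts(events, user):
    """'What was accessed?': hosts where the account authenticated successfully."""
    return sorted({e["host"] for e in events
                   if e["user"] == user and e["action"].startswith("ssh accepted")})


def involved_devices(events, src_ip):
    """'What devices are involved?': every host or IP the pivot address touched."""
    return sorted({e["host"] for e in events if e["src_ip"] == src_ip})


def privileged_actions(events, user):
    """Privilege use by the account, useful input for eradication scoping."""
    return [e for e in events if e["user"] == user and e["action"].startswith("sudo")]


ALL_EVENTS = parse_host_log(HOST_AUTH_LOG) + parse_network_log(NETWORK_LOG)

if __name__ == "__main__":
    for e in build_timeline(ALL_EVENTS, src_ip="10.0.5.23"):
        print(e["ts"].isoformat(), e["source"], e["host"], e["user"] or "-", e["action"])
    print("accessed by jdoe:", accessed_hosts(ALL_EVENTS, "jdoe"))
    print("devices touched from 10.0.5.23:", involved_devices(ALL_EVENTS, "10.0.5.23"))
    print("privileged actions by jdoe:", [e["action"] for e in privileged_actions(ALL_EVENTS, "jdoe")])
```

The design point is the normalised event shape: once every source (host, network, cloud provider export, interview notes with a timestamp) is reduced to the same fields, the same pivot functions answer the business questions regardless of where the evidence came from, and the timeline can be extended as containment and eradication surface new devices.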

Sharing findings

  • Be sure to share with the appropriate team members
  • Findings might help with other phases of IR
  • Do not let this interfere with or stop the response

Attachment: Incident Response Stage 4: Investigation.pdf (7MB)