Incident investigation
Last updated
Not so much one of the phases
A process that could extend beyond containment and eradication
Usually done to answer questions from the business
A very common question
Usually very important to upper management
Helpful for eradication as well
This question may not be answered right away
A good place to start asking it
What devices and resources are involved?
Logs (host, network, infrastructure, etc.)
People through interviews
Collected drive images, memory dumps and packet captures
Cloud service provider if applicable
Be sure to share findings with the appropriate team members
Findings might help with phases of IR
Do not let the investigation interfere with or stop the incident response