Incident investigation
Incident Response Stage 4: Investigation
Investigation
  Not so much one of the phases
  A process that may extend beyond containment and eradication
  Usually done to answer questions from the business

What was accessed?
  A very common question
  Usually very important to upper management
  Helpful for eradication as well

What is the root cause?
  This question may not be answered right away
  Investigation is a good place to start asking it

What devices and resources are involved?
Investigation data sources
  Logs (host, network, infrastructure, etc.)
  People, through interviews
  Collected drive images, memory dumps and packet captures
  Cloud service provider, if applicable
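As an added example that is not part of the slide deck: a small Python script that applies the log data source above to two of the questions listed, "What was accessed?" and "What devices and resources are involved?", for one account of interest within the incident window. The log format, hostnames, account names, paths, IP addresses and timestamps are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample log lines (syslog-like: "<utc ts> <host> <program>: <message>").
SAMPLE_LOGS = [
    "2024-03-01T09:12:03Z srv-fs01 sshd: Accepted password for jdoe from 10.0.5.23",
    "2024-03-01T09:14:41Z srv-fs01 auditd: jdoe opened /srv/finance/q1_forecast.xlsx",
    "2024-03-01T09:20:07Z srv-db02 sshd: Accepted password for jdoe from 10.0.5.23",
    "2024-03-01T09:21:10Z srv-db02 sudo: jdoe ran /usr/bin/pg_dump customers",
    "2024-03-01T09:30:00Z srv-fs01 sshd: Accepted password for jdoe2 from 10.0.9.1",
    "2024-03-01T10:02:55Z srv-fs01 sshd: Accepted publickey for alice from 10.0.7.9",
    "2024-03-01T11:30:00Z srv-fs01 auditd: jdoe opened /srv/hr/salaries.csv",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse(lines):
    """Parse log lines into dicts, oldest first; lines not matching the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = _ts(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def scope_for_account(events, account, start, end):
    """Answer 'what was accessed' and 'what devices are involved' for one account
    inside the incident window [start, end] (ISO 8601 UTC strings)."""
    lo, hi = _ts(start), _ts(end)
    acct = re.compile(rf"\b{re.escape(account)}\b")  # whole word, so jdoe != jdoe2
    scope = {"hosts": set(), "source_ips": set(), "resources": [], "timeline": []}
    for e in events:
        if not (lo <= e["ts"] <= hi) or not acct.search(e["msg"]):
            continue
        scope["hosts"].add(e["host"])  # device the account touched
        ip = re.search(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b", e["msg"])
        if ip:
            scope["source_ips"].add(ip.group(1))  # client device to pull into scope
        res = re.search(r"\b(opened|ran) (\S+)", e["msg"])
        if res:
            scope["resources"].append((e["host"], res.group(2)))  # what was accessed
        scope["timeline"].append((e["ts"].isoformat(), e["host"], e["msg"]))
    return scope
```

The returned hosts and client IPs feed the "what devices and resources are involved" answer, and the timeline is the evidence trail to share with the rest of the IR team.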
Sharing findings
  Be sure to share with the appropriate team members
  Findings might help with the other phases of IR
  Do not let this interfere with or stop the IR response