Incident investigation

Attachment: Incident Response Stage 4: Investigation.pdf

Investigation

- Not so much one of the phases
- A process that could extend beyond containment and eradication
- Usually done to answer questions from the business

What was accessed?

- A very common question
- Usually very important to upper management
- Helpful for eradication as well

What is the root cause?

- This question may not be answered right away
- Investigation is a good place to start asking it

What devices and resources are involved?

Investigation data sources

- Logs (host, network, infrastructure, etc.)
- People, through interviews
- Collected drive images, memory dumps and packet captures
- Cloud service provider, if applicable
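The questions above ("what was accessed?", "what devices and resources are involved?") are usually answered by pivoting across the data sources just listed on a shared identifier such as an account name or source IP. The following is an added example, not code from the original notes or their author: it parses two constructed log sources (a host authentication log and a web proxy log), pivots from a suspect account to the hosts and paths it touched, then from that account's source IPs to outbound transfers. All hostnames, users, IPs, paths and timestamps are made-up sample data; the log formats are assumed, not a real product's.

```python
"""Added example (not part of the original notes): pivot across two constructed
log sources to answer "what was accessed?" and "what devices are involved?"
for one suspect account. Every log line below is constructed sample data."""
import re
from datetime import datetime

# Constructed host authentication / file-access log (hypothetical key=value format).
HOST_AUTH_LOG = """\
2024-03-04T09:12:03Z host=fs01 user=jdoe src=10.0.5.23 action=login result=success
2024-03-04T09:15:41Z host=fs01 user=jdoe src=10.0.5.23 action=open path=/finance/q1.xlsx
2024-03-04T09:16:02Z host=fs01 user=jdoe src=10.0.5.23 action=open path=/hr/payroll.csv
2024-03-04T09:20:17Z host=db02 user=jdoe src=10.0.5.23 action=login result=failure
2024-03-04T09:20:25Z host=db02 user=jdoe src=10.0.5.23 action=login result=success
2024-03-04T10:02:09Z host=fs01 user=asmith src=10.0.7.4 action=open path=/eng/readme.txt
"""

# Constructed proxy log: timestamp client_ip destination_host bytes_sent (hypothetical format).
PROXY_LOG = """\
2024-03-04T09:31:55Z 10.0.5.23 files.example-upload.test 52411803
2024-03-04T09:40:10Z 10.0.7.4 intranet.corp.test 1024
"""

AUTH_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+)(?: (?P<rest>.*))?"
)


def _ts(value):
    # Log timestamps are UTC with a trailing Z; make them timezone-aware datetimes.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_auth(log):
    """Parse the host log into dicts; unparseable lines are skipped, not guessed at."""
    events = []
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # Trailing key=value pairs (result=..., path=...) vary by action type.
        for kv in (ev.pop("rest") or "").split():
            k, _, v = kv.partition("=")
            ev[k] = v
        ev["ts"] = _ts(ev["ts"])
        events.append(ev)
    return events


def parse_proxy(log):
    """Parse the proxy log into dicts with an integer byte count."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dest, nbytes = parts
        events.append({"ts": _ts(ts), "src": src, "dest": dest, "bytes": int(nbytes)})
    return events


def investigate(user, auth_log=HOST_AUTH_LOG, proxy_log=PROXY_LOG):
    """Answer the business questions for one account.

    Pivot 1: the account's host events -> accessed paths and hosts it reached.
    Pivot 2: the source IPs seen for the account -> outbound proxy activity
             from those same IPs (a device is 'involved' even if the proxy
             log never mentions the account name)."""
    auth = [e for e in parse_auth(auth_log) if e["user"] == user]
    accessed = sorted({e["path"] for e in auth if e.get("path")})
    # A host counts as reached on a successful login or any file access.
    hosts = {e["host"] for e in auth if e.get("result") == "success" or e.get("path")}
    failed_logins = sum(1 for e in auth if e.get("result") == "failure")
    src_ips = {e["src"] for e in auth}
    outbound = [e for e in parse_proxy(proxy_log) if e["src"] in src_ips]

    # Merge both sources into one chronological timeline for the report.
    timeline = sorted(
        [(e["ts"], f"{e['host']} {e['action']} {e.get('path') or e.get('result', '')}") for e in auth]
        + [(e["ts"], f"{e['src']} -> {e['dest']} ({e['bytes']} bytes)") for e in outbound]
    )
    return {
        "accessed": accessed,
        "devices": sorted(hosts | src_ips),
        "failed_logins": failed_logins,
        "outbound_bytes": sum(e["bytes"] for e in outbound),
        "timeline": [f"{ts.isoformat()} {what}" for ts, what in timeline],
    }


if __name__ == "__main__":
    for line in investigate("jdoe")["timeline"]:
        print(line)
```

The second pivot is the part worth noticing: the proxy log carries no usernames, so the only way to tie the large outbound transfer to the account is through the source IP learned from the host log. That is the same cross-source correlation an analyst does by hand, and it is why the data sources listed above should be collected together rather than one at a time.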

Sharing findings

- Be sure to share with appropriate team members
- Findings might help with other phases of IR
- Do not let investigation interfere with or stop the IR response
