Forensics are performed
Forensic analysis is how you answer the questions that matter most after an incident: how did the attacker get in, what did they do once inside, and is there anything left behind? Organizations that skip forensics or perform it carelessly may remediate the visible symptoms of an attack without addressing the root cause, leaving the attacker with a persistent foothold. Forensics also produces the evidence chain required if law enforcement involvement or legal action is ever needed.
Implementation steps
1. Preserve evidence before containment actions destroy it
Forensic evidence is volatile: rebooting a machine clears memory, overwriting files destroys artifacts, and aggressive containment actions can eliminate the very evidence needed to understand what happened. Train responders to capture memory images, take disk snapshots, and collect relevant logs before performing containment actions that might destroy evidence. For cloud infrastructure, take snapshots of affected instances before terminating them.
Tools: CrowdStrike, AWS, GCP, Azure, Velociraptor

2. Conduct timeline reconstruction from available evidence
Forensic analysis centers on timeline reconstruction: when did the attacker first gain access, what did they do and in what order, which systems did they touch, and what data did they access or exfiltrate? Use log data, file system timestamps, memory artifacts, and network flow data to reconstruct the sequence of events. Document the timeline in the incident record. The timeline drives root cause analysis and remediation scope.
Tools: Splunk, Elastic, Velociraptor, Magnet AXIOM, Volatility

3. Identify the root cause and initial access vector
The most important forensic finding is the initial access vector: how did the attacker get in? Was it a phishing email, an unpatched vulnerability, stolen credentials, or a compromised third party? Understanding the initial access vector is essential because it must be closed to prevent re-entry, and it may indicate whether other organizations are at risk from the same attack. Document findings in a post-incident report.
Tools: CrowdStrike, Splunk, Elastic, Velociraptor
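Steps 2 and 3 above, as an added example that is not part of this control page: it normalises events from three constructed evidence sources (a syslog-style auth log, a Common Log Format web access log, and an EDR JSON-lines export) to UTC, tags each entry with the SHA-256 of the file it came from so the timeline stays traceable to preserved evidence, and sorts them so the earliest attacker-attributable entry surfaces as the initial-access candidate. The host name, file names, the log year and the assumption that the host clock runs in UTC are all assumptions made for the example.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample evidence (not real data) from one host, in three timestamp conventions.
AUTH_LOG = """Mar  3 09:14:02 web01 sshd[2211]: Accepted password for deploy from 203.0.113.45 port 51122 ssh2
Mar  3 09:14:30 web01 sudo:   deploy : TTY=pts/0 ; COMMAND=/usr/bin/curl http://203.0.113.45/x.sh
"""
ACCESS_LOG = """203.0.113.45 - - [03/Mar/2024:10:13:40 +0100] "POST /login HTTP/1.1" 200 512
"""
EDR_EVENTS = """{"ts":"2024-03-03T09:16:05Z","event":"process_start","detail":"/bin/sh /tmp/x.sh"}
"""
LOG_YEAR, SYSLOG_TZ = 2024, timezone.utc  # assumptions: syslog has no year/zone; host clock is UTC

def parse_syslog(line):
    """Classic syslog 'Mon dd HH:MM:SS host message': the year and zone must be supplied."""
    m = re.match(r"(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ (.*)", line)
    if not m:
        return None
    mon, day, clock, msg = m.groups()
    ts = datetime.strptime(f"{LOG_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return ts.replace(tzinfo=SYSLOG_TZ), msg

def parse_clf(line):
    """Common Log Format: the bracketed timestamp carries its own UTC offset."""
    m = re.match(r'(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"', line)
    if not m:
        return None
    src, when, req = m.groups()
    return datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z"), f"{req} from {src}"

def parse_jsonl(line):
    """EDR export: one JSON object per line with an ISO 8601 UTC timestamp."""
    ev = json.loads(line)
    return datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")), f"{ev['event']}: {ev['detail']}"
SOURCES = [("auth.log", AUTH_LOG, parse_syslog), ("access.log", ACCESS_LOG, parse_clf), ("edr.jsonl", EDR_EVENTS, parse_jsonl)]

def build_timeline(sources=SOURCES, host="web01"):
    """Normalise every event to UTC, tie it to the preserved file it came from (name + SHA-256), sort."""
    events = []
    for name, text, parser in sources:
        digest = hashlib.sha256(text.encode()).hexdigest()  # fingerprint of the evidence file
        for line in text.splitlines():
            parsed = parser(line)
            if parsed is None:
                continue  # unparseable line: skip rather than guess a time
            ts, msg = parsed
            events.append({"ts": ts.astimezone(timezone.utc), "host": host, "source": name, "sha256": digest, "msg": msg})
    return sorted(events, key=lambda e: e["ts"])  # first entry is the initial-access candidate
```

Note that the web login at 10:13:40 +0100 sorts before the 09:14:02 SSH login only once both are expressed in UTC; comparing raw timestamps across sources would invert the order and point root cause analysis at the wrong event.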
Evidence required
Forensic capability and process documentation
Evidence that forensic capabilities exist and are integrated into incident response procedures.
- Incident response runbook sections defining forensic evidence collection procedures
- EDR or forensic tool deployment confirming forensic capability
- Evidence preservation policy defining when and how to capture artifacts
Forensic analysis records
Evidence that forensic analysis is performed during incidents.
- Post-incident reports containing timeline reconstruction and root cause findings
- Forensic analysis notes from a past incident investigation
- Chain of custody documentation for forensic artifacts from a significant incident
Related controls
- Investigate contributing factors to confirmed incidents (Incident Analysis)
- Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved (Incident Analysis)
- Incident data and metadata are collected, and their integrity and provenance are preserved (Incident Analysis)
- The impact of the incident is understood (Incident Analysis)