Use your computer fearlessly.




Mission Services Articles Research





business: response, Part 7: Evolution


Incident Response to Data Breach, Part 6: Investigation

by Brent Kirkpatrick

(Date Published: . Revised: 5/1/2018.)



Investigation complements recovery efforts.



Recovering evidence is most properly done last. The chain of custody must be preserved by preventing hacking of the evidence during the investigation. The technical steps taken to contain the hacking are response, not investigation.

Responding to a breach requires blocking the intrusion routes. While this is a technical step, it is done with haste, with little documentation, and often imprecisely. It may sometimes seem as if this technical response is an investigation, but it is not.

A proper investigation uses secured computers. The chain of custody must be well documented and the evidence unhacked during the investigation. If the evidence is hacked, the hackers could plant false evidence. Therefore chain of custody must be established during breach response. Before an investigation.

Your organization has several options for conducting an investigation. If crime was committed, the FBI may conduct an investigation. If credit card data was involved, compliance may require a PCS-DSS investigator. Private investigations can also be conducted.

Many times an investigation is not done, because it is cost-prohibitive to find the trace evidence that may or may not reveal the identities of the hackers. Investigation can involve the use of digital forensics to rigorously obtain evidence of the facts. Log files are examined, after they are secured. Computers are scanned for traces of known exploits. Rarely, first-principles are used to isolate and examine foreign machine code. This last is rare due to the expense and technical skill involved.


Clean-Up. Incident response driven by data.


Business Articles:

Incident Response, Part 1: Planning
Incident Response, Part 2: Response
Incident Response, Part 3: Coordination
Incident Response, Part 4: Strategy
Incident Response, Part 5: Recovery
Incident Response, Part 6: Investigation
Incident Response, Part 7: Evolution

Cascading Data Breaches
Incident Response Plan
Why Clean-Up Hacking?
Rapid Containment of Intrusions













What Is New? | Contact | Tips


© 2015, 2016, 2017, 2018 Intrepid Net Computing. All rights reserved.