Skip to the main content.

1 min read

The Ninth Step to Forensic Readiness: Incident response documents and reporting

Featured Image

The purpose of an investigation is never just to find the source of damage and place a quick repair. An investigation is in place to find out how it happened, document it, and fix those circumstances so they don’t occur again.

The main idea behind this step is to apply event reconstruction to determine and analyze who was responsible for the event, the time and place of the events, a list of all stakeholders involved in the incident management team, and which steps have been taken to resolve the incident. 

“The questions go along the lines of who, what, why, when, where and how” [Endorf 2003]. According to IJDE, the following are possible components of a case file;

  • Incident description – what happened? How was it detected?

  • The hypothesis –how was the incident caused? Has the perpetrator been identified? Located?

  • The evidence – includes the location of appropriate digital records, paper files, details of interviews, signed witness statements, physical evidence, etc.

  • The argument – shows that the evidence ‘proves’ the hypothesis 

  • The impact: damage or potential damage to the organization – including any evidence to support the damage assessment. 


DFIR Guide

Download our DFIR Guide and learn more how you can elevate your incident response processes.


Revealing the “big picture”

In order to see how the event unfolded, event reconstruction can involve the timeline analysis of the event (time and sequence), human factor analysis (list of all stakeholders who were involved from the moment the incident occured), and infrastructure analysis (assessment of system and devices).

Before starting event reconstruction, the analysis team sets a hypothesis concerning the case and performs all following event reconstruction steps to prove or disprove the working hypothesis. The results of the analysis are documented in a report. The report should be stored in a secure place with implemented access control just as is the case with digital evidence as well.

This is the essential framework the report should include:

  • Honest and precise documentation

  • Visual representation (figures, graphs, images)

  • Supporting documentation (chain of custody, digital evidence list)

  • Detailed explanation of used methods

  • Stated errors or uncertainties

  • Limitations of finding (if present)

If the event reconstruction team finds any loopholes in the investigation process they should be highlighted and presented as an opportunity to improve the security posture of the organization by fixing those security holes.