
💼 Sample Cases

IR Cases 💼

Investigation Tips

Determine the investigation type since it will influence the data you need, the scope, extent and strategy.

⚠️ It’s a very important thing to note in case of IP (intellectual property) cases. Ensure that data and devices of the suspect are IMMEDIATELY preserved and not accessed by anyone. I guess that’s because of the timestamps.

  • What is the case about?
  • What evidence do we expect to recover?
  • Where is the evidence most likely located?
  • What are the legal restrictions?
  • Who is involved and what’s their role?

Develop a plan to collect the data. Each type of data will require a separate plan. This plan should prioritise the sources and the order in which they are collected. For example, if you are dealing with a system that is turned on, first take photos of the screen, then collect the volatile data (RAM), and then make a copy of the hard drive. Then turn it off and send it to the lab in a safety bag. Maintain the chain of custody.

Forensic Cases 💼

In this section I’ll collect all cases I’ve heard or read about. My own cases will be listed under the Blog section.

https://www.youtube.com/watch?v=QiDpGezol0o

https://learning.oreilly.com/videos/digital-forensics-and/9780134693644/9780134693644-DFKL_01_01

https://resources.infosecinstitute.com/topic/computer-forensics-investigation-case-study/

https://thedfirreport.com - many interesting DFIR cases, for example, https://thedfirreport.com/2022/09/26/bumblebee-round-two/.

CTF Walkthroughs