8.1.1. Evidence Types, Collection, and Chain of Custody
💡 First Principle: Incident response is a lifecycle, not a checklist. Each phase has specific objectives and produces outputs that the next phase depends on. Skipping or rushing phases creates compounding problems: inadequate preparation means poor detection; poor detection means late containment; late containment means wider eradication scope; incomplete eradication means reinfection.
NIST SP 800-61 Incident Response Lifecycle (4 phases):
Phase 1 — Preparation:
- Develop and maintain the IR plan (roles, escalation paths, communication procedures, legal contacts)
- Form and train the Incident Response Team (IRT): security analysts, forensic specialists, legal, communications, business unit liaisons
- Deploy detection and response tooling: SIEM, EDR, forensic workstations, evidence storage
- Define incident categories and severity levels with escalation thresholds
- Establish relationships with external resources: law enforcement contacts, forensic firms, cyber insurance carrier, legal counsel
- Conduct tabletop exercises to test the plan before a real incident
Phase 2 — Detection and Analysis:
- Identify the incident through alerts, user reports, threat intelligence, or anomaly detection
- Confirm it is a real incident (not a false positive) and determine initial scope
- Classify severity and activate appropriate response team and resources
- Begin evidence collection and timeline reconstruction — but do not alter systems before forensic preservation
- Escalation criteria: what triggers moving from Tier 1 analyst → Tier 2 → IR team → executive notification?
Incident classification examples:
| Category | Examples | Severity |
|---|---|---|
| Ransomware | Systems encrypted; ransom note present | Critical |
| Data breach | PII exfiltrated or confirmed exposed | High-Critical |
| Malware infection | Single endpoint; no lateral movement | Medium |
| Insider threat | Unauthorized data access by employee | High |
| DDoS | Availability impact; no data compromise | Medium-High |
| Phishing | Email delivered; no user interaction | Low |
| Phishing with compromise | User clicked; credentials entered | High |
Phase 3 — Containment, Eradication, and Recovery:
Containment — stop the spread without destroying evidence:
- Short-term containment: isolate affected systems (network quarantine, segment isolation)
- Evidence preservation: forensic image before any remediation actions
- Long-term containment: implement workarounds to maintain business operations during investigation
Eradication — remove the threat:
- Remove malware, close backdoors, delete attacker accounts
- Patch vulnerabilities exploited during the incident
- Address the root cause (not just the symptom)
Recovery — restore to normal operations:
- Restore systems from clean backups or rebuild from known-good images
- Monitor closely for re-compromise during the recovery window
- Verify system integrity before returning to production
Phase 4 — Post-Incident Activity:
- Conduct a lessons-learned meeting (within 2 weeks of incident closure, while memory is fresh)
- Document: what happened, what the IR team did well, what they did poorly, what would be done differently
- Update IR plan, playbooks, detection rules, and preventive controls based on findings
- Produce incident report for management, legal, and regulatory notification if required
Key IR plan components:
- Mission and scope
- Roles and responsibilities (who does what, who has authority to take systems offline)
- Communication plan (internal escalation, external notification, media response)
- Incident classification and severity matrix
- Evidence handling procedures
- Legal and regulatory notification requirements and timelines
- Contact list (law enforcement, forensic vendor, legal counsel, insurance carrier)
- Recovery procedures and BCP/DR coordination
⚠️ Exam Trap: The order of operations in Phase 3 is critical on the exam. Correct sequence: CONTAIN (stop spread) → PRESERVE EVIDENCE (forensic image) → ERADICATE (remove threat) → RECOVER (restore operations). Many questions present an incorrect sequence as a distractor. Also: life safety always precedes asset protection — if the incident involves physical safety (e.g., ICS/SCADA attack affecting safety systems), human safety comes before evidence preservation or system isolation.
Reflection Question: At 2 AM, a SOC analyst detects that 15 servers are encrypting files and communicating with an external IP. The analyst's instinct is to immediately shut down all affected servers to stop the encryption. What is wrong with this immediate reaction, what is the correct first action, and what sequence of steps should the analyst follow over the next 60 minutes?
