8.1. Digital Forensics and Investigations
💡 First Principle: An incident is a security event that compromises the confidentiality, integrity, or availability of information assets. Incident response is the structured process for detecting, containing, eradicating, and recovering from incidents — and learning from them to prevent recurrence. Without a defined process, responses are reactive, inconsistent, and typically make the situation worse (destroying evidence, escalating impact, missing containment windows).
The cost of an incident is not fixed — it is highly dependent on how quickly and effectively the organization responds. Dwell time (time from initial compromise to detection) is the single most impactful metric: attackers who have been inside the network for weeks have had time to exfiltrate data, establish persistence, and pivot to multiple systems. Effective detection and rapid containment compress dwell time.
Why this matters: The IR lifecycle phases and their correct sequence are directly tested. "Lessons learned" happens AFTER recovery, not during. Containment happens BEFORE eradication. Evidence preservation happens BEFORE remediation actions that might alter the system state.
⚠️ Common Misconception: "Eradicating the threat should be the first priority." Eradication before containment spreads the damage. If malware is communicating with a command-and-control server and you begin eradicating it on system A before containing the network, the attacker may have already pivoted to systems B, C, and D. Contain first (stop the bleeding), then eradicate (remove the threat), then recover (restore operations).
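As an added illustration (not from the study guide), the Python below encodes the phase ordering the text stresses and the dwell-time metric, and runs them over a constructed incident timeline; the phase names, the timeline entries and the "|"-separated format are assumptions made for the example.

```python
from datetime import datetime

# Constructed incident timeline (example data, not a real case):
# "ISO-timestamp|phase|note", one event per line.
TIMELINE = """\
2024-03-01T02:15:00|compromise|phishing payload executed on WS-17
2024-03-19T09:40:00|detection|EDR alert: beaconing from WS-17
2024-03-19T10:05:00|preserve_evidence|memory and disk images of WS-17 captured
2024-03-19T10:30:00|containment|WS-17 isolated, C2 domain sinkholed
2024-03-19T14:00:00|eradication|malware removed, persistence cleared
2024-03-20T08:00:00|recovery|WS-17 reimaged and returned to service
2024-03-27T15:00:00|lessons_learned|post-incident review held
"""

# Ordering rules from the lifecycle: each phase must be preceded by the
# phases listed for it. Eradication and recovery alter system state, so
# evidence preservation must come before both (assumed phase names).
MUST_FOLLOW = {
    "eradication": ["containment", "preserve_evidence"],
    "recovery": ["eradication", "preserve_evidence"],
    "lessons_learned": ["recovery"],
}

def parse_timeline(text):
    """Parse the constructed format into (timestamp, phase, note), sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, phase, note = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), phase, note))
    return sorted(events)

def first_time(events, phase):
    """Timestamp of the first event in the given phase, or None if absent."""
    return next((ts for ts, p, _ in events if p == phase), None)

def metrics(events):
    """Dwell time (compromise -> detection) and time to contain (detection -> containment)."""
    return {
        "dwell_time": first_time(events, "detection") - first_time(events, "compromise"),
        "time_to_contain": first_time(events, "containment") - first_time(events, "detection"),
    }

def ordering_violations(events):
    """Return a description of every lifecycle ordering rule the timeline breaks."""
    violations = []
    for phase, prereqs in MUST_FOLLOW.items():
        when = first_time(events, phase)
        if when is None:
            continue
        for pre in prereqs:
            pre_when = first_time(events, pre)
            if pre_when is None or pre_when > when:
                violations.append(f"{phase} recorded before {pre}")
    return violations
```

Swapping the containment and eradication lines in the timeline reproduces the misconception above, and ordering_violations reports it.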