Investigation Overview

The goal of any computer security incident investigation should be to determine whether an incident occurred, and if so, how it was able to occur. Once the investigator has determined that an incident has occurred, the root cause of the incident must be determined. This way, not only can the victim system be patched and appropriately reconfigured, but other systems can also be protected.

How the investigation is conducted is entirely up to the organization. In some cases, the “investigative staff” of the organization may consist of a single administrator or a small group of administrators tasked with providing security expertise in addition to their day-to-day system administration function. Regardless of the size, each ...

Get Windows Forensics and Incident Recovery now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.