Types of incident investigation analysis
Digital investigations are not all the same. How far a Computer Security Incident Response Team (CSIRT) takes an investigation before stopping depends on the time allowed, the type of incident, and the overall goal of the investigation. It makes no sense for two or three CSIRT analysts to spend a full day investigating a small-scale malware outbreak. On the other hand, a network intrusion in which the adversary has been in the network for three months will require a much more detailed examination of the evidence to determine how the adversary was able to gain access, what information they aggregated and exfiltrated, and what the impact on the organization has been.
The result is that there are several different types of incident investigations conducted by various individuals within an organization. Figure 4.2 shows the five layers and the personnel involved, along with the corresponding time and the necessary investigative resources...