Generate Comprehensive Incident Report

Post-Incident ReviewP2180 min

IR AnalystSwitch roles in the top navigation to see different perspectives.

Compile all evidence, create a final timeline, document IOCs, and write the technical narrative for the comprehensive incident report.

1.Write the technical narrative covering: initial detection, investigation scope, evidence collected, attacker TTPs, impact assessment, containment actions, eradication steps, and recovery.
2.Create the final incident timeline with all key events in chronological order.
3.Compile the IOC appendix: file hashes, IP addresses, domains, email addresses, user agents, and other indicators.
4.Document the evidence inventory with chain of custody references.
5.Prepare executive summary (1-2 pages) and detailed technical report (full length) as separate sections.

Compile all queries used during the investigation for the report appendix.

The incident report should be factual and evidence-based. Avoid speculation and clearly label any assumptions or limitations.
Reports may be shared with legal counsel, regulators, insurance providers, and law enforcement. Write accordingly.

Where to Go Next

Report complete, address remaining improvements

Lessons Learned

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical