
Conclude Forensics Investigation

Learning Objectives

After completing this unit, you’ll be able to:

  • Explain the importance of writing a cyber defense forensics investigation report.
  • List the sections of a cyber defense forensics report.
  • Explain the importance of an after-action meeting.

Write a Cyber Defense Forensics Investigation Report

You’ve transformed information into evidence—now it’s time to turn that knowledge into action in the reporting phase. For example, criminal prosecutors or incident responders can use the information you uncover and document as evidence or for incident mitigation. 

Your role now is to document what transpired during the investigation and communicate the findings of the analysis in a report. The report is an official document of what took place during the investigation, what was uncovered, how it was uncovered, and by whom. As a cyber defense forensics analyst, you detail all actions you took throughout the investigation process including your steps to capture and analyze evidence. 

Sections of a Cyber Defense Forensics Investigation Report

Note

The cyber defense forensics investigation report sections listed below are for you to use as a guide for informational purposes only. You should follow whatever format your organization uses. 

A cyber defense forensics report typically consists of seven sections: executive summary, objectives, evidence, forensics analysis, relevant findings, conclusions, and appendices.

Executive Summary 

The typical audience for the executive summary is executives and managers. Although the executive summary is the first part of the report, you typically write this section last, as a synthesis of the information that is easily digestible by an executive audience. Here are some best practices to keep in mind when you write the report.

  • Summarize the investigation including whether the investigation is currently open or closed and why a forensics investigation was necessary. Note whether a warrant was required.
  • Identify who was involved in the investigation including who authorized it and other investigative parties.
  • List findings and their relevance to the investigation.
  • Conclude with the results and why they matter.

Objectives

Audience: Business owners, forensics investigators, legal counsels, and senior managers

Goals: Outline what tasks the organization asked you to do as part of the investigation. Legal counsel or the decision makers of your organization should have approved these tasks at the beginning of the investigation. Include your hypothesis and the expected outcome of the investigation.

Evidence

Audience: Same as above

Goals: Provide a short description of the evidence in a table or list format containing the descriptive details of the physical items submitted (hard drives, mobile devices, and more). A typical evidence listing may include details such as make, model, serial numbers, description, condition, hash values, and custodian information.

Forensics Analysis

Audience: Legal counsels, systems owners, and investigators

Goals: Detail your interaction with digital evidence and the steps you took to preserve and collect evidence. Summarize what you did, including a description of any tools you used, and how you recovered evidence.

Relevant Findings

Audience: All those involved (business owners, forensics investigators, legal counsels, senior managers, systems owners)

Goals: Report findings in a simple manner, so that they are accessible to both technical and non-technical audiences. Include all artifacts and relevant findings obtained during the analysis portion of the investigation, and link them directly to the objectives and hypothesis of the investigation. Examples include:

  • Specific files related to the initial request for forensics analysis
  • Internet-related evidence (chat records, email, log files)
  • Techniques used to hide data such as encryption or steganography

Conclusions

Audience: All

Goals: Summarize the activities of the investigation. Discuss what happened and who performed which tasks. List significant investigation findings.

Appendices

Audience: Your organization’s legal team, as well as investigators and other forensics analysts, and business system owners

Goals: Include long lists like audit logs and copies of all time-stamped documents, such as the chain of custody. Other documents to include are investigative notes from analysts, screenshots, and relevant artifacts.

Integrate the Investigative Process into the Report

Keep in mind that you should record all activities during an investigation. This will make your task much easier when it’s time to write the report. Document interactions with those requesting the investigation and any steps you take to conduct the investigation. You should document and timestamp every step you take from your initial involvement to the investigation’s conclusion (remember, these documents can be used in a court of law if the organization decides to pursue legal prosecution). 

As you work, enter information tied to each piece of digital media you collect into a tracking database. You should use a database to maintain records regarding the full status of the investigation. This enables you to more efficiently track investigated devices and the tools used to perform the investigation. The tracker should include information on: 

  • Current status of the investigation
  • Detailed list of evidence
  • Correlation data to incidents
  • Actions taken
  • Chain of custody documents
  • Impacted systems
  • Contact information
  • Investigator notes
  • Next steps

Keeping a record of the dates and times that people worked on an incident, including the time needed to recover systems, can also help calculate the costs of damages. Also, handling evidence in a forensically sound manner puts decision makers in a position where they can confidently take the necessary action. Be sure to keep this tracker’s access limited to only authorized personnel and make sure it’s encrypted if possible. 
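The Evidence section above lists the fields an evidence entry carries (make, model, serial number, description, condition, hash value, custodian), and the tracker list adds a time-stamped chain of custody. The following added example, which is not part of the Trailhead module and not a Salesforce tool, shows a minimal in-memory version of such a tracker: it records each item with those fields, hashes the acquired image with SHA-256, logs every hand-off and verification with a timestamp, and renders the evidence table for the report appendix. All device details, names, and image contents are constructed sample data.

```python
"""Minimal evidence tracker for a cyber defense forensics investigation.

Added example (not from the Trailhead module). Each evidence item carries
the descriptive fields the Evidence section lists plus a time-stamped
chain-of-custody log. The tracker can re-verify an image against the
recorded hash and render the evidence listing for the report appendix.
All identifiers and image bytes below are constructed sample data.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class CustodyEntry:
    """One time-stamped action in the chain of custody."""
    timestamp: str
    action: str        # "acquired", "transferred" or "verified"
    handled_by: str
    note: str = ""


@dataclass
class EvidenceItem:
    item_id: str
    make: str
    model: str
    serial: str
    description: str
    condition: str
    sha256: str
    custodian: str
    custody: list[CustodyEntry] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an acquired image; this is the hash value recorded for an item."""
    return hashlib.sha256(data).hexdigest()


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class EvidenceTracker:
    def __init__(self) -> None:
        self.items: dict[str, EvidenceItem] = {}

    def register(self, item_id: str, make: str, model: str, serial: str,
                 description: str, condition: str, image: bytes,
                 custodian: str, when: str | None = None) -> EvidenceItem:
        """Record a newly acquired item and open its chain of custody."""
        item = EvidenceItem(item_id, make, model, serial, description,
                            condition, sha256_hex(image), custodian)
        item.custody.append(CustodyEntry(when or utc_now(), "acquired",
                                         custodian, f"sha256={item.sha256}"))
        self.items[item_id] = item
        return item

    def transfer(self, item_id: str, to: str, when: str | None = None) -> None:
        """Log a hand-off and update the current custodian."""
        item = self.items[item_id]
        item.custody.append(CustodyEntry(when or utc_now(), "transferred", to,
                                         f"from {item.custodian} to {to}"))
        item.custodian = to

    def verify(self, item_id: str, image: bytes, verifier: str,
               when: str | None = None) -> bool:
        """Re-hash a working copy and log the outcome; False means it no longer matches."""
        item = self.items[item_id]
        ok = sha256_hex(image) == item.sha256
        item.custody.append(CustodyEntry(when or utc_now(), "verified", verifier,
                                         "hash match" if ok else "HASH MISMATCH"))
        return ok

    def evidence_table(self) -> str:
        """Render the evidence listing as a text table for the Evidence section."""
        rows = ["| ID | Make | Model | Serial | Condition | SHA-256 | Custodian |",
                "|" + "---|" * 7]
        for it in self.items.values():
            rows.append(f"| {it.item_id} | {it.make} | {it.model} | {it.serial} | "
                        f"{it.condition} | {it.sha256} | {it.custodian} |")
        return "\n".join(rows)

    def custody_log(self, item_id: str) -> str:
        """Render the chain of custody for the appendix."""
        return "\n".join(f"{c.timestamp}  {c.action:<12} {c.handled_by:<16} {c.note}"
                         for c in self.items[item_id].custody)


if __name__ == "__main__":
    tracker = EvidenceTracker()
    image = b"constructed sample disk image bytes"          # constructed
    tracker.register("E-001", "ExampleCo", "SSD-1", "SN-0001",
                     "laptop SSD", "intact", image, "A. Analyst",
                     when="2024-01-01T09:00:00+00:00")
    tracker.verify("E-001", image, "B. Examiner")
    tracker.verify("E-001", image + b"x", "B. Examiner")   # altered copy
    tracker.transfer("E-001", "Evidence Locker")
    print(tracker.evidence_table())
    print(tracker.custody_log("E-001"))
```

The full hash, not a truncated one, belongs in the table so that anyone holding a copy of the image can independently confirm it matches what was acquired. A real tracker would persist these records in an access-controlled, encrypted store, as the paragraph above advises.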

Summarize Conclusions

The report should tell the story of what happened, while providing detailed analysis to back up the facts. In summarizing conclusions, be sure to describe what happened and why the event occurred, including who was involved and when the event happened. Explain in detail the actions the perpetrator took to conceal evidence. 

In supporting your conclusions, be sure to include demonstrative materials, such as figures, graphs, and outputs of tools, as well as supporting documents, such as chain of custody documentation. When an event has two or more plausible explanations, it’s a good idea to give each due consideration in the reporting process. And it’s a best practice to use a methodical approach to attempt to prove or disprove each proposed explanation.

In presenting your conclusions, consider the audience. An incident that involves law enforcement requires highly detailed reports of all information gathered and may also require copies of all evidentiary data obtained. A system administrator might want to see network traffic and related statistics in great detail. Senior management might simply want a high-level overview of what happened, such as a simplified visual representation of how the attack occurred, and an explanation of how to prevent similar incidents. 

In summarizing conclusions, you should also detail what other actions the organization needs to perform, such as forensically examining additional data sources, securing identified vulnerabilities, or improving existing security controls. Finally, you should provide recommendations for improvements to policies, procedures, tools, and other aspects of the forensics process.

Hold an After-Action Meeting

In the after-action meeting, you report on lessons learned and provide a clear review of the entire incident and forensics investigation process. Attendees at the after-action meeting should include: 

  • Cyber defense forensics analysts
  • Incident managers and support staff who worked on the issue
  • Legal counsel
  • Service owner(s) of impacted system(s)
  • Representatives from the business function

In the meeting, review the incident and the forensics investigation. Be sure to cover these topics:

  • The evidence and how you collected it
  • The challenges (if any) of engaging support staff
  • The required escalations
  • The tools available and if they were sufficient to investigate the incident
  • The decisions made during the incident, who made them, and how they reached them
  • The actions you took to reconstruct the events of the incident
  • The gaps in the forensics investigation, if any

[Image: An analyst presents the results of an investigation to other analysts, incident managers, and legal counsel, pointing to a whiteboard with different color sticky notes.]

The results of this discussion are usable for future meetings as a benchmark for comparison, or for training opportunities.

Sum It Up

In this module, you’ve been introduced to preparing for and conducting a cyber defense forensics investigation. You've learned how to identify and preserve evidence during a forensics investigation and what actions are necessary to extract evidence from a computing system in order to understand and reconstruct the event. In addition, you were introduced to writing a cyber defense forensics report and the importance of convening an after-action meeting to capture lessons learned.

Along with the information you reviewed in the Cyber Defense Forensics module, you should now have a better understanding of what it takes to be a cyber defense forensics analyst. Interested in learning more about cybersecurity careers? Head on over to the Cybersecurity Learning Hub to explore other roles and hear from real security practitioners. 
