First Response & Evidence Handling

Welcome to Day 02 of the Incident Management series. This interactive playbook translates the critical theories of cybersecurity first response into actionable steps. The overarching principle of this module is simple but unforgiving: The first hour decides everything. Explore the sections to understand how to preserve evidence, establish legal defensibility, and avoid catastrophic contamination.

The Core Philosophy

  • Bad Response: No clean evidence, ruined timeline, no regulatory defence.
  • Good Response: Chain of custody, reproducible analysis, court-admissible record.
Goal: Preserve, do not investigate. Tools change every two years; first-hour discipline does not.

Five Pillars of Defensibility

1. Triage
2. Chain of Custody
3. Order of Volatility
4. Documentation
5. Roles & Responsibilities

Lesson 1: The Triage Model

This section covers the immediate steps required upon detecting an incident signal. The goal is to decide within minutes whether a signal is real and to determine its scope. The 6-step flow below sets out the distinct actions required at each stage. Remember: the first ten minutes are about observing and preserving, not fixing.

Step 1: Verify the signal

Is it real?

  • An alert is a hypothesis, not a fact.
  • Cross-check at least two independent sources (e.g., SIEM + EDR, or direct observation).
  • False-positive triage saves the rest of the response from being wasted.
  • Never ignore a verified second source.
Key Takeaway: No incident is declared on a single signal alone.
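The two-source rule above can be enforced mechanically before anyone declares an incident. The following is an added example, not code from the original playbook: it groups alerts by host and reports a host as verified only when at least two distinct telemetry sources fire within a short window. The alert records, host names, source names and the 30-minute window are all constructed for illustration.

```python
"""Added example (not part of the original playbook): corroborating an incident
signal from at least two independent sources before it is treated as real."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample alerts from three independent telemetry sources.
SAMPLE_ALERTS = [
    {"source": "SIEM", "host": "SRV-DB-01", "time": "2026-04-25T14:30:10Z", "detail": "ssh brute force"},
    {"source": "EDR", "host": "SRV-DB-01", "time": "2026-04-25T14:32:01Z", "detail": "odd child of sshd"},
    {"source": "SIEM", "host": "WS-0042", "time": "2026-04-25T14:31:00Z", "detail": "AV signature hit"},
    {"source": "SIEM", "host": "WS-0042", "time": "2026-04-25T14:31:30Z", "detail": "AV signature hit again"},
    {"source": "EDR", "host": "WS-0099", "time": "2026-04-25T09:00:00Z", "detail": "lsass access"},
    {"source": "NetFlow", "host": "WS-0099", "time": "2026-04-25T14:40:00Z", "detail": "beacon to rare domain"},
]


def parse_utc(ts):
    """Timestamps are expected in UTC ISO 8601 form ending in Z, as the playbook requires."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def corroborate(alerts, window=timedelta(minutes=30), min_sources=2):
    """Return {host: [sources]} for hosts whose signal is backed by at least
    min_sources distinct sources inside one sliding window of length `window`.

    Two alerts from the same source (WS-0042) do not count as independent, and
    alerts hours apart (WS-0099) do not corroborate each other."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append((parse_utc(a["time"]), a["source"]))

    verified = {}
    for host, events in by_host.items():
        events.sort()
        for t0, _ in events:
            sources = {s for t, s in events if t0 <= t <= t0 + window}
            if len(sources) >= min_sources:
                verified[host] = sorted(sources)
                break
    return verified


if __name__ == "__main__":
    for host, sources in corroborate(SAMPLE_ALERTS).items():
        print(f"{host}: verified by {', '.join(sources)}")
```

With the constructed alerts only SRV-DB-01 is verified; WS-0042 has a single source repeating itself and WS-0099 has two sources too far apart to corroborate, so neither would justify declaring an incident on its own.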

Lesson 2: Chain of Custody

This section explores why technical evidence is legally useless without an unbroken, documented trail. You will learn the five non-negotiable principles of evidence handling. The hashing walkthrough below shows firsthand why SHA-256 is the legal hinge of digital forensics.

The Five Principles

1. Identify: who collected what, where, when.
2. Hash: SHA-256 on collection, re-checked on transfer.
3. Seal: Tamper-evident bag with sequential number.
4. Log: Every transfer with timestamp, name, signature.
5. Preserve: Original is never analysed; use a copy.

What breaks the chain?

  • Gap in timeline (unaccounted time).
  • Unsigned transfers.
  • Hash mismatch on re-check.
  • Original used for analysis.

The Legal Hinge

Hashing a file is the act of sealing it. Changing a single character of the input completely alters its SHA-256 digest, so the digest recorded at collection is the seal that every later re-check is compared against.

If the hash on the form doesn't match the hash of the file in court, the evidence is discarded.
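Principles 2 and 4 above (hash on collection, re-check on every logged transfer) can be written down as a small custody record. This is an added example, not the playbook's own tooling: the item id, file name, handler names and locations are constructed, and the "signature" a real form carries is stood in for by the handler names in the log entry. The demo deliberately alters the file between two transfers to show that a mismatch is recorded as a break in the chain rather than hidden.

```python
"""Added example (not part of the original playbook): hash-on-collection and
re-check-on-transfer for a chain-of-custody record."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-gigabyte images are hashed without loading them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class CustodyRecord:
    """Append-only custody log for one evidence item; the collection hash is the seal."""

    def __init__(self, item_id, path, collector, location):
        self.item_id = item_id
        self.path = path
        self.seal_hash = sha256_file(path)
        self.events = []
        self._log("collected", collector, location, self.seal_hash)

    def _log(self, action, who, where, digest, note=""):
        self.events.append({
            "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action, "who": who, "where": where, "hash": digest, "note": note,
        })

    def transfer(self, sender, receiver, where):
        """Re-hash on every hand-over. A mismatch is logged, never silently accepted."""
        current = sha256_file(self.path)
        ok = current == self.seal_hash
        self._log("transfer", f"{sender} -> {receiver}", where, current,
                  "" if ok else "HASH MISMATCH - chain broken")
        return ok

    def chain_intact(self):
        return all(e["hash"] == self.seal_hash for e in self.events)


def demo():
    """Constructed walk-through: one clean transfer, then a transfer after the bytes changed."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "EV-0001-memory.raw")
        with open(path, "wb") as f:
            f.write(b"constructed memory capture bytes")  # stands in for a real image
        rec = CustodyRecord("EV-0001", path, "Analyst J.Doe", "SRV-DB-01 / evidence locker A")
        first = rec.transfer("Analyst J.Doe", "Evidence custodian", "evidence locker A")
        with open(path, "ab") as f:
            f.write(b"x")  # simulate the original being touched in transit
        second = rec.transfer("Evidence custodian", "Forensic lab", "lab intake")
        return first, second, rec.chain_intact()


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The record never rewrites an earlier entry: the failed re-check stays in the log next to the clean one, which is exactly the trail a court or regulator will ask for.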

Lesson 3: Order of Volatility

This section explains the RFC 3227 guidelines. You will learn to differentiate between volatile and non-volatile evidence. The spectrum below reflects the "half-life" concept of data. Most attacker activity never touches the disk; if you pull the power plug before capturing memory, you destroy the truth.

Data Half-Life (RFC 3227 Spectrum)

Why Memory Matters More

  • Stolen credentials live in RAM.
  • Decrypted payloads live in RAM.
  • Open network sockets live in RAM.
  • Injected shellcode lives in RAM.

Disk imaging tells you *something* is wrong. Memory tells you *what*.

Memory Acquisition Tools

  • WinPmem: Open source (Velocidex), Windows.
  • Magnet RAM Capture: Free, Windows.
  • LiME: Linux Memory Extractor.
  • Volatility 3: Post-acquisition analysis.
RULE: Always write captures to external/removable media. Never the suspect host.

Lesson 4: Documentation

"If it isn't written down, it didn't happen." This section breaks down the contemporaneous documentation required during a response. The cards below detail the 5W+H rule and tamper-evident concepts. A pristine record is the responder's alibi and the regulator's evidence.

The Golden Rules

UTC always. Quote literally. Name assumptions. Never delete (append only).


The 5W+H Requirement

  • WHO: Person or tool. e.g., "Analyst J.Doe" or "WinPmem v3.0"
  • WHAT: Action taken. e.g., "Isolated host from network"
  • WHERE: Host/Path. e.g., "SRV-DB-01 / port 22"
  • WHEN: UTC Timestamp. e.g., "2026-04-25T14:32:01Z"
  • WHY: Reason/Auth. e.g., "Authorized by IC per Playbook A"
  • HOW: Command used. e.g., "ifdown eth0"
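The golden rules (UTC always, never delete, append only) and the 5W+H requirement can be enforced by the log itself. The following is an added example, not code from the playbook: every entry must carry all six fields with a UTC timestamp, entries can only be appended, and each entry stores the SHA-256 of the one before it so that editing or removing an earlier record is detectable. Chaining entries by hash is this example's design choice rather than something the playbook prescribes; the entries themselves are constructed from the card examples above.

```python
"""Added example (not part of the original playbook): an append-only 5W+H log
with UTC enforcement and hash chaining for tamper evidence."""
import hashlib
import json
from datetime import datetime

FIELDS = ("who", "what", "where", "when", "why", "how")
GENESIS = "0" * 64  # previous-hash value for the first entry


class FiveWHLog:
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def append(self, **fields):
        """Reject incomplete entries and non-UTC timestamps; link to the previous entry."""
        missing = [f for f in FIELDS if not fields.get(f)]
        if missing:
            raise ValueError(f"5W+H entry incomplete: missing {missing}")
        when = fields["when"]
        if not when.endswith("Z"):
            raise ValueError("WHEN must be a UTC ISO 8601 timestamp ending in Z")
        datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ")  # raises on malformed timestamps
        entry = {f: fields[f] for f in FIELDS}
        entry["seq"] = len(self.entries) + 1
        entry["prev"] = self._digest(self.entries[-1]) if self.entries else GENESIS
        self.entries.append(entry)
        return entry

    def head(self):
        """Digest of the newest entry; record it on the custody form to seal the log."""
        return self._digest(self.entries[-1]) if self.entries else GENESIS

    def verify(self):
        """Walk the chain; return (True, count) or (False, first bad sequence number)."""
        prev = GENESIS
        for i, e in enumerate(self.entries, 1):
            if e["seq"] != i or e["prev"] != prev:
                return False, i
            prev = self._digest(e)
        return True, len(self.entries)


def build_sample_log():
    """Two constructed entries modelled on the card examples."""
    log = FiveWHLog()
    log.append(who="WinPmem v3.0", what="Captured physical memory to removable drive",
               where="SRV-DB-01", when="2026-04-25T14:20:45Z",
               why="Authorized by IC per Playbook A",
               how="WinPmem CLI, output on external USB (command constructed)")
    log.append(who="Analyst J.Doe", what="Isolated host from network",
               where="SRV-DB-01 / port 22", when="2026-04-25T14:32:01Z",
               why="Authorized by IC per Playbook A", how="ifdown eth0")
    return log


def tamper_demo():
    """Edit an earlier entry in place and show the chain walk catches it.
    Note that head() alone does not change when an older entry is edited;
    the externally recorded head only protects the newest entry."""
    log = build_sample_log()
    sealed_head = log.head()
    before = log.verify()
    log.entries[0]["what"] = "Rebooted host"  # silent edit of the first record
    after = log.verify()
    return before, after, log.head() == sealed_head


if __name__ == "__main__":
    print(tamper_demo())  # ((True, 2), (False, 2), True)
```

A rejected entry (missing WHY, or a local-time stamp without the Z) never enters the log, which is how "name assumptions" and "UTC always" become properties of the record rather than habits of the scribe.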

Lesson 5: Roles & Responsibilities

Enthusiasm without coordination destroys evidence. This section defines clear boundaries using a RACI matrix to prevent multiple responders from colliding. The matrix rows show how responsibilities are strictly divided.

RACI Matrix

R = Responsible (Does it) | A = Accountable (Signs off) | C = Consulted | I = Informed

Task / Decision                Inc. Cmdr (IC)   Responder   Legal   Comms   Scribe
Declare Incident               A/R              I           I       I       R
Isolate Host Network           A                R           C       I       I
Capture Memory                 A                R           -       -       I
Trigger 72h Regulatory Clock   C                -           A/R     C       I
Maintain 5W+H Log              A                I           -       -       R

Contamination modes:
  • Mode 1: Desktop tech opens malicious mailbox (overwrites timestamps).
  • Mode 2: Sysadmin restarts server (destroys memory).
  • Mode 3: Analyst browses C2 domain from corp IP (tips off attacker).

Reference & Regulations

Quick reference for standards, regulatory clocks, and critical anti-patterns. The chart visualizes the severe pressure of compliance notification windows.

Regulatory Notification Windows

The clock starts at awareness, not at understanding.

🚫 The Five Forbidden Moves

1. Pulling power on a suspect host before memory capture.
2. Running antivirus "cleanup" on the active machine.
3. Browsing the attacker's C2 domain from a corporate IP.
4. Logging into the suspect host's mailbox to "see what came in".
5. Documenting the response a week later from memory.

Foundational Habit

Submit every URL to VirusTotal before clicking. Treat any forwarded link as untrusted. This 10-second check prevents weeks of incident response.

Standards: NIST SP 800-61 Rev. 2 | IETF RFC 3227 | ISO/IEC 27037:2012

Requires strict written authorisation.