Forensic Analysis and Evidence Preservation Playbook

December 16, 20234 min read

Playbook Objectives:

  • To enhance the capabilities of the security team in identifying, collecting, and preserving digital evidence following a cyber incident.
  • To ensure proper forensic analysis protocols are followed during and after an incident to maintain evidence integrity.
  • To simulate a realistic cyber-attack scenario allowing team members to test their response strategies and sharpen their forensic skills.
  • To evaluate the effectiveness of current incident response plans and improve upon them for future incidents.

Difficulty Level:

  • Advanced


  • Company Name: FinTech Secure Inc. Location: San Francisco, CA Industry: Financial Technology
  • Background Story: In recent weeks, FinTech Secure Inc., a leading financial technology company that provides digital banking solutions, has noticed an uptick in suspicious network activity. The company prides itself on maintaining robust security measures, but its internal security team has uncovered a series of irregularities that suggest a potential compromise. The anomalies detected involve unusual outbound traffic patterns and spikes in database read requests during off-peak hours.
  • The company’s primary data center, holding sensitive financial records and proprietary algorithms, experienced a sudden and significant surge in data exfiltration attempts. Suspicious login attempts have also been recorded on the administration panel of their payment gateway system. Given the criticality of maintaining customer trust and upholding industry regulations, FinTech Secure Inc. has decided to carry out a comprehensive Cyber Range exercise focusing on Forensic Analysis and Evidence Preservation.
  • John Doe, the Chief Information Security Officer (CISO), has instructed the cyber response team to conduct a thorough forensic investigation and prepare all personnel for future incidents through hands-on experience in a controlled environment. The CISO emphasizes the importance of meticulous evidence preservation for legal compliance and post-incident review.
  • The team’s primary goal is to identify the origin of the breach, the method of intrusion, the scope of the data compromised, and to ensure all digital evidence is properly collected and preserved. The company aims to enhance its network security by running this lab exercise.


  • Cybersecurity Forensics

Exercise Attack Steps:

  • Step 1: Simulate an external threat actor gaining unauthorized access to the company’s network by exploiting a vulnerability in a third-party payment processing application.
  • Step 2: Enact the unauthorized transfer of sensitive files from the internal servers to an external location controlled by the threat actor.
  • Step 3: Fabricate signs of the threat actor attempting to cover their tracks by deleting logs and using anti-forensic techniques.
  • Step 4: Alert the cyber response team to initiate the forensic analysis protocol, beginning with the identification of the breached application.
  • Step 5: Execute a step-by-step network forensic investigation, identifying artifacts and anomalies indicative of a malicious presence.
  • Step 6: Isolate affected systems and execute proper evidence preservation techniques which include creating bit-for-bit copies of affected drives and maintaining a chain of custody for all evidence collected.
  • Step 7: Perform a detailed log analysis to uncover the timeline of events, including the detection of deleted logs and any obfuscation attempts.
  • Step 8: Analyze network traffic to pinpoint exfiltration attempts and determine the scope of data leakage.
  • Step 9: Utilize malware analysis techniques to study any malicious code used in the breach.
  • Step 10: Generate a comprehensive incident report, documenting all findings, methods used for analysis, and recommendations for preventing future incidents.