Summary
In this chapter we covered the various steps that should be taken in the investigation stage of IR. This includes identification of the threat via common indicators of compromise and the collection of volatile data, which is particularly important in cloud systems. We demonstrated how to produce a memory dump of key system information on Windows, Linux, and macOS, as well as providing some suggestions for creating a disk image or clone to replicate hard disk data.
We then moved on to a phishing example and learned all about how to investigate a cyberattack that has happened via email. The chapter went through email IR essentials, and we discovered some key tools that you can use during an email incident to help you resolve any issues.
In the next chapter we will learn how to report the findings of the investigations that we learned about in this chapter.