>>
13-October-2022, min readtime

Help, where is the evidence?

Why the reconstruction of a security incident is needed

After the discovery of a cyberattack, organisations would like to know in detail what happened. How did the attackers get in? What actions did the attackers take? Has (sensitive) data from the organisation been viewed or stolen?

These questions are asked from the desire to be reassured: “there is limited damage” or “the attackers have not stolen any data”. But also to determine follow-up actions.

Follow-up actions depend on what exactly happened. Should a report be made to the Dutch Data Protection Authority due to a data breach? Or should we inform our customers? In order to answer the questions, we search for evidence of the cyberattack together with the victim organisation.

What is evidence?

If a physical burglary has taken place within an organisation, detectives are asked to figure out happened. They collect information about the current situation and investigate traces that might be related to the burglary. Examples of this information are fingerprints, images from the surveillance cameras and prints of traces in the grass.

After a digital burglary, information about the security incident is collected and traces are secured. This evidence can be used for police investigations and in court.

Lisa de Wilde, Business Unit Director - Incident Response

The same is done after a digital burglary within an organisation. The Incident Responder starts collecting information about the incident and secures traces. This is done in a way that minimises the impact on the organisation's operations, does not affect the evidence and can potentially be used for police investigations and in court.

We collect logs from the IT environment. When everything is properly configured, these logs contain all actions that were executed on a particular system. An example of these logs are firewall logs; these contain information about the connections between internal and external systems, including those of the attackers. In this way the investigator can figure out from which moment the attackers have been active in the digital environment of the organization and better scope the investigation.

In addition, we can make exact digital copies of digital systems, such as the hard disk of a laptop. A digital copy contains traces of both legitimate users and attackers. These traces indicate what has happened on the system. By means of analysis, deviant behavior can be determined, and it quickly becomes apparent which actions were (presumably) performed by the attackers. The logs can, for example, prove that an admin account was created at 3 a.m.

How is an investigation executed?

As explained in our last blog, there is no one set way that attackers use to hack organisations. But there are patterns in the way attackers operate. This ensures that we can optimise our research methods and answer research questions better and faster.

During an investigation, we try to make the puzzle as complete as possible based on available incident information. For this, we create a timeline and try to go back to the first action of the attackers. In other words, we map the route the attackers have taken along with dates and times.

The reconstruction of a security incident at an affected organization leads to additional security measures to prevent a recurrence.

Lisa de Wilde, Business Unit Director - Incident Response

After an investigation has been conducted, I like to explain step-by-step to organisations which actions the attackers have taken in the IT environment. In this way we can determine follow-up actions together. These follow-up actions can relate to how to become operational again, but also what additional security measures can be implemented to prevent a new attack.

Unfortunately, it is not always possible to provide a complete puzzle. For example, I was recently asked to investigate an incident that occurred about four weeks ago. When collecting the logs, I figured out they only had a seven-day retention period. I regularly experience that the logs are not available or only available to a limited extent. As a result, the attack cannot be fully reconstructed. And the research questions cannot be fully answered. This can lead to assumptions about, for example, the scope of the data exfiltration on the basis of which it is decided which subjects are informed.

What are the attackers doing?

Also, less information about the attack may be available because the attackers have put effort into covering their traces. The attackers do this to remain undetected in the environment of the organisation for as long as possible, and try to stay one step ahead of the organisation. When logs are not centrally stored, and the attackers have access to the system, it may be possible to delete the logs, modify them or disable the saving of the logs.

What can I do?

During the conversations I have with organisations to prepare for an incident, the availability of evidence is also discussed:

  • For which systems are logging capabilities set up?
  • What log information is stored?
  • What is the retention period of the logs and is it sufficient?
  • Where are the logs stored?
  • Who can access the logs?
  • Is there a backup of the logs?
  • Who can make a copy of a digital system?
  • How do you ensure that the evidence is available to the department or party that will conduct the investigation?

These are questions that any organisation can answer for itself before an incident to ensure that the evidence is available after a security incident. Let's make sure you get used to the preparation for a security incident.


Lisa de Wilde advises and supports organisations that would like to prepare for security incidents and crises and/or that have become victims of cyber criminals.

This website works best with JavaScript enabled