SOP
Arsal Khan
Security Engineer
Security Manager
Cybersecurity
Collecting Artifacts
• Throughout the incident response process, the SOC may investigate various portals and documents. As a best practice, Information Security would like to ensure that artifacts collected during your investigation are gathered in a standardized manner.
  o Images:
    • <company> has purchased licenses of SnagIT, a screen capture tool, for capturing and annotating screen captures. Any screenshots that are taken should be included in the [[Incident Folder]].
    • If necessary, use SnagIT's annotation tool to add context. Context could be arrows pointing to specific log entries, or text overlaid on the image explaining key details of your analysis.
    • Image files should be named accordingly: INCIDENT-NAME-FIGURE-#
      • Ex. MITM-USERNAME-Figure 1
    • When referencing images in your incident report, it is sufficient to reference only the Figure # and not the entire file name.
    • DO NOT paste the image in the incident document, as Microsoft Word will format the image to fit the page and there will be a loss in image quality.
  o CSV/Excel File:
    • It will be common to download many CSV files that represent logs taken at the moment of an incident from the user or device timelines. Any CSV downloaded during the course of an incident should be placed in the [[Incident Folder]] so that we can refer back to it at a later point.
    • Any items that are reviewed in the logs and used to determine malicious activity should be highlighted red.
    • It is best to also take a screenshot of such evidence.
  o Emails:
    • Downloaded emails should be kept in their .eml file type; no edits should be made to them. If screenshots are taken please reference
  o Customer Testimony:
    • Customer interviews should be noted as meticulously as possible.
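One way to check an [[Incident Folder]] against the rules above, as an added example that is not part of the original SOP: it flags images whose names do not follow the figure convention and records a SHA-256 for every artifact so a later edit to an .eml file is detectable. The hashing step, the list of image extensions and the function names are assumptions of this example, not requirements stated in the SOP.

```python
import hashlib
import re
import sys
from pathlib import Path

# Assumption: the SOP gives INCIDENT-NAME-FIGURE-# and the example
# "MITM-USERNAME-Figure 1", so "-FIGURE-1" and "-Figure 1" are both accepted.
FIGURE_NAME = re.compile(r"^[^-]+-.+-figure[- ]\d+$", re.IGNORECASE)
KINDS = {".png": "image", ".jpg": "image", ".jpeg": "image",   # assumed image types
         ".csv": "log", ".xlsx": "log", ".eml": "email"}


def sha256_file(path):
    """Hash in chunks so large log exports are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(incident_folder):
    """Map each file name to its kind, SHA-256 and whether its name follows the SOP."""
    manifest = {}
    for path in sorted(Path(incident_folder).iterdir()):
        if not path.is_file():
            continue
        kind = KINDS.get(path.suffix.lower(), "other")
        # Only images have a naming rule in the SOP; other kinds pass by default.
        name_ok = kind != "image" or bool(FIGURE_NAME.match(path.stem))
        manifest[path.name] = {"kind": kind, "sha256": sha256_file(path), "name_ok": name_ok}
    return manifest


def changed_emails(baseline, incident_folder):
    """Names of .eml files that were edited or removed since the baseline was taken."""
    current = build_manifest(incident_folder)
    return sorted(name for name, entry in baseline.items()
                  if entry["kind"] == "email"
                  and current.get(name, {}).get("sha256") != entry["sha256"])


if __name__ == "__main__":
    # Usage: python manifest.py <incident folder>; prints one line per artifact.
    for name, entry in build_manifest(sys.argv[1]).items():
        flag = "" if entry["name_ok"] else "  <- rename per SOP"
        print(f'{entry["sha256"]}  {entry["kind"]:5}  {name}{flag}')
```

Take the baseline manifest as soon as the emails are downloaded; CSV files are left out of the change check because the SOP expects reviewed entries in them to be highlighted.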
© 2024 Contra.Work Inc All Rights Reserved.