Collecting Artifacts

• Through out the incident response process SOC may investigate various portals and

documents. As a best practice Information Security would like to ensure that artifacts

collected while performing your investigation are done so in a standardized manner.

o Images:

• <company> has purchased licenses of SnagIT, a screen capture tool, for capturing

and annotating screen captures. Any screenshots that are taken should be included in

the [[Incident Folder]]

• If necessary utilize SnagIT's annotation tool to add context. Context could be arrows

pointing to specific log entries, or context can be text overlaid on explaining key details

done during your analysis.

• Image files should be named accordingly: INCIDENT-NAME-FIGURE-#

• Ex. MITM-USERNAME-Figure 1

• When referencing images in your incident report it is sufficient to only reference the

Figure # and not the entire file name.

• DO NOT paste the image in the incident document, as Microsoft Word will format the

image to fit the page and there will be a loss in image quality.

o CSV/Excel File:

• It will be common to download many CSV files that represent logs taken at the moment

of an incident from the user or device timelines. Any CSV downloaded during the course

of an incident should be placed in the [[Incident Folder]] so that we can reference it

back at a later point.

• Any items that are reviewed in the logs and used to determine malicious activity should

be highlighted red.

• It would be best to also take a screenshot of such evidence as well.

o Emails:

• Downloaded emails should be in their .eml filetype no edits should be done on them. If

screenshots are taken please reference

o Customer Testimony:

• Customer interviews should be noted as meticulously as possible.