Appendix C: Investigative Workflow

Introduction

The logical flow from the time the initial event occurs requires organizations to follow a consistent and repeatable process that encompasses several stages of information (i.e., preserving digital evidence, conducting interviewing) gathering, communication (i.e., stakeholder reporting, escalations), and documentation (i.e., SOPs, incident/case management knowledge base).

The goal of following a logical investigative process is to reduce the possibility of quick and uninformed decisions being made at any time. However, with the understanding that the context of every investigation can be uniquely different, the logical workflow should still provide organizations with the ability to make the best and most educated decisions related to what actions are to be performed next.

The investigative workflow illustrated in Figures AC.1, AC.2, AC.3, AC.4 encompasses each business risk scenario as discuss further in Chapter 7, “Defining Business Risk Scenarios.” While the specific business risk–naming conventions have not been used in the workflow that follows, the methodology and approach take into consideration the workflow and activities required to address each risk scenario as it occurs.

Figure AC.1 Investigative workflow—process initiation.

Figure AC.2 Investigative workflow—volatile data process.

Figure AC.3 Investigative workflow—targeted forensics process.

Figure AC.4 Investigative workflow—broad audit process.