This scenario was much broader than most, and notice how that invited many more responses and a great diversity in paths to pursue. Sometimes the most challenging of an investigation is knowing which initial #InvestigationPath to take.
https://twitter.com/chrissanders88/status/1595070232426467328
Something we know from research is that the initial path (“opening move”) matters.
I shared some of this research in this blog post: chrissanders.org/2016/09/effect….
That effect is a product of the path itself and the evidence being examined.
I shared some of this research in this blog post: chrissanders.org/2016/09/effect….
That effect is a product of the path itself and the evidence being examined.
There is often a best opening move in a scenario, but in those like the one I’ve shared here, there isn’t an obvious opening move without gaining more information first.
When you forecast for this event, one strategy might be an exfil investigation; trying to find data being moved. That could mean exfil by email, USB, file storage site upload, remote access, or some other mechanism.
Another path mentioned a lot might be understanding what the user accessed in the time window preceding their departure. Looking at authentications, file and object access, etc.
An approach that wasn't mentioned much was looking for staging actions like the creation of archive files to make data easier to move. I chose Vikas (on LinkedIn) as the response of the week for mentioning this idea. It’s not always a home run, but it’s quick to investigate. 
Lots of great responses. A parting thought for this scenario — how would the investigation be different if the scenario changed from an insider stealing information to an external attacker stealing information?
• • •
Missing some Tweet in this thread? You can try to
force a refresh
