Investigation Documentation

Track timeline, actions taken, and evidence systematically


Incident investigation creates the audit trail proving your response was appropriate and effective. Document everything in real time, as it happens, rather than reconstructing it afterwards.

Investigation Timeline

Build a chronological incident record:

  • Initial detection: When and how the incident was discovered
  • Containment actions: Steps taken to limit damage
  • Investigation activities: Forensic analysis, log review, interviews
  • Communication events: Who was notified and when
  • Resolution actions: How the incident was remediated
  • Verification: Confirmation that the threat is eliminated

Every timeline entry is automatically timestamped.

[Screenshot: Incident Timeline] Placeholder: Chronological event log with timestamps

Evidence Collection

Gather supporting evidence:

  • System logs: Authentication logs, access logs, error logs
  • Screenshots: Suspicious activity, configuration changes, error messages
  • Network captures: Traffic analysis, intrusion detection alerts
  • Email communications: Phishing attempts, social engineering
  • Physical evidence: Photos of hardware tampering, access logs

Upload evidence files to the incident's evidence locker.

Investigation Notes

Document findings in structured updates:

  • What was discovered: Factual observations
  • How it was discovered: Investigation methodology
  • Significance: What this finding means for the incident
  • Next steps: Additional investigation needed

[Screenshot: Investigation Update Form] Placeholder: Add update dialog with evidence attachment

Root Cause Analysis

Identify why the incident occurred:

  • Immediate cause: What directly caused the incident
  • Contributing factors: Conditions that enabled the incident
  • Underlying causes: Systemic issues that need addressing
  • Control failures: Which security controls failed or were missing

Impact Assessment

Document incident impact:

  • Systems affected: List of compromised or impacted assets
  • Data exposure: What data was accessed or exfiltrated
  • Business disruption: Service downtime or operational impact
  • Financial impact: Direct costs and productivity losses
  • Regulatory implications: GDPR, NIS2, or other notification requirements

[Screenshot: Impact Assessment] Placeholder: Impact documentation form with affected entities

Chain of Custody

Maintain evidence integrity:

  • Who collected: Person who obtained the evidence
  • When collected: Timestamp of evidence collection
  • Storage location: Where evidence is secured
  • Access log: Who viewed or analyzed the evidence

This chain of custody proves the evidence was not tampered with.
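To make the Evidence Collection and Chain of Custody sections above concrete, here is an added example of a hypothetical evidence locker (example code, not the product's own): on intake it hashes the file with SHA-256, copies it into the locker and checks the copy against the source; every collection, storage, access and verification event is appended to a custody log with the actor and a UTC timestamp; and a later verification recomputes the hash so that any modification of the stored copy is detected and recorded. The evidence ID, analyst names and the sample authentication log lines are constructed for the example.

```python
import hashlib
import json
import tempfile
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from pathlib import Path


@dataclass
class CustodyEvent:
    action: str      # collected | stored | accessed | verified
    actor: str
    timestamp: str   # ISO 8601, UTC
    note: str = ""


@dataclass
class EvidenceItem:
    evidence_id: str
    source: str
    sha256: str          # digest recorded at collection time
    stored_at: str
    custody: list = field(default_factory=list)


class EvidenceLocker:
    """Hypothetical evidence locker: hashes on intake and logs every touch."""

    def __init__(self, root: Path) -> None:
        self.root = root
        self.root.mkdir(parents=True, exist_ok=True)
        self.items: dict[str, EvidenceItem] = {}

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    @staticmethod
    def sha256_of(path: Path) -> str:
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        return h.hexdigest()

    def collect(self, evidence_id: str, src: Path, collector: str) -> EvidenceItem:
        digest = self.sha256_of(src)
        dest = self.root / f"{evidence_id}_{src.name}"
        dest.write_bytes(src.read_bytes())
        # Refuse to accept a copy that does not match what was hashed at the source.
        if self.sha256_of(dest) != digest:
            raise RuntimeError("copy does not match source; intake aborted")
        item = EvidenceItem(evidence_id, str(src), digest, str(dest))
        now = self._now()
        item.custody.append(CustodyEvent("collected", collector, now, f"sha256={digest}"))
        item.custody.append(CustodyEvent("stored", collector, now, f"locker path {dest}"))
        self.items[evidence_id] = item
        return item

    def access(self, evidence_id: str, analyst: str, purpose: str) -> Path:
        item = self.items[evidence_id]
        item.custody.append(CustodyEvent("accessed", analyst, self._now(), purpose))
        return Path(item.stored_at)

    def verify(self, evidence_id: str, verifier: str) -> bool:
        item = self.items[evidence_id]
        ok = self.sha256_of(Path(item.stored_at)) == item.sha256
        item.custody.append(CustodyEvent("verified", verifier, self._now(),
                                         "hash matches intake digest" if ok else "HASH MISMATCH"))
        return ok

    def custody_report(self, evidence_id: str) -> str:
        return json.dumps(asdict(self.items[evidence_id]), indent=2)


# Constructed sample evidence: a few made-up authentication log lines (TEST-NET address).
SAMPLE_AUTH_LOG = b"""2024-03-04T08:11:02Z sshd[4121]: Failed password for admin from 203.0.113.7
2024-03-04T08:11:05Z sshd[4121]: Failed password for admin from 203.0.113.7
2024-03-04T08:11:09Z sshd[4121]: Accepted password for admin from 203.0.113.7
"""


def demo() -> dict:
    """Collect, access and verify an item, then show that a later change is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "auth.log"
        src.write_bytes(SAMPLE_AUTH_LOG)
        locker = EvidenceLocker(tmp / "locker")
        item = locker.collect("EV-001", src, collector="j.doe")
        stored = locker.access("EV-001", analyst="a.lee", purpose="log review")
        first_check = locker.verify("EV-001", verifier="a.lee")
        # Simulate an unauthorised edit of the stored copy; the next verification must fail.
        stored.write_bytes(SAMPLE_AUTH_LOG.replace(b"Accepted", b"Failed  "))
        second_check = locker.verify("EV-001", verifier="qa-reviewer")
        return {
            "sha256": item.sha256,
            "first_check": first_check,
            "after_modification": second_check,
            "custody_actions": [c.action for c in item.custody],
            "report": locker.custody_report("EV-001"),
        }


if __name__ == "__main__":
    print(demo()["report"])
```

The intake hash is what turns the custody log from a list of names into evidence of integrity: each later "verified" entry either confirms the stored file still matches the digest recorded at collection or records the mismatch, and the failed check itself stays in the log rather than being silently discarded.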

Next Steps