Recovery Guidance
After threat containment: (1) Perform full forensic analysis of compromised employee laptop and all systems with lateral movement indicators; preserve artifacts for legal hold. (2) Conduct cryptographic key rollover ceremony for all hot wallets with witness attestation and chain-of-custody documentation. (3) Execute post-incident lessons-learned session within 30 days with IR team, engineering, and security leadership to document control gaps and implement mitigations; map findings to NIST CSF and 800-53 control baselines. (4) Schedule penetration test focused on credential theft and lateral movement TTPs within 90 days to validate compensating controls.
Key Forensic Artifacts
Windows Event Logs: Security (4688 Process Creation, which carries the command line only if "Include command line in process creation events" is enabled in audit policy; 4624 Logon, where logon type 3 (network) and type 10 (RemoteInteractive) distinguish lateral movement paths; 4720 Account Creation), System (7045 Service Installation), Application (1000 Application Error for process crashes). Linux: /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL), which record PAM and sshd authentication events; /var/log/audit/audit.log (auditd records for file access and system calls).
SSH server logs (sshd entries in auth.log/secure, which record the key fingerprint on each "Accepted publickey" line; debug output only if LogLevel was raised beforehand), ~/.ssh/authorized_keys for every account with stat timestamps (mtime/ctime) to date any added entries, SSH client config (~/.ssh/config) and known_hosts files, which show which hosts the user connected to, and private key material if seized.
Process execution logs: Sysmon Event ID 1 (ProcessCreate) on Windows, auditd execve records on Linux (from a rule such as -a always,exit -F arch=b64 -S execve -k exec; the EXECVE record holds the argv), and shell history (~/.bash_history, ~/.zsh_history, and on Windows PSReadLine's ConsoleHost_history.txt under %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine). Bash history is written only when the shell exits and is trivially cleared, so an empty or truncated file is itself an indicator, not evidence of inactivity.
Network flow data: NetFlow v5/v9 records, sFlow, tcpdump PCAP files from production subnets, DNS query logs, firewall connection logs (source/dest IP, port, protocol, duration).
Backup and snapshot metadata: backup job logs, snapshot creation/modification timestamps, access logs for backup storage systems (S3, NAS, tape), backup retention policies and disposal records.
Credentials and secrets: results of searching config files (/etc/app.conf, ~/.bashrc, .env files) for embedded secrets, environment variable dumps, database connection strings, API key references, and metadata for encrypted credential storage (key ID, encryption algorithm).
Hot wallet and encryption key metadata: blockchain transaction logs (timestamp, sender, recipient, value), wallet signing event logs (key accessed, operation performed), database encryption key access logs (who accessed, when, from where), key generation and rotation audit logs.
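The following script is an added example and not part of the original guidance or any organisation's tooling. It parses sshd syslog lines and auditd execve records of the kinds listed above, rebuilds logins and command lines, and flags the indicators this investigation cares about: keys not in inventory, password logins where keys are expected, off-hours access, failed-authentication bursts, and credential hunting such as grepping config files for passwords. The log lines are constructed; the hosts, users, addresses, fingerprints, the 08:00 to 19:00 office-hours window and the failure threshold are all assumptions.

```python
"""Triage of SSH and auditd artifacts collected during the investigation."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sshd lines in the format found in /var/log/auth.log
# (Debian) or /var/log/secure (RHEL). Hosts, users, addresses and
# fingerprints are made up for this example.
AUTH_LOG = """\
Mar  3 09:12:41 db01 sshd[2210]: Accepted publickey for deploy from 10.20.1.15 port 51122 ssh2: ED25519 SHA256:deploy-key-placeholder
Mar  3 09:12:41 db01 sshd[2210]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Mar  3 09:15:02 db01 sshd[2288]: Failed password for root from 198.51.100.7 port 40012 ssh2
Mar  3 09:15:05 db01 sshd[2288]: Failed password for root from 198.51.100.7 port 40012 ssh2
Mar  3 09:15:09 db01 sshd[2291]: Failed password for invalid user admin from 198.51.100.7 port 40020 ssh2
Mar  3 22:47:19 db01 sshd[3101]: Accepted publickey for deploy from 10.20.7.42 port 60110 ssh2: RSA SHA256:unknown-key-placeholder
Mar  3 22:49:03 db01 sshd[3140]: Accepted password for backup from 10.20.7.42 port 60134 ssh2
"""

# Constructed auditd records as produced by a rule such as
#   -a always,exit -F arch=b64 -S execve -k exec
# (SYSCALL and EXECVE records share the audit event id after the colon).
AUDIT_LOG = """\
type=SYSCALL msg=audit(1709506039.412:4512): arch=c000003e syscall=59 success=yes exit=0 ppid=3150 pid=3161 auid=1001 uid=1001 comm="grep" exe="/usr/bin/grep" key="exec"
type=EXECVE msg=audit(1709506039.412:4512): argc=4 a0="grep" a1="-ri" a2="password" a3="/etc/app.conf"
type=SYSCALL msg=audit(1709506102.007:4530): arch=c000003e syscall=59 success=yes exit=0 ppid=3150 pid=3190 auid=1001 uid=1001 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1709506102.007:4530): argc=2 a0="ls" a1="-la"
"""

# Fingerprints of keys the organisation issued (assumed inventory).
KNOWN_FINGERPRINTS = {"SHA256:deploy-key-placeholder"}

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)
AUDIT_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<epoch>[\d.]+):(?P<id>\d+)\): (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Paths and words that suggest credential hunting in a rebuilt command line.
CRED_HUNT_RE = re.compile(r"\.env|authorized_keys|id_(rsa|ed25519)|/etc/shadow|password|secret|\.aws/credentials", re.I)


def parse_sshd(text, year=2024):
    """Return sshd authentication events; syslog lines carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(f"{year} {e['ts']}", "%Y %b %d %H:%M:%S")
            events.append(e)
    return events


def parse_auditd(text):
    """Group SYSCALL and EXECVE records by audit event id and rebuild argv from a0..aN."""
    events = {}
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue
        rec = events.setdefault(m["id"], {"epoch": float(m["epoch"]), "argv": []})
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m["body"])}
        if m["type"] == "SYSCALL":
            rec.update(uid=kv.get("uid"), auid=kv.get("auid"), exe=kv.get("exe"))
        elif m["type"] == "EXECVE":
            rec["argv"] = [kv.get(f"a{i}", "") for i in range(int(kv["argc"]))]
    return sorted(events.values(), key=lambda r: r["epoch"])


def triage(ssh_events, audit_events, known_fps, office_hours=(8, 19), fail_threshold=3):
    """Return (category, detail) findings. Thresholds are assumptions to tune per environment."""
    findings = []
    failures = defaultdict(int)
    for e in ssh_events:
        if e["result"] == "Failed":
            failures[e["src"]] += 1
            continue
        who = f"{e['ts']} {e['user']} from {e['src']}"
        if e["method"] == "password":
            findings.append(("password_login", f"{who}: password auth where keys are expected"))
        elif e["fp"] not in known_fps:
            findings.append(("unknown_key", f"{who}: key {e['fp']} not in inventory"))
        if not office_hours[0] <= e["ts"].hour < office_hours[1]:
            findings.append(("off_hours", who))
    for src, n in failures.items():
        if n >= fail_threshold:
            findings.append(("auth_failures", f"{n} failed logins from {src}"))
    for a in audit_events:
        cmd = " ".join(a["argv"])
        if CRED_HUNT_RE.search(cmd):
            when = datetime.fromtimestamp(a["epoch"], timezone.utc)
            findings.append(("credential_hunt", f"{when:%Y-%m-%d %H:%M:%S}Z uid={a['uid']}: {cmd}"))
    return findings


if __name__ == "__main__":
    for cat, detail in triage(parse_sshd(AUTH_LOG), parse_auditd(AUDIT_LOG), KNOWN_FINGERPRINTS):
        print(f"[{cat}] {detail}")
```

On the sample data the script reports the unknown RSA key and the password login from 10.20.7.42 in the late evening, the three failures from 198.51.100.7, and the grep for "password" in /etc/app.conf, which is exactly the credential-hunting step the artifact list above asks investigators to look for. On real hosts, feed it the collected auth.log/secure and audit.log, replace the inventory set with the organisation's issued key fingerprints, and keep the original files under legal hold rather than working on them in place.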