Azure AD (Entra ID) Audit Logs

Credential and Account Lockdown

contain

Log Preservation and Snapshot

preserve

Azure AD Sign-In and Audit Log Collection

collect

Detect OAuth and Consent Phishing Abuse

analyze

Revoke Cloud Sessions and Tokens

contain

Comprehensive Persistence Mechanism Sweep

eradicate

Cloud Tenant Configuration Snapshot

preserve

Phishing Remediation: Purge, Reset, Revoke

eradicate

Review Cloud Hardening Gaps After Identity Compromise

post-incident

Legal Requesting Preservation Conflicts with Containment

Legal counsel has issued a preservation hold requiring that certain systems, mailboxes, or data stores remain untouched. This directly conflicts with containment actions like reimaging hosts, resetting accounts, or blocking network segments.

Unknown Scope of Credential Compromise

One or more accounts are confirmed compromised, but it is unclear how many additional credentials the attacker has obtained. Resetting only known-compromised accounts may be insufficient, while a mass reset disrupts operations.

Attacker Using VPN/Tor -- Cannot Determine True Origin

The threat actor is connecting through VPN services, Tor exit nodes, or residential proxy networks. Source IP addresses rotate frequently and do not reveal the actual origin, limiting geographic attribution and IP-based blocking.

Suspected Insider Still Has Access -- Investigation Must Be Covert

The primary suspect is a current employee or contractor who still has active credentials and system access. Overt containment actions (account lockout, visible monitoring) would tip off the suspect and risk evidence destruction or acceleration of harmful activity.

Regulatory Notification Deadline Approaching

A regulatory reporting deadline (GDPR 72-hour, SEC 4-day, state breach notification, HIPAA) is imminent and the investigation has not yet determined the full scope of data exposure. The team must balance thorough investigation against mandatory disclosure timelines.

Incident Responder Credentials Compromised

The attacker has compromised credentials belonging to a member of the incident response team or to privileged tooling used for the response (EDR console, SIEM, forensic-evidence storage). This is a worst-case blocker: the adversary may be monitoring the response in real time and can exfiltrate evidence or alter it.

Critical Logs Rotated/Overwritten Before Collection

Key log files (Security EVTX, web server access logs, syslog) have been rotated out or overwritten due to aggressive retention settings, high volume, or attacker manipulation. The evidence window for those sources is now closed.

SIEM Not Ingesting Relevant Log Sources

The SIEM does not ingest logs from the affected systems, applications, or network segments. Correlation, alerting, and historical search capabilities are unavailable for the evidence sources most relevant to this incident.

Attacker Used Timestomping, Log Clearing, or Other Anti-Forensics

Evidence of deliberate anti-forensic activity has been found: timestamps modified, event logs cleared, prefetch/shimcache wiped, or tools designed to defeat forensic analysis were executed. Standard timeline analysis may be unreliable.

Cloud or Container Logging Coverage Missing

The investigation depends on cloud-control-plane or container telemetry that was never enabled, was retained too briefly, or was routed to an unavailable destination. This creates blind spots around identity misuse, cluster administration, and workload behavior.

Host Wiped Before Forensic Acquisition

The compromised host has been zeroed or securely wiped (DBAN, `dd if=/dev/zero`, `sdelete`, `shred`) before forensic imaging could begin. Traditional filesystem-carving techniques recover limited content; the investigation must pivot to peer-host artifacts, network telemetry, and cloud/identity records that survived the wipe.

Evidence Chain of Custody Compromised

Evidence handling has gaps or integrity issues (missing hash verification, broken custody log, unauthorized access to evidence storage, transfers without documented handoffs). Evidence may still be technically useful but legal admissibility is compromised; pivot to secondary preservation and early legal assessment.

Law Enforcement Requested Investigation Pause

A law-enforcement agency (FBI, Secret Service, Europol, national police cybercrime unit) has requested that the organization pause or slow-walk active investigation, containment, or notification steps while they pursue their own investigation. This creates tension between legal obligations to customers/regulators and cooperation with LEA.

Deep Anti-Forensics: Timestomping, Rootkits, Secure Delete

The attacker has employed anti-forensic techniques: timestomping ($MFT/$STANDARD_INFORMATION manipulation), log clearing (Security.evtx wiped, journalctl truncated), NTFS alternate data stream hiding, rootkits, file-attribute masking, or secure-delete of specific indicators. Standard forensic analysis produces incomplete or misleading results.

Investigation Requires Air-Gapped Network Access

The affected systems are on an isolated network segment with no connectivity to standard IR tooling (EDR management plane, SIEM, evidence-transfer channels). Acquisition and analysis must happen via physical media or through carefully-controlled trusted-transfer workflows that do not breach the air gap.

SaaS Audit Logging Not Enabled or Not Licensed

The investigation depends on SaaS audit evidence that was never enabled, is unavailable under the current subscription tier, or requires a higher-privilege admin role than the response team currently has. This creates blind spots for identity abuse, collaboration-platform misuse, and source-code access.

SaaS Audit Retention Expired Before Collection

The response started after the native retention window for Google Workspace, Okta, Slack, GitHub, or similar SaaS evidence had already passed. The necessary events are no longer available in the vendor UI or API even though the underlying accounts and content may still exist.

Attack Delivered via Legitimately Signed Update

The malicious artifact carries a valid signature from the vendor's real signing key, so traditional allow-by-signature controls (Authenticode policy, Cosign verification, macOS notarization) do not flag it. Detection must pivot to behavioral indicators, reputation, and anomaly-based signals.

Mining Incident Treated as Low Priority by Stakeholders

Stakeholders frame unauthorized mining as "just a resource cost" and push for immediate process-kill and closure rather than a full investigation. This under-scoping routinely leaves the entry vector open and misses secondary compromise (webshells, backdoors, credential theft) the attacker installed alongside the miner.

Fileless Malware With Minimal On-Disk Footprint

The suspected malware runs primarily in memory with minimal or no on-disk persistence. Traditional file-hash IoC hunts return empty, and disk-image analysis misses the active payload. Response must pivot to memory forensics, ETW, PowerShell script-block logging, and AMSI telemetry.

Attacker Living Off the Land with Native Binaries

The attacker relies on legitimate system binaries (PowerShell, certutil, bitsadmin, regsvr32, rundll32, mshta, wmic) for execution and lateral movement. File-reputation and signature-based detection fails because the binaries are legitimate; detection must shift to behavioral anomaly, parent-child process analysis, and command-line context.

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical

FTK Imager Logical Image (AD1)

windows — logical