ABSTRACT

In this chapter, we will discuss the first of three overall phases of an investigation. As we pointed out in the last chapter, broadly speaking, an investigation can be broken down into launch activities, incident analysis, and evidence analysis. In Chapter 2, we discussed a framework for conducting an investigation. There, we laid out a set of seven steps for you to follow. You may recall that those steps include:

1. Eliminate the obvious
2. Hypothesize the attack
3. Collect evidence, including, possibly, the computers themselves
4. Reconstruct the crime
5. Perform a traceback to the suspected source computer
6. Analyze the source, target, and intermediate computers
7. Turn your findings and evidentiary material over to corporate investigators or law enforcement for follow-up

Let’s begin this chapter by fitting those steps into the three basic phases of the investigation.