Conducting Breach Investigation Forensics

Overview

When a personal data breach is confirmed, a thorough forensic investigation is essential to determine the breach scope (which personal data and data subjects were affected), the attack vector, the timeline of unauthorized activity, and the root cause. The investigation findings directly feed into the Art. 33 supervisory authority notification, the Art. 34 data subject communication, and the post-breach remediation plan. This skill provides the complete forensic investigation workflow, evidence handling procedures, and analysis techniques.

Evidence Preservation Protocol

Golden Rule: Preserve First, Analyze Second

The first priority upon breach confirmation is to preserve volatile evidence before it is overwritten or destroyed. Evidence must be collected in order of volatility:

1. CPU registers and cache — captured via live memory acquisition tools (Volatility, WinPmem, LiME).
2. Memory (RAM) contents — full memory dump of affected systems. Contains running processes, network connections, encryption keys, and malware artifacts that may not exist on disk.
3. Network connections and routing tables — current active connections may reveal command-and-control (C2) infrastructure or ongoing data exfiltration.
4. Running processes and services — process trees, loaded DLLs, open file handles, and user context.
5. Disk contents — forensic disk images (bit-for-bit copies) of affected system storage. Use write blockers for physical media.
6. Log files — system logs, application logs, security logs, database audit logs. Prioritize logs that may be subject to rotation or overwrite.
7. Network traffic captures — packet captures (PCAP) from network taps, SPAN ports, or inline capture points.