Clients often expect a hacking investigation to look like the movies. In practice it looks like disciplined evidence work, with the same rhythm as any other forensic instruction.
The stages
- Intake: understanding what happened, what the client fears, and what needs to be protected first.
- Preservation: images of affected devices, exports of account logs, isolation of compromised accounts.
- Analysis: identifying the vector, the timeline and the material accessed or taken.
- Attribution, where possible: linking activity to accounts, infrastructure or individuals.
- Reporting: a written report that supports internal action, insurance claims or proceedings.
What the report will tell you
A good report will say what is known, what is likely, and what cannot be determined from the available evidence. It will resist the temptation to overclaim attribution, which is where most cyber reports fall over on cross examination.

