Gary's House Gets Burgled.
Six phases. Gary lives through every one. The lesson at the end is the most important: recovery is not the same as restoration.
Gary's a careful bloke. He's put locks on every door, installed a Ring doorbell, written the police number on a sticky note by the phone, and hidden a spare key under a rock. Nothing's happened yet. He's just getting ready.
That's Preparation — controls, monitoring, plans, backups. Before anything goes wrong. The phase that makes every other phase possible.
3am. The Ring doorbell pings. Gary checks the footage — someone's trying the back door. He watches closer. They're inside. Going room by room. He's figuring out: who is this, how'd they get in, how bad is it?
That's Detection and Analysis — alerts fire, you investigate, you scope the damage. Don't act yet. Understand first.
Gary doesn't chase the burglar. He quietly locks the bedroom door from outside, trapping them in. Then he moves his laptop and wallet to the car.
That's Containment — isolate the threat, preserve what matters. Short-term containment (trap them in one room). Long-term containment (move valuables to safety).
Evidence collection follows the order of volatility: grab the CCTV footage first (volatile — gets overwritten), then the broken lock (physical — stays put). RAM first, disk second, logs third, physical last. Most fragile first.
Police take the burglar. Gary checks — the back door lock was a cheap one from Poundland. He rips it off and installs a proper deadbolt. He also finds the burglar left a backpack — he bags it for the police.
That's Eradication — remove the attacker's tools AND fix the weakness they exploited. Blocking an IP is containment. Fixing the bad lock is eradication. Both are required.
Gary moves the laptop back. He walks through every room — nothing missing, nothing broken. He tests the new deadbolt — locks it, unlocks it, locks it again. He watches the Ring footage for a few days, just in case.
That's Recovery — restore, verify the fix works, monitor for a while. Recovery includes VERIFICATION. Don't just restore — prove the fix works.
A week later, Gary's at the pub. "Back door lock was rubbish, should've replaced it ages ago. And I need motion sensors, not just a doorbell. Oh, and the spare key under the rock — terrible idea."
That's Lessons Learned — what went wrong, what to improve. Always the LAST phase. Meeting while memory is fresh.
The police also make Gary fill out a form: who found the evidence, when, how it was handled, where it's stored now. Unbroken chain from Gary's house to the courtroom. That's the chain of custody.
Recovery is not the same as restoration. You don't just put the laptop back. You prove the new deadbolt works. You watch the footage for three days. Then, and only then, is it recovery. — Story 05 · Incident Response