Five Investigation Output Types
framework
Core idea
Defining outputs early is overlooked but critical: if the client doesn’t know what they’re getting, the investigation drifts, expands, or becomes unusable. Anchoring outputs before analysis sets expectations, determines scope, and prevents scope creep. Once outputs are fixed, methodology, priorities, and stakeholder management all sharpen.
Components
- Narrative summary: executive-readable, plain-English, chronological account of what happened, who was involved, and key findings up front with evidence cited inline. Usually the first thing a stakeholder or legal team reads.
- Fund-flow diagram: visual trace of asset movement across addresses, chains, and endpoints; shows obfuscation points (mixers, bridges) and likely endpoints (CEXes, cash-outs). Without a visual, stakeholders miss the complexity of a trace.
- Attribution / intelligence profile: blends OSINT (usernames, domains, social footprints, linked infrastructure) with on-chain behaviour (wallet clusters, behavioural signatures). Useful even when attribution isn’t achievable but intelligence supports a decision.
- Evidence pack & legal documentation: screenshots, file hashes, reproducibility steps, chain-of-custody records, methodological notes; every claim backed by a reproducible artefact. For litigation, subpoenas, RFIs, disciplinary processes.
- Risk assessment / mitigation recommendations: prioritised, time-bound, decision-ready actions (freeze access, block counterparties, notify regulators, patch exposures) aimed at reducing immediate harm rather than proving a case.
When to use
At intake/scoping, to fix the deliverable(s) before any analysis begins.
Example
A compliance client’s case is scoped to a risk assessment with prioritised freeze/block recommendations, not a court-grade evidence pack, so the trace stops at actionable exposure rather than exhaustive attribution.
Related
Five Investigation Goal Types, Intake Triage Checklist, Five Evidence Preservation Principles
Last updated on