Six Core Investigation Questions
framework
Core idea
Every blockchain/OSINT investigation exists to establish clarity out of noisy, fragmented, often-obfuscated data. Whatever the case, it ultimately answers one or more of six questions, and all of them serve a single purpose: enabling informed decision-making.
Components
- What happened?: establish facts, timelines, events
- Who is involved?: attribution, personas, infrastructure, behaviour
- How did it occur?: mechanism, vulnerability, method
- Where did assets or data move?: fund movements, digital footprints, threat activity
- What risks remain?: ongoing exposure, further loss potential
- What actions should be taken?: recovery, freezing, reporting, mitigation
When to use
At the outset of any case, to anchor why you are investigating before choosing goals or scope; use it to frame the written objective the client signs off on.
Example
A drained-wallet case answers “what happened” (the drain), “where did assets move” (the trace to a CEX deposit), “who is involved” (attribution where KYC-linkable), and “what actions” (a properly-formed LE request to freeze).
Related
Five Investigation Goal Types, Translate Stakeholder Wants into Investigable Questions
Last updated on