Skip to Content
Casework MethodSix Core Investigation Questions

Six Core Investigation Questions

framework

Core idea

Every blockchain/OSINT investigation exists to establish clarity out of noisy, fragmented, often-obfuscated data. Whatever the case, it ultimately answers one or more of six questions, and all of them serve a single purpose: enabling informed decision-making.

Components

  • What happened?: establish facts, timelines, events
  • Who is involved?: attribution, personas, infrastructure, behaviour
  • How did it occur?: mechanism, vulnerability, method
  • Where did assets or data move?: fund movements, digital footprints, threat activity
  • What risks remain?: ongoing exposure, further loss potential
  • What actions should be taken?: recovery, freezing, reporting, mitigation

When to use

At the outset of any case, to anchor why you are investigating before choosing goals or scope; use it to frame the written objective the client signs off on.

Example

A drained-wallet case answers “what happened” (the drain), “where did assets move” (the trace to a CEX deposit), “who is involved” (attribution where KYC-linkable), and “what actions” (a properly-formed LE request to freeze).

Five Investigation Goal Types, Translate Stakeholder Wants into Investigable Questions

Last updated on