I was mulling over a principle of incident response today and wondered what others in my field might think.

Yes or no: "To operate effectively, incident responders need to be able to obtain at least the same level of access to a system as the attacker has potentially obtained."

@amuse Yes. But potentially with different side effects.

If the attacker has accessed PII and bypassed auditing, I may need, in very limited circumstances, to access the same PII. But auditing must remain on for me. I go through the front door always.

@bassthang I definitely didn't mean to imply unaudited access 😁

But this is a great use case. If the attacker potentially accessed PII, then you need your response team to access the PII so that they can notify people that their PII may have been accessed!