New #cyphercon talk

Great opening.
We aren’t taught to investigate. We are taught to analyze. These are not the same.

Structure is needed.

If they ask how long, tell them what you plan to do. Shows you have a plan.

Forensics means it’s done. IR means ongoing.
Not sure I agree, this is more philosophical.

Don’t just move from unknown to known. You have to move further to provable.

Scientific method.
Observe.
Question.
Hypothesize.
Test.
Conclusion.

Best use of MITRE ATT&CK - common taxonomy.
Consistent vocabulary.

ADAPT

Approach
Disco
Association
Profile
Timeline

Cisco guy loves acronyms

Approach

Have a plan. Ruskies don’t take dumps without a plan (even if it’s dumb).

Identify win conditions. Win conditions are different for different teams.

Ask the right questions.

Plan your documentation structure.
Build templates.

Assign a scribe. (Like this. Because I already do it).

Doc method - cloud or local, txt or word doc, etc.

Know where to look. Prioritize evidence sources.

Logs
Sec tools
Threat Intel
Forensic analysis
Triage

@infoseclogger

  • Fedi
  • RSS
  • ...
  • Vendor advisories