What to document

When it comes to documenting an incident, it is not difficult to determine what should be documented. The five W's, and sometimes How, are an excellent foundation for deciding what to record during an incident. Another useful piece of wisdom about documentation, especially where the legal implications of security incidents are concerned, is the axiom "if you didn't write it down, it didn't happen." This statement drives home the point that proper documentation should contain as much detail as the incident response analyst can provide. Analysts may be involved in an incident that ends up in a civil proceeding. The wheels of justice often move slowly, and an analyst may be called to the ...