When an incident takes place, the CIRT must decide whether it plans to pursue legal action against the offender. If it does, certain steps must be taken to ensure the forensic evidence gathered will be admissible in court. Until that decision is made, the team should proceed on the assumption that legal action will be taken, so that evidence is handled properly from the start.
Incident investigators should attempt to answer the same questions a journalist investigating a story pursues:
Who is responsible for the incident? An insider or an outsider?
What type of incident took place? Was it a Web site defacement? A denial-of-service attack?
When did the incident take place?
Why did the incident take place? What was the motivation of the hacker?
Where did the ...