If you can see it, you can get to it.
When I think through the parts of an event analysis, I look to put things in order and in perspective on my way from a hypothesis to a conclusion. Putting together a thought outline that works for me was a good excuse to test out LucidChart.
In my example, I start by enumerating the actor’s profile and the activity that generated the signal. If I can source, trace, and verify each detail pulled out of the logs, connecting the activity to an IP, a piece of hardware, an application, a procedure, and an owner, I can build out the story and resolve my open questions one link at a time. When the case requires input from an investigation partner like human resources, you’ll have a solid frame of notes and findings to rely on for that discussion.
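To make that chain concrete, here is an added example (my own code, not from the original post) that walks the same path in Python: pull the actor, source IP, and activity out of constructed auth-log lines, then try to connect the IP to a host, the host to an application and owner, and the owner to an approved procedure. Every answer is recorded with the source it came from, and any link that cannot be verified stays an open question. The log lines, hostnames, user names, IPs, DHCP lease table, asset inventory, and change record are all made up for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample evidence. None of this comes from the original post:
# the log lines, hosts, user, IP, lease table, inventory and change ID are
# invented so the example runs offline.
AUTH_LOG = [
    "2024-03-02T02:14:07Z fin-db-01 sshd[4123]: Accepted publickey for svc_backup from 10.20.4.17 port 51022",
    "2024-03-02T02:14:09Z fin-db-01 sudo: svc_backup : COMMAND=/usr/bin/rsync -a /srv/finance /mnt/ext",
]
DHCP_LEASES = {"10.20.4.17": "bkp-host-03"}                      # IP -> hardware
ASSETS = {"bkp-host-03": {"application": "nightly-backup", "owner": "infra-team"}}
CHANGES = {("infra-team", "nightly-backup"): "CHG-0042: nightly rsync of /srv/* to external volume"}

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)"
)
SUDO_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sudo: (?P<user>\S+) : COMMAND=(?P<cmd>.+)$")


@dataclass
class Finding:
    """One question in the outline, the answer (if any), and where it came from."""
    question: str
    answer: Optional[str]
    source: str

    @property
    def verified(self) -> bool:
        return self.answer is not None


@dataclass
class Case:
    hypothesis: str
    findings: list = field(default_factory=list)

    def ask(self, question: str, answer: Optional[str], source: str) -> Optional[str]:
        """Record a question with its sourced answer; return the answer for chaining."""
        self.findings.append(Finding(question, answer, source))
        return answer

    def open_questions(self) -> list:
        return [f.question for f in self.findings if not f.verified]

    def conclusion(self) -> str:
        # A complete analysis does not have to prove malice: if every link is
        # sourced and the activity maps to an approved procedure, the activity
        # is anomalous but accounted for. Any unverified link keeps it open.
        return "anomalous but accounted for" if not self.open_questions() else "unresolved"


def analyze(log, leases, assets, changes, hypothesis: str) -> Case:
    """Walk signal -> actor -> IP -> hardware -> application/owner -> procedure."""
    case = Case(hypothesis)
    login = next(filter(None, map(SSHD_RE.match, log)), None)
    sudo = next(filter(None, map(SUDO_RE.match, log)), None)
    if login is None:
        case.ask("which actor generated the signal?", None, "auth log (sshd)")
        return case

    user = case.ask("which actor generated the signal?", login["user"], "auth log (sshd)")
    ip = case.ask(f"from which IP did {user} connect?", login["ip"], "auth log (sshd)")
    case.ask(f"what did {user} do after logging in?", sudo["cmd"] if sudo else None, "auth log (sudo)")
    host = case.ask(f"which hardware holds {ip}?", leases.get(ip), "DHCP lease export")
    asset = assets.get(host) if host else None
    app = case.ask(f"which application runs on {host}?", asset["application"] if asset else None, "asset inventory")
    owner = case.ask(f"who owns {host}?", asset["owner"] if asset else None, "asset inventory")
    case.ask("is this an approved procedure?", changes.get((owner, app)), "change records")
    return case


def report(case: Case) -> str:
    lines = [f"Hypothesis: {case.hypothesis}"]
    for f in case.findings:
        mark = "verified" if f.verified else "OPEN"
        lines.append(f"  [{mark}] {f.question} -> {f.answer} (source: {f.source})")
    lines.append(f"Conclusion: {case.conclusion()}")
    return "\n".join(lines)


if __name__ == "__main__":
    case = analyze(AUTH_LOG, DHCP_LEASES, ASSETS, CHANGES,
                   "svc_backup copying /srv/finance off-host at 02:14 is exfiltration")
    print(report(case))
```

The point of the `Finding` record is that the frame survives the analysis: if the DHCP export is missing, the chain stops at "which hardware holds 10.20.4.17?" and the case stays unresolved rather than silently jumping to an owner. That list of open questions is exactly what you carry into a conversation with an investigation partner.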
One of the reasons I chose this scenario as an example is that I believe a successful analysis is a complete analysis: thorough, to your own quality bar, but not necessarily ending in proof of malicious activity. Establishing that an activity is anomalous yet acceptable is a perfectly good outcome.
You don’t have to catch a bad guy to do a good job.
Build a structure that works for you. Once you establish your flow and create a template, you’ll start to save some time without sacrificing quality. Find your flow and go catch yourself some answers.