Just a reminder, if you are dealing with a security incident you really can't rush it. IR can take time. If you rush, you'll get it wrong.

Everyone gets stressed, but good management is needed to ensure it's a methodological process. This is the difference between win/lose here.
As one of my heroes said, and I often repeat:

"If you are moving too fast to keep detailed IR notes, you are moving too fast"

The more you rush the more mistakes will happen. This is not a sign of missing skill, it's basically a law of physics.
This isn't saying go slow and bill by the hour. It's saying be aware that things take time. Immature organisations will scream for fast action, but that's just panic. It will often be a rush to mess up & spend longer un-messing things.
Tl;dr: a steady, methodological approach is the ONLY sensible way to do DFIR. Don't panic-rush things.
You can follow @tazwake.