Determining scope of damage:
compromised data (loss of integrity)
compromised systems: systems sharing a common OS, services, network, or admin are more likely to have been exploited by a common vulnerability.
compromised services, often external (ISP, messaging, credit card processing)
Determining length of the incident
Determining the cause: repair it so it won't happen again.
how the incident occurred, what the motive was, why it was not deterred
Determining the responsible party can be difficult.
often what, how, when, and from where can be determined, but not who.