Determining scope of damage:
    compromised data (loss of integrity)
    compromised systems: a common OS, service, network setup, or admin
        practice is more likely to have been exploited by a common vulnerability.
    compromised services, often external (ISP, messaging, credit card
        processing)
    compromised privileges
Determining length of the incident
Determining the cause: repair it so it won't happen again.
    how the incident occurred, what the motive was, why it was not
    deterred:
        exploited vulnerability
        bypassed safeguards
        avoided detection
Determining the responsible party can be difficult:
    often what, how, when, and from where, but not who.
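The first two determinations above (scope of damage and length of the incident) are in practice reconstructed from logs: start from the event that raised the alert, then follow every principal it touches across privilege changes and lateral logins, and record which hosts, accounts and data they reached and when. The script below is an added example, not part of the original notes. Its pipe-separated log format, the sample events, the known-bad source address and the taint-propagation rules (a sudo by a compromised account taints the target account; a login whose source host already has that account compromised taints the same account on the new host) are all constructed assumptions for illustration. Note what it recovers: what, how, when and from where, but not who, which matches the last point above.

```python
"""Reconstructing incident scope and duration from host logs (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample log: timestamp|host|user|action|key=value;key=value
SAMPLE_LOG = """\
2024-03-01T08:02:11Z|web01|svc-app|login|src=203.0.113.5
2024-03-01T08:02:40Z|web01|svc-app|exec|cmd=/bin/sh
2024-03-01T08:05:09Z|web01|root|sudo|by=svc-app
2024-03-01T09:14:50Z|web01|root|read|path=/srv/app/customers.db
2024-03-02T22:31:00Z|db01|svc-app|login|src=web01
2024-03-02T22:33:17Z|db01|svc-app|write|path=/var/lib/db/orders.tbl
2024-03-03T07:45:00Z|web02|alice|login|src=198.51.100.7
"""

# Constructed indicator: the source address the initial alert fired on.
KNOWN_BAD_SOURCES = {"203.0.113.5"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    action: str
    detail: dict


def parse_log(text: str) -> list:
    """Parse the assumed pipe-separated format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, action, detail = line.split("|", 4)
        kv = dict(item.split("=", 1) for item in detail.split(";") if item)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            host, user, action, kv))
    return sorted(events, key=lambda e: e.ts)


@dataclass
class Scope:
    hosts: set = field(default_factory=set)
    principals: set = field(default_factory=set)         # (host, user) pairs
    privilege_gains: list = field(default_factory=list)  # (host, from_user, to_user)
    data_read: set = field(default_factory=set)          # confidentiality impact
    data_written: set = field(default_factory=set)       # integrity impact
    first: Optional[datetime] = None
    last: Optional[datetime] = None

    @property
    def duration(self) -> timedelta:
        return self.last - self.first if self.first and self.last else timedelta(0)


def determine_scope(events: list, bad_sources: set) -> Scope:
    """Taint principals from the seed indicator outward, then collect their activity."""
    taint_time = {}  # (host, user) -> time from which it is treated as compromised

    def taint(principal, ts) -> bool:
        if principal not in taint_time or ts < taint_time[principal]:
            taint_time[principal] = ts
            return True
        return False

    def is_tainted(principal, ts) -> bool:
        return principal in taint_time and ts >= taint_time[principal]

    # Seed: logins from a known-bad source address.
    for e in events:
        if e.action == "login" and e.detail.get("src") in bad_sources:
            taint((e.host, e.user), e.ts)

    # Propagate through privilege gains and lateral logins until stable.
    changed = True
    while changed:
        changed = False
        for e in events:
            if e.action == "sudo" and is_tainted((e.host, e.detail.get("by")), e.ts):
                changed |= taint((e.host, e.user), e.ts)
            elif e.action == "login" and is_tainted((e.detail.get("src"), e.user), e.ts):
                changed |= taint((e.host, e.user), e.ts)

    scope = Scope()
    for e in events:
        p = (e.host, e.user)
        if not is_tainted(p, e.ts):
            continue  # e.g. alice on web02 stays out of scope
        scope.hosts.add(e.host)
        scope.principals.add(p)
        scope.first = e.ts if scope.first is None else min(scope.first, e.ts)
        scope.last = e.ts if scope.last is None else max(scope.last, e.ts)
        if e.action == "sudo":
            scope.privilege_gains.append((e.host, e.detail["by"], e.user))
        elif e.action == "read":
            scope.data_read.add(e.detail["path"])
        elif e.action == "write":
            scope.data_written.add(e.detail["path"])
    return scope


if __name__ == "__main__":
    s = determine_scope(parse_log(SAMPLE_LOG), KNOWN_BAD_SOURCES)
    print("hosts:", sorted(s.hosts), "privilege gains:", s.privilege_gains)
    print("read:", sorted(s.data_read), "written:", sorted(s.data_written))
    print("window:", s.first, "to", s.last, "duration:", s.duration)
```

The time-bounded taint matters: an account is only in scope from the moment evidence ties it to the intrusion, so earlier legitimate activity by the same account is not counted, and activity the propagation never reaches (alice's login on web02) is left out of the damage estimate rather than swept in by host or account name alone.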