Individual artifacts (a Registry key or value, a Windows Event Log record, etc.) may be a high-fidelity indicator, but lack the context we usually find in artifact clusters. Artifact clusters, or "clusters of clusters", are
During active IR, we have to be aware of artifact or evidence "oxidation", as the elements of the clusters begin to dissolve over time. (2/n)
Not grasping the full scope of the artifact clusters, and understanding (3/n)
As responders/analysts, we have to remember that the findings we provide are very likely going to be used by someone (4/n)
If you "like" it, share why.