
… that did not initially produce the expected result might subsequently have different outcomes. As a best practice, the initial hypothesis, the investigation technique and the lessons learned should become part of an internal knowledge base that is used to drive future investigations.
What is the layout of the network? What operating systems are running in the network? What tools and services are running on the operating systems? What (or where) are the critical assets in the network? (Use questions like these to determine what is normal and abnormal in the network.)