This is my mental model for an investigation:
while there are more leads: generate more leads from the existing leads
For example, say you're forensically analyzing a hard disk.
- You typically start off with a lead
- You generate additional leads by doing keyword searches and timeline analysis
- You repeat this process until you run out of leads
INCIDENTS supports this mental model by letting you mark a ticket as a lead.
Once you do this, you can view all an incident's leads on one page: