Digital investigators would benefit from understanding techniques used in a traditional physical crime scene investigation. Too often, investigators obtain the known compromised systems, examine them, and neglect the surrounding network — and consequently the larger crime scene.
That is why I encourage a new, more thorough forensic method, developed through years of hands-on investigations with major network breaches, and adapted from traditional forensic techniques. I call it the "Three-Phase Forensic Method."
Phase One involves the use of conventional forensics. Use conventional forensic techniques to obtain data that is attributable to the attacker. Use the logs and audit systems to conduct the investigation to its conclusion.
In Phase Two, create an attacker profile using the information collected in Phase One. This includes: filenames, checksums, binary strings, specific sequences of bytes — anything that can be attributed specifically to the attacker.
Finally, use the attacker profile to see all the other systems within that logical network segment for evidence matching the profile during Phase Three.
While this type of full-network investigation may seem intimidating, there are both open source and commercial tools that can make it much easier — and they are making improvements all the time.