
I did a few talks covering “Analysis without Paralysis” over the past year, and every time I finished I immediately thought I need to get this documented. Well, today I’ve taken the first step.
I’ve always struggled to learn, and to teach others, how to analyze and think through an investigation. You have likely seen several examples of how to analyze specific forensic artifacts, scenario-based playbooks, or usage of specific tools. However, those resources seem to miss a fundamental aspect of analysis: how it folds into the larger investigation.
There is always a reason you are analyzing something, and we are seldom taught what to do with the results of our analysis. Beyond that, we are infrequently taught how to decide what to analyze in the first place.
Herein lies the problem: we are never taught how to investigate.
So I’ve taken my experience to create a framework that organizes your brain when performing analysis of any evidence source. I wanted to create a way of thinking that is human-centric, not technology-first. At the end of the day, the tools and artifacts will change, but a human provides the input. Everything I describe is heavily biased toward the incident response (IR) perspective, but I hope you see how it can apply to any investigation. I want to teach you to ADAPT.
Investigations unravel chaos. If done well, they move us from “something feels off” to “here’s what happened, when, and why.” The challenge is that most of us are trained to analyze artifacts, not to investigate systematically. That’s where ADAPT shines: a human-centric framework that adds structure without slowing you down:
- Approach
- Discovery
- Association
- Profile
- Timeline
Approach: Set the stage before you rush in
Approach is about intent and organization. You define objectives, outline the plan, and decide how and what evidence to capture. The goal is to avoid “jumping in,” which leads to missed context and burnout. A good Approach establishes what success looks like, asks the right questions, and creates a way to take notes you can maintain under pressure. It’s less about tools and more about clarity and knowing where to look.
Discovery: Gather and interpret the evidence
Discovery is your systematic interpretation of the available evidence sources. You collect what’s relevant and record your findings in a way others can understand. This is the information-gathering phase: start answering the questions you have and build a written database of what you “see”. Your notes are crucial, and you must ensure you capture what happened, where you saw it, and when. Discovery builds your foundation: consistent timestamps, clear descriptions, and enough context to make sense of the events.
Association: Connect events into a narrative
Association turns individual findings into a story. You stack events side by side, compare what fits, flag what doesn’t, and begin to see the chain of events. Normalization keeps time formats and terminology consistent so you aren’t comparing apples to oranges. Association is where patterns emerge, helping you separate noise from findings and prepare for reporting.
Profile: Add intelligence to sharpen the narrative
Profile introduces relevant knowledge without trying to be encyclopedic. You capture what is known about the behaviors and indicators you’ve observed. Use threat intelligence and existing documentation to answer three questions: have we seen this before, does it map to a common technique, and does any intelligence change our interpretation? The point isn’t to classify everything, but to give your analysis context from the outside, increase confidence, guide searches, and inform decisions.
Timeline: Present the chain of events clearly
Timeline is where the work pays off. You lay out events in time order, annotate who, what, and where, and make the sequence easy to digest. A strong timeline is the backbone of your final report. It shows progression, impact, and resolution without forcing the reader to wade through blocks of text. By this stage, you’re no longer piecing things together; you’re communicating what happened.
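As an added illustration of the Discovery-to-Timeline flow (this is my own example code, not part of the original post), the script below records findings as what/where/when notes, normalizes timestamps from three sources with three different conventions to UTC, and sorts them into a timeline. The `Finding` fields, the `source_offset_h` convention (the UTC offset a source writes in, noted during collection), and the sample log entries are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Finding:
    """One Discovery note: what happened, where you saw it, and when."""
    what: str               # what happened
    where: str              # evidence source it was seen in
    when_raw: str           # timestamp exactly as the source recorded it
    source_offset_h: float  # UTC offset the source writes in, used if it omits one

def normalize(f: Finding) -> datetime:
    """Return the finding's time as an aware UTC datetime.

    A naive timestamp is interpreted in the source's own offset, never in the
    analyst's local zone; that is the apples-to-oranges trap this avoids.
    """
    raw = f.when_raw.strip().replace("Z", "+00:00")  # older fromisoformat needs +00:00
    ts = datetime.fromisoformat(raw)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone(timedelta(hours=f.source_offset_h)))
    return ts.astimezone(timezone.utc)

def build_timeline(findings):
    """Association/Timeline: stack the findings side by side in true UTC order."""
    return sorted(((normalize(f), f) for f in findings), key=lambda p: p[0])

def render(timeline):
    """Timeline lines in the form: when (UTC) | where | what."""
    return [f"{t:%Y-%m-%dT%H:%M:%SZ} | {f.where} | {f.what}" for t, f in timeline]

# Constructed sample notes (not real case data): three sources, three timestamp
# conventions, written down in the order they happened to be discovered.
FINDINGS = [
    Finding("Outbound connection to unfamiliar host", "firewall log",
            "2025-11-30 15:05:00", -5),              # local time, no offset
    Finding("Logon 4624 from a new device", "Windows Security log",
            "2025-11-30T19:58:11Z", 0),              # UTC with Z suffix
    Finding("Suspicious attachment opened", "proxy log",
            "2025-11-30T20:50:00+01:00", 1),         # explicit offset
]

if __name__ == "__main__":
    for line in render(build_timeline(FINDINGS)):
        print(line)
```

Read raw, the firewall entry looks earliest; once normalized, the attachment was opened first, the logon followed, and the outbound connection came last, which is the order the report must tell.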
Why ADAPT works
ADAPT keeps you focused and consistent. It helps you avoid blind spots, reduce rework, and produce artifacts (notes, indicators, timelines) that can be reused across cases. Most importantly, it makes your findings credible and your reporting fast. Follow it, and your final deliverables are already 80% done as you work. I know reading this may feel lacking, so I promise I will be sharing much more detail and examples of how to put all of this together. If you are interested in learning more about it sooner, check out my slides from past talks I’ve done about “Analysis without Paralysis”.
What’s next
In the coming posts, I’ll dive deep into each step, showing how to set practical objectives in Approach, structure notes for Discovery, link events in Association, fold in intelligence during Profile, and turn everything into a crisp Timeline. If this sounds familiar, it should: this is a continuation of my original Investigation Framework, with a particular focus on the Analysis step.
ADAPT isn’t about perfection. It’s about giving the human behind the keyboard some structure. Start with the framework, and your analysis gets sharper, your narratives get cleaner, and your outcomes become provable.