I don't accept "AV is breaking backups" as a conclusion — that's a hypothesis. I translate it into testable statements: did AV quarantine a file? Did it cause I/O contention? Did it block a process? I only close the claim when I can show the exact mechanism and a timeline that actually fits.

The timeline is the spine of every investigation. I anchor on first known good, first known bad, policy change times, automation execution windows, and system event timestamps. Then I look for cause-worthy adjacency — a symptom that begins inside the plausible window of a high-privilege action. If the timing doesn't fit, the theory doesn't hold.

Even when I'm not doing a legal forensic acquisition, I behave like I might need to defend my findings later. Raw log excerpts with timestamps and source context. Screenshots when GUI evidence matters. Hostnames, versions, policy IDs, agent versions — all noted. I also separate what I observed directly from what was reported to me. The goal isn't lots of notes. It's high-signal notes that stand on their own.

This is where most troubleshooting writeups fail. Correlation is easy. Mechanism is harder. If AV is suspected I look for quarantine logs, remediation events, detection names, file paths, and process lineage. If automation is suspected I identify the exact job, the specific actions it performed, and whether I can map each one to a symptom. I don't call something "interference" unless I can show the full chain from action to impact.

Every fix I make is controlled, reversible, and verified. Pre-checks confirm the condition exists and capture a before state. The remediation is the smallest viable change. Post-checks confirm it's resolved and record the after state. Rollback steps exist before I touch anything. I'm not going to close one outage and open a different one because I moved too fast.

My ticket notes are structured so a peer can pick up the case without any tribal knowledge. Facts observed. Evidence and where it came from. Hypotheses considered and why they were accepted or rejected. Tests and results. Root cause with a mechanism. Remediation, verification, rollback plan, and residual risk. Closing the ticket is not the finish line. Closing it in a way that survives audit is.