Which phase of the incident response process involves identifying indicators of compromise and determining the scope of an attack?