My interview on CyberSpeak is now available.
Thanks to Ovie Carroll and George Starcher for taking the time to interview me! I hope your ratings don't drop too much =).
This blog is dedicated to Digital Forensics and Incident Response: tools, techniques, policies, and procedures.
Monday, August 29, 2011
Tuesday, August 16, 2011
CyberSpeak Interview
I just finished an interview with Ovie Carroll on CyberSpeak! It should be posted in about two weeks! Give it a listen!
Talked about Sniper Forensics and how it rocks the hizzie!
Friday, August 12, 2011
Investigation Plans
I presented Sniper Forensics at two different conferences this past week and I am honestly still alarmed by the number of investigators who still don't create an investigation plan at the beginning of a case. So, to sound like a broken record... If you are currently working cases and NOT creating an investigation plan... START.
Here is what I do...
First, I open Case Notes and open my custom tab that I have labeled, "Investigation Plan".
Second, I sit back and think about what it is that I have been asked to do. This will obviously change from case to case, agency to agency, and person to person, but the general goal should be the same. You have been asked to identify something for some reason. You are not conducting the investigation for the sake of the investigation itself.
Once I have my overall goal, I write it down in my Case Notes... "I have been asked to confirm blah."
Third, I brainstorm on the "stuff" I will likely need to accomplish my goal. Will I need logs, will I need to interview customer (victim) employees, will I need timeline data, registry data...whatever.
Fourth, I use my tab that I have labeled, "Questions", and I ask myself questions that, based on the data I just brainstormed, should help me to accomplish my overall goal. Throughout the investigation, I answer my questions. These answers will either terminate my line of thinking in that area and provide me with a new theory, or support my theory, enabling me to continue down the same path.
Following this brief but very useful exercise will give clarity to my investigation as well as provide success indicators so that I know I have found what I am looking for! Without a clear idea of what you have been asked to do, an investigator can easily become lost in the "Fog of Forensics" and his case can grind to a standstill.
If you are using Investigation Plans...Good on you! If you are not...start...I promise you will see significant and immediate benefits!
Now...that pretty much concludes