Friday, August 12, 2011

Investigation Plans

I presented Sniper Forensics at two different conferences this past week and I am, honestly, still alarmed by the number of investigators that still don't create an investigation plan at the beginning of a case. So, to sound like a broken record... If you are currently working cases and NOT creating an investigation plan... START.

Here is what I do...

First, I open Case Notes and open my custom tab that I have labeled, "Investigation Plan".

Second, I sit back and think about what it is that I have been asked to do. This will obviously change from case to case, agency to agency, and person to person, but the general goal should be the same. You have been asked to identify something for some reason. You are not conducting the investigation for the sake of the investigation itself.

Once I have my overall goal, I write it down in my Case Notes... "I have been asked to confirm blah."

Third, I brainstorm on the "stuff" I will likely need to accomplish my goal. Will I need logs, will I need to interview customer (victim) employees, will I need timeline data, registry data...whatever.

Fourth, I use my tab that I have labeled "Questions", and I ask myself questions that, based on the data I just brainstormed, should help me to accomplish my overall goal. Throughout the investigation, I answer my questions. These answers will either terminate my line of thinking in that area and provide me with a new theory, or support my theory, enabling me to continue down the same path.

Following this brief but very useful exercise will give clarity to my investigation as well as provide success indicators so that I know I have found what I am looking for! Without a clear idea of what you have been asked to do, an investigator can easily become lost in the "Fog of Forensics" and his case can grind to a standstill.

If you are using Investigation Plans...Good on you! If you are not...start...I promise you will see significant and immediate benefits!

Now...that pretty much concludes

1 comment:

  1. Funny that I find this post just as I look away from a Case that has got away from me. It is snowballing as I dig further into it. And the fact that I took a week off from it... and that I did not IMAGE the drives... just exported the data due to drive size, leaves me confused and a bit lost. I have to start again clean... just to figure out where I was... and where I currently AM. Maybe a Gameplan or Investigation Plan would be in order...