Repeatable Analysis Steps for Statusing

Posted by Paul Bobby on March 19, 2009

A frequently asked question in class and on forensic forums is “What steps should I take when conducting analysis?” I have blogged on this before, and provided several approaches to case analysis.

This time, let us consider the requirement of case status. Whether in law enforcement or in the corporate realm there is a dual-role requirement for investigations. This dual role separates the investigator from the examiner; typically one investigator, and one or more examiners. The dual role provides a separation of duties, but also permits the agency or corporation to maintain expertise in investigations separate from expertise in forensic examination. I consider these to be highly valued skills, and the individual capable of performing on both to excellence is held in high regard.

The timeframe for corporate investigations is much shorter than in law enforcement: often days or weeks versus months or years. Regardless of the timeframe, the investigator has an insatiable appetite for progress and status. How does the examiner provide adequate status to the investigator?

One method is to leverage the concept of repeatable forensic analysis steps and combine those with a standard 0% through 100% qualifier; with that, we have the beginnings of a repeatable status metric.

  • NA: Task not applicable
  • 0%: Task not yet started
  • 33%: Task started
  • 66%: Data collected
  • 100%: Ready for final report

What tasks? Well, look at my previous investigation posts and the Microsoft OneNote notebook I use to support investigations. These contain a variety of ideas for repeatable forensic analysis.
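To show how the qualifier scale above turns a task list into a roll-up an investigator can read at a glance, here is an added example (my own code, not from the original post or its OneNote notebook). It assumes a small set of placeholder task names standing in for whatever repeatable analysis steps a case uses; the status values are the five from the list above, with NA excluded from the overall percentage so that marking a task not applicable neither inflates nor drags down progress.

```python
"""Repeatable status metric for forensic examination tasks.

Added example, not from the original post. The task names in
build_example_case() are constructed placeholders for the kind of
repeatable analysis steps the post refers to; the status scale is the
one the post lists.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Status qualifiers from the post. NA maps to None so it is excluded
# from the overall progress calculation rather than counted as 0%.
STATUS_SCALE: Dict[str, Optional[int]] = {
    "NA": None,              # task not applicable to this case
    "not started": 0,
    "started": 33,
    "data collected": 66,
    "ready for report": 100,
}


@dataclass
class Task:
    """One repeatable analysis step and the examiner's current status for it."""
    name: str
    status: str = "not started"
    note: str = ""

    def __post_init__(self) -> None:
        # Reject anything outside the agreed scale so reports stay comparable.
        if self.status not in STATUS_SCALE:
            raise ValueError(f"unknown status {self.status!r} for task {self.name!r}")

    @property
    def percent(self) -> Optional[int]:
        return STATUS_SCALE[self.status]


@dataclass
class CaseStatus:
    """Task list for one case plus the roll-up an investigator asks for."""
    case_id: str
    tasks: List[Task] = field(default_factory=list)

    def update(self, name: str, status: str, note: str = "") -> None:
        """Set the status of an existing task, validating the value first."""
        if status not in STATUS_SCALE:
            raise ValueError(f"unknown status {status!r}")
        for task in self.tasks:
            if task.name == name:
                task.status = status
                task.note = note
                return
        raise KeyError(f"no task named {name!r}")

    def applicable_tasks(self) -> List[Task]:
        """Tasks that count toward progress (everything except NA)."""
        return [t for t in self.tasks if t.percent is not None]

    def overall_percent(self) -> int:
        """Mean of the applicable tasks' percentages, rounded to a whole number."""
        applicable = self.applicable_tasks()
        if not applicable:
            return 0
        return round(sum(t.percent or 0 for t in applicable) / len(applicable))

    def report(self) -> str:
        """Plain-text status suitable for pasting into a case update."""
        lines = [f"Case {self.case_id}: {self.overall_percent()}% overall "
                 f"({len(self.applicable_tasks())} applicable tasks)"]
        for t in self.tasks:
            shown = "NA" if t.percent is None else f"{t.percent:>3}%"
            suffix = f" - {t.note}" if t.note else ""
            lines.append(f"  [{shown}] {t.name}{suffix}")
        return "\n".join(lines)


def build_example_case() -> CaseStatus:
    """Constructed sample case with placeholder task names (not from the post)."""
    case = CaseStatus("CASE-EXAMPLE-001", [
        Task("Evidence imaging and hash verification"),
        Task("Filesystem timeline construction"),
        Task("Browser history review"),
        Task("Email store review"),
        Task("Registry hive review"),
    ])
    case.update("Evidence imaging and hash verification", "ready for report",
                "image hashes verified against acquisition log")
    case.update("Filesystem timeline construction", "data collected")
    case.update("Browser history review", "started")
    case.update("Email store review", "NA", "no mail client installed on the host")
    return case


if __name__ == "__main__":
    print(build_example_case().report())
```

Running the script prints the per-task lines plus a single overall figure (50% for the constructed case: 100, 66, 33 and 0 averaged over the four applicable tasks, with the NA task left out of the denominator). Keeping the scale in one place and rejecting any other value is what makes the metric repeatable across examiners and cases.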

What are your thoughts?
