SecureArtisan

My Road to Digital Forensics Excellence

Repeatable Analysis Steps for Statusing

Posted by Paul Bobby on March 19, 2009

A frequently asked question in class and on forensic forums is “What steps should I take when conducting analysis?” I have blogged on this before, and provided several approaches to case analysis.

This time, let us consider the requirement of case status. Whether in law enforcement or in the corporate realm there is a dual-role requirement for investigations. This dual role separates the investigator from the examiner; typically one investigator, and one or more examiners. The dual role provides a separation of duties, but also permits the agency or corporation to maintain expertise in investigations separate from expertise in forensic examination. I consider these to be highly valued skills, and the individual capable of performing both to excellence is held in high regard.

The timeframe for corporate investigations is much shorter than in law enforcement: often days or weeks versus months or years. Regardless of the timeframe, the investigator has an insatiable appetite for progress and status. How does the examiner provide adequate status to the investigator?

One method is to leverage the concept of repeatable forensic analysis steps and combine those with a standard 0% through 100% qualifier; with that, we have the beginnings of a repeatable status metric.

  • NA: Task not applicable
  • 0%: Task not yet started
  • 33%: Task started
  • 66%: Data collected
  • 100%: Ready for final report
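To show how the qualifier turns a list of repeatable tasks into a status the investigator can read, here is a small tracker written for this post (added example, not the author's code or OneNote template). It validates each task against the five qualifiers above, drops NA tasks from the arithmetic, reports an overall percentage, and groups tasks by stage. The task names are constructed illustrations.

```python
"""Status tracker for repeatable forensic analysis tasks.

Added example using the NA/0/33/66/100 qualifier from the post.
Task names below are constructed, not the author's task list.
"""

from dataclasses import dataclass

# The five qualifiers and the meaning the post assigns to each stage.
STATUS_MEANING = {
    "NA": "Task not applicable",
    0: "Task not yet started",
    33: "Task started",
    66: "Data collected",
    100: "Ready for final report",
}


@dataclass
class Task:
    name: str
    status: object  # "NA" or one of 0, 33, 66, 100

    def __post_init__(self):
        # Reject anything outside the agreed qualifier set so the metric
        # stays repeatable across examiners.
        if self.status not in STATUS_MEANING:
            raise ValueError(f"{self.name}: invalid status {self.status!r}")


def applicable(tasks):
    """Tasks that count toward progress (NA is excluded)."""
    return [t for t in tasks if t.status != "NA"]


def overall_progress(tasks):
    """Mean percentage across applicable tasks; 100 if nothing applies."""
    app = applicable(tasks)
    if not app:
        return 100
    return round(sum(t.status for t in app) / len(app))


def remaining(tasks):
    """Applicable tasks not yet ready for the final report."""
    return [t.name for t in applicable(tasks) if t.status != 100]


def status_report(tasks):
    """Render the metric as a short text status for the investigator."""
    lines = [
        f"Case progress: {overall_progress(tasks)}% "
        f"({len(applicable(tasks))} applicable tasks)"
    ]
    for status, meaning in STATUS_MEANING.items():
        names = [t.name for t in tasks if t.status == status]
        if names:
            lines.append(f"  {status!s:>3} {meaning}: {', '.join(names)}")
    return "\n".join(lines)


# Constructed sample case: five repeatable tasks at different stages.
SAMPLE_TASKS = [
    Task("Timeline reconstruction", 66),
    Task("Internet history review", 33),
    Task("Registry analysis", 100),
    Task("Email extraction", 0),
    Task("Mobile device examination", "NA"),
]

if __name__ == "__main__":
    print(status_report(SAMPLE_TASKS))
    print("Remaining:", ", ".join(remaining(SAMPLE_TASKS)))
```

The overall figure is a plain mean of the applicable tasks, which is deliberately crude: it tells the investigator roughly how far along the examination is, while the grouped listing tells them which tasks still need work.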

What tasks? Well, look at my previous investigation posts and the Microsoft OneNote notebook I use to support investigations. These contain a variety of ideas for repeatable forensic analysis.

What are your thoughts?
