SANS Digital Forensics and Incident Response Blog: Author - elwood

NCS vs DRN - Taking Notes

Intro to Notes

If computer forensics is to be taken as a science, a key requirement is that results be repeatable. A key part of repeatability is the quality of your notes.

Notes are an important aspect of an investigation. No matter how good a memory you have, something is bound to slip through the cracks at some point. Take the size of some investigations, the length of time it may take before anyone takes action on your report, and the size of many caseloads, and a lack of notes can be a recipe for disaster. On the other hand, note-taking style is largely a matter of personal preference, with no industry-standard way of approaching the situation. I thought we might talk a bit about the different options and problems that come with note taking, and I hope that some others will chime in with how they approach the problem.


The first question that comes up with note taking is where you want to do it. Low tech has some

The Exam Before Christmas

I wrote this as a joke for my local HTCIA chapter. Hope you all have a Merry Christmas.

Twas the night before Christmas, when all through the lab
Not an examiner was working, except this tired crab.
All the evidence was filed and the forms were all signed,
In hopes that my work would soon be off my mind.

The drives were all wiped and in their special order,
With care taken not to be located next to the audio recorder.
I had documented I wrote to each sector a zero,
Knowing if it came up in court I would be a big hero.

When out of nowhere the doorbell did ring,
And I ran to the door opening it with a mighty swing.
It was my boss delivering me a brand new case,
And wanted it handled with utmost haste!

I hooked up the evidence to my write blocker,
I was moving so quick, just like a punk rocker.
Every action I took that was worthy of note,
Into my notebook the