SANS Digital Forensics and Incident Response Blog: Author - jmbutler1

Lawyers Can Help You Document

Notebook photo courtesy of adulau at flickr.com

It is widely accepted that technical people don't document their work. That has proven, anecdotally, to be true among the techs with whom I work. If documentation gets done at all by techs, it is the very last thing completed, and usually needs to be reworked a few times before it's usable. However, forensics requires good documentation. Legal expects and needs most the thing we often would like to put off or skip entirely.

Michael R Anderson, of New Technologies, Inc., a forensics services firm, writes that "proper documentation of the steps taken during the evidence


EnCase and Checkpoint PointSec - I'm Not Feeling the Love!

Hard Disk photo courtesy of Jeff Kubina

EnCase cannot directly access PointSec encrypted hard drives. I understand that PointSec (owned by Checkpoint) may be talking to EnCase and working on a decryption solution. Today, however, there is no seamless way to forensically access PointSec encrypted data without going through a decryption of the hard drive first. More information may be found at