SANS Digital Forensics and Incident Response Blog: Tag - preparation

Intro to Report Writing for Digital Forensics

So you've just completed your forensic examination and found that forensic gem or smoking gun in your case, so how do you proceed? Depending on where you fall as a forensicator (e.g., law enforcement, intelligence, criminal defense work, incident response, e-discovery) you will have to report your findings. Foremost, find out what type of work product you are going to be required to produce to the client, attorney, etc. This will be your guide for completing your report. While the report writing part of the digital forensic examination process is not as fun as the forensic analysis, it is a very important link in the chain as Dave Hull summed it up here in a tweet.

As digital forensic examiners/analysts, we must report and present our findings on a very technical discipline in a simplistic manner. That may be to a supervisor, client, attorney, etc. or even to a judge and jury who will read and interpret your

...


You will be hacked, will you be prepared?

"Hope for the best, prepare for the worst." — English proverb

"Before anything else, preparation is the key to success." — Alexander Graham Bell

Forensic analysts and the organizations employing them can simplify and expedite the forensic analysis process with preparation. If you accept that system compromise is a matter of when not if, then prepare your systems in advance for forensic analysis.

Before moving systems into production, grab a copy of Jesse Kornblum's MD5Deep from http://md5deep.sourceforce.net and create MD5 checksums of all the files on the system. Have your desktop folks incorporate this into their image building process. If you're really diligent, update your hashes after applying patches.

Astute readers will say, "I can download known hashes from NIST's

...