1 hour 34 minutes
In this lesson, we'll discuss case and evidence naming conventions
the importance off those things, as well as using names to record case and evidence. Metadata.
What makes a good naming convention or scheme? Four cases and evidence.
There are a few components to consider when answering this question, but the three main components are uniqueness. Understand, ability and scalability.
First and foremost, the name for each case must be unique.
If a name is able to be repeated, it can lead to a lot of confusion and difficulty during an investigation.
Evidence names should be derived from the name of the case,
one so that the evidence can be easily identified as belonging Toa one case or another
and two because this approach lends itself to also creating unique evidence names and embedding metadata about the evidence inside the evidence name.
case names must be easily interpreted and understood.
This is similar to the difference between I P addresses and domain names.
I pay addresses are great because they're typically unique within a network,
but they can be very difficult for humans to reliably remember
domain names, on the other hand, much easier to remember
if your case name resembles an empty five hash and consists off, say, 32 alpha numeric characters.
Then, yes, it will be unique, but it will be impossible to remember or interpret,
so there are a lot of ways to name cases and evidence.
But to generally accepted and effective ways of naming cases are reversed. Eight.
Such as Why, Why, why, MM dd
and project names or code names such as Zombie Butterfly.
Clearly each of these has pros and cons.
Both methods result in easily recognizable names for a case.
Depending on your organization, you may find that project names can be considered unprofessional or that there can be too much information given away by the name,
depending on the sensitivity off the case.
Reverse states solved both of these potential issues and allow for easy sorting
and also contain metadata about the case itself, which allows for easy identification off cases, end evidence.
One more thing, which should really be considered when creating a naming scheme for both cases and evidence is scalability.
Your scheme needs to work equally well for case number one, as it does for Case 10,000 and one.
If it doesn't, this will cause difficulties in the longer term case management strategy.
Ultimately, though, it's up to you and your organization to define the naming scheme, which works best for you.
So let's assume that you've decided to name your cases using reverse dates,
for example 2019 or nine o 1-0 1 dash X 001 Destiny one
Where the first part 2019 or 901
Tessera one is the reverse date route Case name
Following that x 001 Destiny. A one
is thesis affix identifying in evidence item or data source belonging to that case.
So in 2019 0901 is the date that case was opened.
The following 01 indicates that this was the first case that was opened that day.
For example, 2019 or nine or 102
would be the second case that was opened that day, and so on.
Chances are there will be multiple sources of evidence in most enterprise investigations,
such as a laptop, a desktop, maybe multiple mobile devices, USB devices like an external hard drive, etcetera.
So now we need to decide how to name each evidence item
and in such a way that it's immediately clear
to which case the evidence belongs.
One method to achieve this, and arguably the best method
is to just augment the case number with additional metadata about the evidence source,
2019 or nine or 1-1 Dash L one dash over one
where 2019 0901 again is the reverse date. Case name,
then Dash 01 is the case number four that day,
followed by a dash l 001 or X 001 which could be the location where l is the lab, for example.
And 001 at the end is Theo item number, which might relate to a specific device such as a laptop.
the final 01 is the data source from that device, meaning the first internal hard drive. If there was more than one
will be ill. 001 industrial one and then an image off the memory off. That same device would be the second data source, which would be l dash 00102 and so on
again. It's entirely up to you and your organization to find the solution, which best fits your processes and work flows. But keep in mind that these are the names which you will use to refer to cases and case evidence for the foreseeable future.
And the better able you are to reference these terms,
the better the outcomes you can expect from your investigations.
What are three considerations which need to be made when defining case and evidence naming conventions?
Uniqueness? Because overlapping case or evidence names result in bad outcomes for all stakeholders
easily interpreted and understood, so esoteric case names
can lead to lost time if metadata needs to be looked up and time lost during any investigation is never a good thing.
And finally, being able to identify at a glance what a case or evidence item is
is invaluable in enterprise security case management,
then scalability names need to work just as well for case one as they do for Case 10,000 and one.
Otherwise, there will be potentially disastrous problems in the long term.
In this lesson, we covered a few methods for naming both cases and the evidence related to them.
We also talked about why it's important to choose a naming convention that results in
unique, easily understood and a scalable names four cases and evidence.
And finally we discussed the benefits of naming evidence in such a way as to also record metadata for that evidence in the name.