Our final lesson for Module 2 is examination notes and analysis documentation.
In this video, we're going to talk about the value of examination notes, when examination notes might be a good thing, when they might be a bad thing, and the various pieces of analysis documentation that you're going to want to generate as part of your process.
Let's talk about verifiable process, because forensics has to be a repeatable, verifiable process. Computer data must be collected in accordance with predefined standards.
What are predefined standards? Well, predefined standards are standards that have been agreed to by the entire industry. They could be NIST standards, from the National Institute of Standards and Technology. They could be standards that have been accepted or have been put out by an organization, notably SWGDE, the Scientific Working Group on Digital Evidence. They could be standards that are just commonly known throughout the industry and have been learned through experience.
This is where the rubber meets the road, and where the money really comes in.
It is an examiner, a professional, an expert, who's going to know the standards and who's going to abide by the standards.

Again, as part of the verifiable process, all examination of computers or peripherals must be made on forensic images, not on the original evidence. Original evidence should always, always, always be maintained pristine, as well as your golden image.
All examinations and findings must be documented and repeatable by an opponent's expert. If I can't repeat your process and I can't get the same results, it's not a verifiable process. It's not a repeatable process, and the defensibility of that process may come into play.
All evidence gathered must be authenticated and must be admissible in a court of law. This goes back to that admissibility. Authentication comes into play based on the chain of custody documentation that you've done, to ensure that you can show that the data you collected is the exact copy, that golden image.
What is the typical documentation that you're going to maintain in a forensic collection? Well, you're going to document acquisition logs. These are going to be logs of the specific data that's been collected: make, model, and serial number of the hard drive, the size of the hard drive, and the MD5 hash value, or SHA-1 or SHA-256 hash value, that was obtained, which shows that the evidence is the same as the original. It's going to show the time and date, the tool that was used to collect the data, and who actually did the collection.
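As an added illustration that is not part of this lesson or any course material, the Python below mirrors the acquisition-log contents just described: it hashes a constructed stand-in for the evidence bytes (a real acquisition would stream the block device), records make, model, serial, size, MD5/SHA-1/SHA-256, timestamp, tool and examiner, and then re-verifies the image against that record the way an opposing expert would. Every name and value in it (ExampleCorp, the serial, the examiner, the tool name) is constructed, not taken from a real case.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: a stand-in for the bytes read from an evidence drive.
# A real acquisition would read the block device itself instead.
ORIGINAL_DEVICE = b"\x00" * 512 + b"example-partition-table" + b"\xff" * 1024

# Constructed device metadata for the log record; nothing here is real.
DEVICE_INFO = {
    "make": "ExampleCorp",
    "model": "Model-X",
    "serial": "SN-PLACEHOLDER-0001",
}

HASH_ALGOS = ("md5", "sha1", "sha256")


def hash_bytes(data, chunk_size=4096):
    """Return {algorithm: hexdigest} for data, hashing in chunks so the same
    routine works unchanged on an image far too large to hold in memory."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS}
    for offset in range(0, len(data), chunk_size):
        block = data[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(device_bytes, device_info, examiner, tool="example-imager 0.1"):
    """Produce the forensic image and the acquisition-log record describing it.
    The record carries what the lesson lists: make/model/serial, size, hashes
    of the original, the collection time (UTC), the tool and the examiner."""
    image = bytes(device_bytes)  # a bit-for-bit copy stands in for the imaging tool
    record = {
        **device_info,
        "size_bytes": len(device_bytes),
        "hashes": hash_bytes(device_bytes),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "tool": tool,
        "examiner": examiner,
    }
    return image, record


def verify(image, record):
    """Re-hash an image and compare it with every hash in the log record.
    Anyone holding the image and the record can re-run this and reach the
    same answer, which is what makes the process repeatable and verifiable."""
    actual = hash_bytes(image)
    mismatches = [a for a in HASH_ALGOS if actual[a] != record["hashes"][a]]
    return len(image) == record["size_bytes"] and not mismatches


if __name__ == "__main__":
    image, record = acquire(ORIGINAL_DEVICE, DEVICE_INFO, examiner="J. Examiner")
    print(json.dumps(record, indent=2))
    print("image verifies:", verify(image, record))
    # A single altered byte must make verification fail.
    tampered = image[:-1] + b"\x00"
    print("tampered image verifies:", verify(tampered, record))
```

Keeping all three digests in the record costs nothing at acquisition time and means the log still stands on its own if one algorithm later falls out of favour; the verification step deliberately checks every recorded hash and the size rather than just one.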
Your chain of custody documentation, which we've talked about, is going to document again the process and the path that that evidence has taken from collection through to storage. And then there are case notes.
Now, with case notes, you have to be very careful. You only want to document your facts and findings. You don't want to be adding in knowledge or information that might be... you don't want to input your opinions or editorialize the findings. You don't want to put a note that says, you know, this person was really stupid and they did this.

Your notes can be discoverable, especially if you're going to use your notes to draw conclusions and to generate your report. Those notes can and often do become discoverable. It's important as well to be careful about case notes that are put into your billing system when you're billing for your time. That billing time and that amount of billing will be asked about during testimony, and if you have case notes in your billing system, those are going to become, and may become, discoverable and could in fact cause more trouble than they're worth; they may draw out what processes you followed and what processes maybe you excluded. And you also want to be very careful that your case notes properly document exactly what you did, but that you again stick only to facts and findings.
In this video, we covered the value of examination notes and analysis documentation, and the different types of analysis documentation that may exist.