Examination Notes and Analysis Documentation

Time
1 hour 49 minutes
Difficulty
Intermediate
CEU/CPE
2
Video Transcription
00:00
Our final lesson for module two
00:03
is examination notes and analysis documentation.
00:07
In this video, we're gonna talk about the value of examination notes, when examination notes might be a good thing, might be a bad thing,
00:15
and the various pieces of analysis documentation that you're going to want to generate as part of your process.
00:24
So
00:25
let's talk about verifiable process because forensics has to be a repeatable, verifiable process.
00:34
Computer data must be collected in accordance with predefined standards.
00:39
What are predefined standards? Well, predefined standards, they're gonna be standards that have been agreed to by the entire industry.
00:46
They could be NIST standards, National Institute of Standards and Technology. They could be standards that have been accepted or have been put out by an organization known as SWGDE, or the Scientific Working Group on Digital Evidence.
01:02
They could be standards that are just commonly known throughout the industry and have been learned through experience.
01:11
This is where
01:12
the rubber meets the road, and the money really comes in.
01:19
It is an examiner, a professional, an expert
01:23
who's going to know the standards and who's going to abide by the standards.
01:29
Again, as part of the verifiable process, all examination of computers or peripherals
01:34
must be made on forensic images, not on the original evidence.
01:38
Original evidence should always always, always be maintained pristine as well as your golden image.
01:46
All examinations and findings must be documented and repeatable by an opponent's expert.
01:53
If I can't repeat your process and I can't get the same results, it's not a verifiable process.
02:00
It's not a repeatable process, and the defensibility of that process may come into play.
02:05
All evidence gathered must be authenticated and must be admissible in a court of law.
02:10
This goes back to that admissibility.
02:13
Authentication comes into play based on chain of custody documentation that you've done
02:20
to ensure that you can
02:23
demonstrate
02:24
that
02:25
the data that you collected is the exact copy, is that golden image.
02:32
What is the typical documentation that you're gonna maintain in a forensic collection? Well, you're gonna document acquisition logs. These are gonna be logs of the specific data that's been collected.
02:43
The
02:44
make, model, serial number of the hard drive, the size of the hard drive, the MD5 hash value or SHA-1 or SHA-256 hash value that was obtained. That shows that the evidence is the same as the original.
02:59
It's going to show the time and date and the tool that was used to collect the data, and who actually did the collection.
03:07
Your chain of custody documentation, which we've talked about, this is going to document again the process and the path that that evidence has taken from collection
03:16
through to storage
03:19
and case notes.
03:21
Now, with case notes, you have to be very careful. You only want to document your facts and findings.
03:28
You don't wanna be adding in
03:30
knowledge or information that might be
03:35
extraneous.
03:36
You don't want to
03:38
input your opinions or editorialize the findings.
03:43
You don't wanna put a note that says, you know, this person was really stupid and they did this.
03:49
Um, your notes can be discoverable,
03:52
especially if you're gonna use your notes to draw conclusions and to generate your report. Those notes
03:59
can and often do become discoverable,
04:02
And it's important as well to be careful about case notes that are put into your billing system
04:09
when you're billing for your time. That
04:13
billing time and that amount of billing will be asked about during testimony.
04:20
And if you have case notes in your
04:24
billing system, those are gonna become, and may become, discoverable
04:29
and could in fact cause more trouble
04:32
than they're worth, they may draw out what processes you followed
04:36
and what processes maybe you excluded.
04:41
And you also want to be very careful that your case notes properly document exactly what you did,
04:47
but that you again stick only to facts and findings.
04:53
In this video, we covered the value of examination notes and analysis documentation and the different types of analysis documentation that may exist.
This course discusses the role of the expert witness, the process an expert should follow from collection of digital data to reporting, the act of testifying in court, the rules that govern experts and the do's and don'ts of good testimony.