Logical Storage


Time
1 hour 34 minutes
Difficulty
Advanced
CEU/CPE
1
Video Transcription
00:00
In this lesson, we'll talk about a suggested structure for storing case data
00:05
and why having such a structure is important.
00:09
Should all members of a security team store case data in the same way?
00:16
The answer is, of course, they should. Standards are the best way of keeping things organized, so that cases run smoothly and have positive outcomes.
00:26
So in my experience, where a lot of security teams tend to see a lot of issues seems to be the storage of data related to their cases.
00:36
Different team members have developed different ways of storing their case data over the years, and so there are a multitude of different methods being used,
00:45
or what's even worse is everyone just saves their data to the desktop.
00:50
Ideally, we want to actually manage case data in such a way that every team member is able to quickly and easily locate the data they need when they need it.
01:00
A standard is essential.
01:03
Having a standard folder structure and storage location for case-related data should form part of your company policies related to security case management.
01:14
Case data should never, ever, ever be saved to the desktop or the system drive.
01:19
Instead,
01:21
configure an internal drive or partition specifically for case data.
01:26
Cases and analysis data should be separated from case evidence, so evidence like forensic images should be stored on a drive separate from the cases and analysis data.
01:38
The main reason for this is speed.
01:40
Reading the evidence from one disk or partition and simultaneously writing the case and analysis data to a separate disk is faster than attempting to read and write simultaneously to the same disk.
01:53
Obviously, it will be up to you and your team or organization to determine the best folder structure to use. But here is a simple example to get you started.
02:05
At the top, we have the root case folder,
02:07
named with the case name and potentially a reverse date,
02:10
representing the date when the case was initiated.
02:15
This provides everyone with a very straightforward, unambiguous way to name their case folders and find what they need quickly.
02:23
Within this root folder, we have a number of subfolders.
02:28
First of all, we have Cases.
02:30
This is where the literal case files from whichever tools are being used, i.e. EnCase cases, X-Ways cases, IEF cases, etc., will be stored.
02:40
So I suggest having a further child folder
02:44
for each of the tools used as well.
02:46
So dumping case files from multiple tools in a single location results in a mess and causes problems, which are really easily avoided.
02:54
Next, we have the Evidence folder.
02:58
So I say this next part for the sake of simplicity, but
03:01
cases and evidence should be stored together, at least at the beginning and end of a case;
03:07
while an investigation is ongoing and processing is being performed,
03:12
cases and evidence should be on separate drives.
03:16
Then we have the Analysis folder.
03:19
This is where I would suggest putting any data used for the investigation.
03:23
For example,
03:24
files which have been recovered from a case, spreadsheets containing tool output, that kind of thing.
03:30
So keeping your case data organized like this will make your life so much easier, especially when multiple people are working on the same security case.
03:39
If someone is working on a case and goes on holiday for four weeks,
03:45
clearly managing your case data will allow the remaining team members to easily continue the investigation in their absence.
03:53
You might even write a batch script to create this folder structure automatically at the beginning of a case to make it even easier for people to follow the same process.
04:02
Should case data and evidence be stored in the same location?
04:09
The standard computer science answer applies: it depends.
04:12
So in most cases it's better to store these materials separately,
04:15
particularly when processing, as storing them in the same location will incur a speed penalty.
04:23
In this lesson, we covered how best to store case data and case evidence,
04:27
and why it's important that everyone in a security team follows the same process.