in this lesson, we'll talk about a suggested structure for storing case data
and why having such a structure is important.
Should all members of a security team store case data in the same way?
The answer is, of course, they should. Standards are the best way of keeping things organized, so that case is run smoothly and have positive outcomes.
So in my experience, where a lot of security teams tend to see a lot of issues seems to be the storage off data related to their cases.
Different team members have developed different ways of storing their case data over the years, and so there are a multitude of different methods being used,
or what's even worse is everyone just saves their data to the desktop.
Ideally, we want to actually manage case data and in such a way that every team member is able to quickly and easily locate the data they need when they need it.
And her standard as agent
having a standard fold structure and storage location for case related data should form part of your company policies related to security case management
case data should never, ever, ever be saved to the desktop or the system.
configure an internal drive or partition specifically for case. Data
cases and analysis data should be separated from case evidence, so evidence like forensic images should be stored on a drive separate to the cases and analysis data.
The main reason for this is speed
Reading the evidence from one disk or partition and simultaneously writing the case and analysis data to a separate disk is faster than attempting to read and write simultaneously to the same disk.
Obviously, it will be up to you and your team organization to determine the best folder structure to use. But here is a simple example to get you started
at the top. We have the route case folder
named with the case name and potentially a reverse date,
representing the date when the case was initiated.
This provides everyone with a very straightforward, unambiguous way to name their case folders and find what they need quickly
within this brute fold. Oh, we have a number of sub folders.
First of all, we have cases now.
This is where the literal case files from whichever tools are being used. I e. N case cases, X rays cases. I F cases, etcetera will be stored.
So I suggest having a further child folder
for each of the tools used as well.
So dumping case files from multiple tools in a single location results in a mess and causes problems, which are really easily avoided.
Next, we have the evidence folder,
so I say this next part for the sake of simplicity. But
cases and evidence should be stored together, at least at the beginning and end of a case
while an investigation is ongoing and processing is being performed,
cases and evidence should be on separate drives.
Then we have the analysis folder.
This is where I would suggest putting any data used for the investigation.
files which have been recovered from a case spreadsheets containing tool output, that kind of thing.
So keeping your case data organized like this will make your life so much easier, especially when multiple people are working on the same security case.
If someone is working on a case and goes on holiday for four weeks,
clearly managing your case data will allow the remaining team members to easily continue the investigation. In the absence,
you might even write a batch script to create this folder structure automatically at the beginning of a case to make it even easier for people to follow. The same process
should case data and evidence be stored in the same location.
Standard computer science answer applies. It depends.
So in most cases it's better to store these materials separately,
particularly when processing storing them in the same location will encourage speed penalty.
In this lesson, we covered how best to store case data and case evidence
and why it's important that everyone in a security team follows the same process.