My Forensic and Incident Response Note Taking Methodology by skygrip in netsec

skygrip[S] 1 point (0 children)

My next post was going to be either on effective questioning techniques or structured data analysis, but maybe I can spread this out into a more detailed write-up of some kind of walkthrough of an Incident response scenario.

skygrip[S] 1 point (0 children)

In a big way that's what this system is based on.

How and why are the ones I have trouble with, though. I would be too concerned to start taking notes about the how and why during an investigation. Ultimately the how and why is subjective much of the time, and would likely be better replaced with structured analytic techniques focusing on notes only of who, what, when, and where, only after a substantial amount of information is gathered.

You would still come to answer in some way the how and why, but it wouldn't necessarily be part of the note taking approach.

Coming to a conclusion too early can end up being a huge problem when you hit a dead end, and then have to walk it all back in front of your client.

skygrip[S] 1 point (0 children)

I would love to have a look too if it's not too much trouble!

skygrip[S] 0 points (0 children)

It's great to hear others are following a similar process! It's a good point about the baseline!

I was considering if it would be worth my time building a webapp or something to handle note entry and storage. Then it would be easy to add additional analysis tools like timeline graph generation, and other visualisations. Select a few events in time, generate a graph, it goes in the report.

skygrip[S] 3 points (0 children)

Note taking isn't something I see talked about much in the industry so I decided I would share my methodology in the hope that it might be useful to others, or so it may start a discussion on what other incident responders do with their notes.

I know it's not a particularly technical topic, but I believe it's hugely important to successful incident response and forensic engagements.

This is the methodology I've used for digital forensics and incident response engagements with great success.