With literally dozens of areas of Digital Forensics (and Incident Response) that we would discuss, what would be key topics or questions you would want to ask someone who currently practices in the Digital Forensics field?
For me, I would like to hear how other people handle the following:
My list is in a ranked priority because I think forensic tools should come after good habits are developed. But that’s just me.
What would top your list of things to learn more about from local practicing forensicators?
Report writing – I posted a PDF example report to the Win4n6 group on Yahoo some time ago. Oddly enough, a lot of folks in the community want to see how to do it, but don’t want to share any of their own materials. Report writing starts with your other documentation…you know, that stuff no one does, like keeping case notes? Do it right, and the report writes itself.
Forms – easy-peasy. Everyone’s got these already. The really big issue is not using them.
You’ve touched on a pet peeve of mine – report writing. I may not be the best at keeping case notes, but I hope practice makes me better. While handling a case I can honestly say I agonize over nearly every word in my written reports. I write what I find, draw conclusions based on those findings and offer opinions of how any certain activity may have occurred. Then, as time permits, I set my report aside for at least a day so I can come back to it and read it from a critical point of view, like someone might who is on the opposing side of my case so I can see where gaps may exist. Then I strive to fill the gaps – whether they be completeness, accuracy or understanding of my written words. WHY do this? Quite frankly I’ve grown into this habit; however, the driving force for doing so is you never know how sobering your report may sound until you hear parts of it extracted and read back to you in a legal proceeding. The first time this happened to me, I had chills go up my spine simply because inflection of words I wrote made my written report sound different than I intended. (Shame on me.) Now I try to get another set of eyes to review my written (and notarized) words prior to submission because, for me, the best time to explain what I mean is by saying it properly the first time. (And I’m still practicing that skill every single day!)