Comments on Windows Incident Response: Documentation (6 comments; feed last updated 2024-03-19)

Andrew Case, 2011-10-03 15:45 -05:00

Case notes are definitely essential. Besides internal teams, they could also be used to teach the entire DFIR community if client-specific information is sanitized.

I actually write mine down on paper as I find it helps me spell out and organize information better than copy/pasting things into some software app.

Cults14, 2011-10-03 05:20 -05:00

Heartily agree with Harlan's views, which represent the opinion of the vast majority of (IMO) subject experts. From personal experience (part-time internal corporate) I'm likely to never end up testifying in court. But I WAS deposed (via video-conference) on one particular matter more than a year after the original incident, and I have to say the notes I made at the time were confusing. Thankfully the perpetrator owned up and my notes were never questioned, but it did bring it home to me that accurate and clear notes are necessary.
I've now set up CaseNotes along similar lines to Harlan.

Anonymous, 2011-10-01 18:45 -05:00

I've already read all of this somewhere before, I'm sure; what a waste of your time to write it and my time to read it again.

j/k - It was well written and can be used as a pep talk for better documentation efforts in many disciplines.

Mike, 2011-10-01 12:56 -05:00

You make some great points, Harlan. One thing I have found is that the court appearance is just as likely to be four years later as one. In this case the chances of actually remembering the exact tools you used are going to be slim, to say the least. My philosophy when writing notes is that you need to be writing them for someone else to understand, because when you come back to them four years from now you will be a different person from the one you are today.

H. Carvey, 2011-10-01 09:13 -05:00

Documentation is key... I honestly believe that a great deal of valuable intel is lost due to a lack of documentation.

Documentation can lead to processes that speed up initial analysis, as well as increase the overall knowledge base of a team of analysts. This leads directly to the competitive advantage...

Little Mac, 2011-10-01 09:02 -05:00

Great post as usual, Harlan.
In conjunction with Chris's, this helps paint a very good picture of the working documentation during an investigation.

It's hilarious, too, that you use phrases like "if it isn't documented it didn't happen" and "if you get hit by a bus", as my boss is constantly saying those exact things to a coworker of mine, who just hasn't quite grasped the significance yet.