@mattnotmax recently posted a blog on "contemporaneous notes".
But wait...there's more.
I agree with what Matt said regarding notes. 1000%.
I've been on engagements where things have gone sideways. In one instance, I was assigned by the PoC to work with a network engineer to get access to network device logs. We walked through a high-level network diagram on a white board, and at every point, I was told by the network engineer that there were no logs available from that device, nor that one, and definitely not that one. I took a picture with my cell phone of the white board to document my "findings" in that regard, and when I met with the PoC the following morning, he seemed bothered by the fact that I hadn't gotten anywhere the previous day. He called in the network engineer, who then said that he'd never said that logs were not available. I pulled up the photo of the white board on my laptop and walked through it. By the time we got to the end of the engagement, I never did get any logs from any of the network devices. However, I had documented my findings (written, as well as with the photo) and had a defensible position, not just for myself, but also for my boss to take up the chain, if the issue ended up going that far.
As a side note, I make it a practice that if I get the sense that something is fishy, or that an engagement could go sideways, I'll call my boss and inform my management chain first, so that they hear it from me. Better that, than the first they hear of any issue is an angry call from a client. This is where notes really help...IR engagements are highly stressful events for everyone involved, and having notes is going to help you when it comes to who said/did what, and when.
One of the questions Matt addresses in his blog post is the 'rules' of the notes; whenever I've been asked about this, the question has always been, "what's the standard?" My response has always been pretty simple...reproduceability. You need to write your notes to the point that 6 months or a year later, you (or more importantly, someone else) can take the notes and the data, and reproduce the results.
In fact, I have been asked the question about the "standard" so much over the years that it's become a high-fidelity indicator that notes will not be taken. So far, every single time I've been asked about the "standard" to which notes should be taken, note have not been kept.
When I started with ISS in 2006, I was provided dongles for AccessData FTK, as well as for EnCase 4.22 and 6.19. When I performed work, I noted which application I used right along with what I did...because that was important. When we (our team) determined that one of the built-in functions for a commercial tool was not, in fact, finding all valid credit card numbers (kind of important for PFI work...), we worked with Lance Mueller to get our own function working, and made the use of the result script part of our standard operating (and repeatable) procedure.
Part of the PFI work at the time also included a search for hashes, file names, and a few other indicators. Our notes had to have the date of the work, and our SOP required that just prior to running the searches for those indicators that we pull down the latest-and-greatest copies of the indicator lists.
Why was this important? Well, if someone found something in the data (or on the original system) six or eight months later, we had clear and concise documentation as to what steps were taken when. That way, if the analyst was on leave or on another engagement, a team lead or the director could easily answer the questions. With some simple, clear, and concise notes, the team lead could say, "Yes, but that case was worked 8 months ago, and that indicator was only made available as part of last month's list." Boom. Done. Next.
Another question that comes up is, what application should I use? Well, I started with Notepad, because it was there. I loved it. When I received a laptop from a client and had to remove the hard drive for imaging, I could paste a link to the online instructions I followed, and I could download the instructions and keep them in a separate file, or print them out and keep them in a folder. URL link or printed out, I had an "appendix" to my notes. When I got to the point where I wanted to add photos to my notes, I simply used Write or Word. Depending upon your requirements, you may not need anything schmancy or "high speed, low drag"...just what you've got available may work just fine.
If you're looking for something a little more refined when it comes to keeping notes, take a look at ForensicNotes.
Many of us say/talk about it...we keep notes because at some point in the future, someone's going to have questions. I was in a role where we said that repeatedly...and then it happened. Fully a year after working an engagement, questions came up. Serious questions. Through corporate counsel. And guess what...there were no notes. No one had any clue as to what happened, and by "no one", I'm only referring to those who actually worked the case. Look, we say these things not because we're being silly or we're bored or we just want to be mean...we say them because they're significant, serious, and some of us have seen the damage that can occur to reputation of a company or an individual when notes aren't maintained.
Even with all of this being said, and even with Matt's blog post, there is no doubt in my mind that many DFIR folks are going to continue to say, "I don't want my notes to be discoverable, because a defense attorney would tear them/me apart on the stand." According to Brett Shavers, that's going to happen anyway, with or without notes, so better to have the notes and be able to answer questions with confidence, or at least something more than, "I don't know". The simple fact is that if you're not keeping case notes, you're doing yourself, your fellow analysts, and your client all a huge disservice.
With great suffering comes the development of great note-takers.
All it takes is one time to realize that you will never ever never not take notes again. Practically, you could take notes on everything you do for an entire career and never need the notes. But that is playing the odds, which are pretty much stacked against you over time.
I've had to take over a case from another (outside) examiner, where no notes were taken at all. Or at least no notes were given to me as required by the clients. I had to re-do the entire casework from scratch because the folders containing exported files were meaningless without some documentation of the importance of the files. Client got soaked with two bills for one job.
Post a Comment