Brad Garnett

Welcome to my Digital Forensics and Incident Response (DFIR) oasis!

Digital Forensics, Incident Response, Threat Intelligence, and Information Security

Filtering by Tag: SANS

Report Writing for Digital Forensics: Part II

This blog post is a second edition and follow-up to Intro to Report Writing for Digital Forensics, which you've taken the time to review, digest, and dissect. How the digital forensic practitioner presents digital evidence to his/her intended audience (regardless of why we are preparing a digital forensic report) establishes the proficiency of the digital forensic examination. Let's take it even a step further: how will you present your findings? Effectively reporting what you found during your forensic examination will aid you in presenting your report and the digital evidence to whomever your intended audience will be, which ultimately may be a jury in a criminal or civil proceeding. In this blog post, we are going to tackle some more report writing issues. Remember, YMMV depending on what hat you wear in digital forensics and who you will be reporting the findings of your digital forensic examination to...

Continue reading it here.

Author's Note: I originally wrote this article for the SANS Digital Forensics and Incident Response Blog. It has generated a lot of questions, feedback, and references over the past few years so I wanted to add it to my blog as well.

Intro to Report Writing for Digital Forensics

So you've just completed your forensic examination and found that forensic gem or smoking gun in your case, so how do you proceed? Depending on where you fall as a forensicator (e.g., law enforcement, intelligence, criminal defense work, incident response, e-discovery) you will have to report your findings. Foremost, find out what type of work product you are going to be required to produce to the client, attorney, etc. This will be your guide for completing your report. While the report writing part of the digital forensic examination process is not as fun as the forensic analysis, it is a very important link in the chain...

Continue reading it here.

Author's Note: I originally wrote this article for the SANS Digital Forensics and Incident Response Blog in August of 2010. It has generated a lot of questions, feedback, and references over the past few years so I wanted to add it to my blog as well.

DFIRSummit: FOR 408, DFIRNetWars, & DFIRSummit

I thought I would take a few minutes to share my thoughts regarding the DFIR NetWars competition that SANS offers, along with a DFIRSummit prelude. For more information on DFIR NetWars visit http://www.sans.org/netwars.

This week I am in Austin, TX taking FOR 408 with Rob Lee. We are having a good week and have a good class. What I always enjoy most about attending a SANS course or event is the plethora of talent in the DFIR community that attends these events and courses. Ovie, Rob, and Chad have put a lot into FOR 408. This course is NOT an introduction to Digital Forensics. It requires a core knowledge of Windows forensics. I have completed several courses in the SANS DFIR curriculum. When I first completed 508 six (6) years ago, 408 did not exist; it focuses on core Windows forensic analysis. Just as David Cowen points out in this week's Forensic Lunch, there are so many Windows artifacts that still require further testing and research. No matter if you are a veteran forensic examiner or new to the DFIR field, you will learn a lot from the FOR 408 course.

Day 1 of DFIRNetWars was earlier this evening, so just a few quick comments. This was an eye-opening experience for me and for others that I spoke to afterwards...many of whom were competing in DFIRNetWars for the first time, including myself. After Day 1, @CdtDelta is leading the competition (good job Tom). DFIRNetWars is a fun, challenging competition that covers host-based forensics, network forensics, malware, and memory analysis. Early on in the competition, game stress got the best of me and I dropped out of the top 10 (it's a marathon, not a sprint). I found out quickly that I needed to slow down and get in my zone. Even if you have been doing forensics for years, competing in a cyber competition (like DFIRNetWars and others) is a great way to grade your current skill-set and get an idea of what you need to do to improve your forensic and IR processes. Smooth is fast...fast is smooth.

The SANS @ Night talks have also been great. I plan on completing a review in the form of a blog post and will share it right here.

If you are traveling later this weekend to the Summit, the XGames is going on here in Austin through the weekend. Follow #XGamesAustin, #DFIRNetWars and, of course, #DFIRSummit.