Let’s say we’re looking at a cyber crime scene made up of several still-powered-on computers. When the forensic investigator arrives, what does his workflow look like? An experienced forensics examiner is about to testify in court for the first time. How does he talk about his work? These are some of the topics addressed by Jess Garcia in an interview with Help Net Security. He talks about the practical side of computer forensics, takes a look back at a decade of evolution and offers advice for those who want to know more about the field.
This is a field I am looking to get into. I have done several audits of system images available online using Sleuthkit with Autopsy on Linux. Unfortunately the article was rather vague. The biggest hurdle I have encountered is proper note taking and organization of evidence. I know what files and changes are relevant to the investigation but I’m not sure if there is a standardized practice when it comes to taking notes about each file or change and storing the evidence digitally. There seems to be very little information about it even on digital forensic websites. A walk through somewhere would be nice. I know how to use the software and find intrusions, etc., but a good background on digital evidence storage, handling, and note taking would be beneficial to all looking to get into the field.
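The comment above asks how evidence and notes about it are recorded in practice. One common element is an append-only manifest in which every acquired item gets an identifier, a cryptographic hash taken at the time it was collected, the examiner's name, a timestamp and a free-text note, so that the item can later be re-hashed to show it has not changed. The script below is an added illustration of that idea, not code from the interview or from Sleuthkit/Autopsy; the manifest format, the `E001`-style identifiers and the sample files it creates are all assumptions made for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def add_evidence(manifest_path, item_path, examiner, note):
    """Append one evidence record (JSON Lines) and return it.

    The record carries the hash computed at acquisition time; the manifest
    is only ever appended to, never rewritten, so earlier entries stay intact.
    Field names here are an assumption for this example, not a standard.
    """
    manifest_path = Path(manifest_path)
    existing = manifest_path.read_text().splitlines() if manifest_path.exists() else []
    entry = {
        "id": "E%03d" % (len(existing) + 1),
        "path": str(Path(item_path).resolve()),
        "size": os.path.getsize(item_path),
        "sha256": sha256_file(item_path),
        "examiner": examiner,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "note": note,
    }
    with open(manifest_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def verify_manifest(manifest_path):
    """Re-hash every item in the manifest; map item id -> True if unchanged."""
    results = {}
    with open(manifest_path, encoding="utf-8") as fh:
        for line in fh:
            entry = json.loads(line)
            path = entry["path"]
            ok = os.path.exists(path) and sha256_file(path) == entry["sha256"]
            results[entry["id"]] = ok
    return results


def demo():
    """Constructed walk-through: two sample 'evidence' files, one later altered.

    Returns (results_before, results_after) from verify_manifest().
    """
    case_dir = Path(tempfile.mkdtemp(prefix="case_"))
    manifest = case_dir / "manifest.jsonl"
    # Constructed sample items; real evidence would be disk images, logs, etc.
    (case_dir / "hosts").write_text("127.0.0.1 localhost\n")
    (case_dir / "bash_history").write_text("ls\ncat /etc/passwd\n")
    add_evidence(manifest, case_dir / "hosts", "A. Examiner",
                 "hosts file from image; no unexpected entries")
    add_evidence(manifest, case_dir / "bash_history", "A. Examiner",
                 "shell history of compromised account")
    before = verify_manifest(manifest)
    # Simulate an accidental modification of a working copy after acquisition.
    (case_dir / "bash_history").write_text("ls\n")
    after = verify_manifest(manifest)
    return before, after


if __name__ == "__main__":
    for label, res in zip(("before", "after"), demo()):
        print(label, res)
```

Running the script creates a throwaway case directory, records two items, verifies both as intact, then alters one file and shows the verification flagging it. The hash-at-acquisition plus re-verify pattern is what lets an examiner state in notes, and later in testimony, that the analysed copy matches what was collected.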