It is widely accepted that technical people don't document their work. That has proven, annecdotally, to be true among the techs with whom I work. If documentation gets done at all by techs, it is the very last thing completed, and usually needs to be reworked a few times before it's usable. However, forensics requires good documentation. Legal expects and needs most the thing we often would like to put off or skip entirely.
Michael R Anderson, of New Technologies, Inc., a forensics services firm, writes that "proper documentation of the steps taken during the evidence processing ranks... as a top priority." Not only must it be complete and accurate, but it must be totally devoid of any opinion. "Just the facts, ma'am." Here is a place for advice from legal.
Everything is Discoverable
Before you commit something of which you are uncertain to a final report, discuss the items in question with the legal team. This is important because all the documentation is discoverable for trial (in the UK it's subject to disclosure). Even the earlier versions of what the forensics examiner writes could end up in the hands of the opposing counsel. With that in mind, you need legal on your side. They can help you make or break their case.
Supporting Documentation
For 'how NOT to document,' I found an interesting look from the defense's viewpoint. Kim Kruglick, wrote on the importance of acquiring all forensic documentation for destroying the opponent's case. Although Kruglick wrote about blood, DNA, skeletons, etc., he speaks indirectly to the world of computer forensics as well. How careful are you to write down your "bench" notes, as he called them? Do your notes support your final conclusions? Does your legal team agree with you on that? Better ask ?em.
Remember that, while documentation may not be our forte, it is vitally important to attorneys. You might even find a lawyer very grateful that you asked their advice before writing something that would make their (your?) life difficult in the courtroom.
J. Michael Butler, GCFA Gold #56 is an Information Security Consultant employed by a fortune 500 application service provider who processes over half of the approximately $5 trillion of U.S. residential mortgage debt. He also authored his company's enterprise wide information security policies.
