Last week, while tech editing/reviewing a chapter in a book that I believe is destined to be one of the most widely used books in digital forensics, I read a short but important point: ‘know what you want to do before you start’ (paraphrased), along with an example of making this point. Perhaps this simple suggestion in forensic work is way understated.
SQLite Forensics book editors feedback: "Technically understandable and also educationally entertaining" Thanks @Brett_Shavers :) #DFIR
— Paul Sanderson (@sandersonforens) May 23, 2017
Over the past years when I started getting into ‘computer’ forensics at the time when the resources of information were slim, training practically non-existent, and the tools far and few between for much of a choice to use, looking for evidence was pretty much going on fishing trips in data. For the training courses I did attend in the beginning, the most common approach taught was to; 
-Take a full image of everything
-Ingest the images into “name-your-tool” of which you had only a few choices
-Take all the data and process it, index it, sort it, extract it, view it, search it, filter it
-Find the evidence from what you processed by looking at virtually everything…
This method doesn’t work today. The amount of data is too much. The common hard drive was less than 50GB way back then, but today you can rarely find a laptop with less than 500GB. Today’s tools are certainly capable of processing this data way more efficiently than the tools (or the versions) of yesterday. But even being able to process data faster only means you have more data to fish through in attempts to find evidence. I don’t remember the last case where I had less than 1TB of data that potentially held evidence.
We have come a long way in training today including improved processes. When given terabytes of data and asked to find the evidence, no longer do we expect that the terabytes of data to examine will turn into four or ten times the size after we ‘process’ it, because we do it better now. We are smarter than before. We ask better questions. We know more about where the evidence lives within the data. We have demanded tool-makers develop tools that pinpoint exactly what we are looking for in a quick and efficient manner. We now;
-Ask “Specifically, what is the problem?”
-Target the places we know the evidence to that problem lives
-Use tools that are narrowly specific to what we want to do
-Follow the evidence we find (one thing points to another, etc…)
-And solve the problem (find the evidence, validate it)
I write this because I still hear requests to ‘ find something on that computer to make this case ’, and each time I kindly remind that fishing for evidence in a hard drive is not only expensive in both time and money, but unproductive without targeting the problem * .
*A problem could be finding a specific user created document, a downloaded image, or an unauthorized access to a computer system.
The point to all of this being, before you push that button, or hit enter on a command line, or even connect a write-blocker to a hard drive, first ask yourself, “what is it that I want to accomplish”. The next thing you do may either give you weeks of work in vain or solve the problem before dinner time.
