Investigation reporting and documentation is one of critical task of any security operation. When we think about reporting findings as the result of an investigation, we might envision filing formal documents to be used in court proceedings, or we might think about testimony under oath in a court of law. But reporting and documentation is also important internally, for the investigative team. It’s often overlooked, but we can involve personnel affected by the incident by looking back to what worked well and what didn’t. So maybe in our incident response, something could have been done more efficiently or effectively. In terms of evidence collection, maybe there was something that was overlooked; a specific technique or procedure that could have saved 20 hours. So in the end, we’re looking at identifying areas to improve. That might also include response time in preparing evidence, or communicating information between appropriate parties.
Reporting and Documenting
The reporting and documenting processes should include a debriefing and feedback phase which is often overlooked but very important. Debriefing and feedback should include members from the investigation and should possibly also include personnel affected by the incident. A review of the investigation should consider areas of improvement in the incident response and evidence collection. Other areas of improvement could be response time including preparation and communication.
As a result, we might update policies and processes related to things like evidence gathering. We can also use some of those lessons learned for training requirements for staff, to improve – things like reporting, technical skills, and legal issues that might have occurred in the past that could help us in the future. Metrics allow us to track performance of some kind by measuring something, and they can be derived from a debriefing. So we could have a formalized process for capturing all of this data – and there is specialized software that is designed to do just that, when it comes to forensic analysis. Metrics that we might be interested in include things like the amount of time or money spent in an investigation, especially as it relates to that specific type of incident. These metrics can then be used when determining things like budget allocations.
The debriefing and feedback phase might necessitate updating policies and processes, or identify training requirements for staff including reporting, technical skills and legal issues.
Metrics are sets of meaningful data derived from a debriefing. They are used to develop and track performance and also formalize the process for capturing data. Metrics might include the time and money spent on a project as well as the type of incident handled.
They can be helpful when determining budget allocations for investigations.
For example, maybe a case involving identity theft, using credit cards, might take an average of 30 hours to collect evidence at an average cost of $150 per hour. So we might know this by having gathered those metrics in the past. So then, that’ll help us in the future for budget allocations. We might also think about personnel requirements, so that we have the correct people, with the correct expertise, involved in certain types of cases. We also want to make sure that we do our due diligence, and reasonableness, when we gather evidence. Make sure we follow the confines of the law related to that, and also when we present our findings. Bear in mind that when we report findings in a court of law, it’s up to the other counsel to poke holes in our argument. So we need to make sure that we’ve really done our due diligence, and followed the law specifically. In this video, we discussed investigation reporting, and documentation.
Metrics also help to determine personnel requirements, baselines, due diligence and reasonableness in investigations as well as being used for statistical purposes.