Analysis Process

Now and again, someone will ask me, “…how do you do analysis?” or perhaps more specifically, “…how do you use RegRipper?” 

This is a tough question to answer, but not because I don’t have an answer. I’ve already published a book on that very topic, and my process for doing analysis is apparently very different from the way most people do analysis.
Now, I can’t speak to how everyone else goes about analyzing an endpoint, but when I share my process, that seems to be the end of the conversation.

My analysis process, laid out in books like “Investigating Windows Systems”, is, essentially:

1. Document investigative goals. These become the basis for everything you do in the investigation, including the report.

Always start with the goals, and always start documentation by having those goals right there at the top of your case notes file. When I was active in DFIR consulting, I’d copy the investigative goals into the Executive Summary of the report, and provide 1-for-1 answers. So, three goals, three answers. After all, the Executive Summary is a summary for executives, meant to stand on its own.


2. Collect data sources.

This article has been indexed from Windows Incident Response