During a forensic examination, it’s beneficial to keep a high-level log of pending and completed activity. Pending tasks turn into completed tasks, and completed tasks make up the examination’s historical record. Often while working, you’ll think of a task that you need to address sometime in the future or a task you’ve completed and should note. Making quick notes and more comprehensive task lists becomes increasingly valuable as the length of the examination grows (possibly to many hours, days, or longer) or when more than one examiner is involved.
Maintaining a list of pending and completed tasks during an examination is important for a number of reasons:
• Helps ensure nothing was forgotten
• Avoids duplicating work already done
• Improves collaboration and coordination when working in teams
• Shows compliance with policies and procedures
• Facilitates accounting, including billing
• Helps produce documentation and reports (formal incident reports or forensic reports)
• Allows for post-incident review to identify lessons learned and support process optimization
• Helps to maintain a longer-term historical record of completed activity
• Supports learning and education for new team members
• Serves as a guide to remember complex procedures
• Provides information for troubleshooting problems and getting support
• Maintains a record of work done by external and third-party examiners
Many commercial task managers and investigation management tools are available, but the focus in this section is on simple task management that you can do from the command line. Using the command line permits you to quickly track tasks and activity without leaving the terminal to access some other graphical or web-based application.
Many open source command line task managers are available and can be used to manage a forensic examiner's activity. The most important criteria include reliable task recording and a detailed timestamp (not just dates).
Taskwarrior
Taskwarrior is a popular task manager with many features for managing large task lists in a quick and efficient manner. You'll find more information about Taskwarrior at http://taskwarrior.org/. The following examples show Taskwarrior commands in practical use in a forensic lab context.
To add several pending tasks:
$ task add acquire PC disk and transfer to evidence safe due:friday
Created task 1.
$ task add have a meeting with investigation team to plan analysis
Created task 2.
To list the current task list (task info will show times and more detailed information):
$ task list
ID Due Age Description
1 2015-06-05 1m acquire PC disk and transfer to evidence safe
2 3s have a meeting with investigation team to plan analysis
2 tasks
To complete a task on the task list:
$ task 2 done
Completed task 2 'have a meeting with investigation team to plan analysis'.
Completed 1 task.
To log a completed task without placing it on the task list:
$ task log requested history of PC use at the firm
Logged task.
Taskwarrior is useful for managing large numbers of tasks. It provides reports, searching, sorting, and various levels of customizable detail. Taskwarrior maintains timestamps and unique identifiers (UUID) for each task, manages prioritization of pending tasks, and keeps a history of completed tasks. The ability to create user-defined attributes makes it customizable for specific settings, such as a forensics lab or examination process.
Todo.txt
You can also maintain a list of completed tasks and pending work by editing a simple text file. An example is the todo.txt file format by Gina Trapani (see http://todotxt.com/ for more information). The todo.txt system defines a file format for task creation and completion dates, priorities, projects, and contexts. It also provides a shell script to manage the todo.txt file. Although the todo.sh script performs all the necessary operations on the todo.txt task list, the file format can be managed using a regular text editor. The notation indicates priority with parentheses ((A), (B), and so on), context keywords with @, and project keywords with +. Completed tasks are prefixed with an x. Here is an example todo.txt file:
(A) Sign chain of custody forms @reception
(B) Start forensic acquisition +Disk_A @imagingstation
Discuss analysis approach with investigation team @meetingroom
x 2015-05-30 08:45 upgrade ram in imaging PC @imagingstation
The todo.txt apps don’t use timestamps, only dates. If you use this system, you must manually include the time with the completed task.
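Because the todo.txt tools record only dates, a small helper that stamps both the date and the time when marking a task complete is handy. The following is an added example, not part of the todo.txt project; the function names and the TODO_FILE variable are assumptions, and the priority tag is dropped from the completed line as todo.sh does.

```shell
#!/bin/sh
# todo_done / todo_pending / todo_completed: minimal helpers for a todo.txt
# file that record the completion time as well as the date (added example).
# TODO_FILE is an assumed variable; ~/todo.txt is the default location.

TODO_FILE="${TODO_FILE:-$HOME/todo.txt}"

# todo_done <line-number>
# Rewrites line N as "x YYYY-MM-DD HH:MM <task>", removing a leading "(A) "
# priority tag. Lines that already start with "x " are left unchanged.
todo_done() {
    n="$1"
    [ "$n" -ge 1 ] 2>/dev/null || { echo "usage: todo_done <line-number>" >&2; return 1; }
    total=$(wc -l < "$TODO_FILE" | tr -d ' ')
    [ "$n" -le "$total" ] || { echo "no task $n in $TODO_FILE" >&2; return 1; }
    stamp=$(date +'%Y-%m-%d %H:%M')
    tmp=$(mktemp) || return 1
    awk -v n="$n" -v stamp="$stamp" '
        NR == n && $0 !~ /^x / {
            sub(/^\([A-Z]\) /, "")         # drop the priority tag
            $0 = "x " stamp " " $0          # prefix completion date and time
        }
        { print }' "$TODO_FILE" > "$tmp" || { rm -f "$tmp"; return 1; }
    # copy back instead of mv so the file keeps its owner and permissions
    cat "$tmp" > "$TODO_FILE" && rm -f "$tmp"
}

# todo_pending: list open tasks with their line numbers (for todo_done)
todo_pending() {
    grep -n -v '^x ' "$TODO_FILE"
}

# todo_completed: list tasks already marked complete
todo_completed() {
    grep '^x ' "$TODO_FILE"
}
```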
Shell Alias
You can also maintain an examiner activity log of completed tasks without the use of task management software. For example, here is a simple shell alias that redirects a short description into a file with a timestamp:
$ alias log="echo \`date +%FT%R\` >> ~/examiner.log"
You can customize the log filename and date format as desired. Making a quick note of activity or viewing past activity takes a simple one-line command, which you can enter anytime during the examination process.
When something significant or notable occurs, enter log followed by the short description of the action taken. For example:
$ log removed hdd from PC and attached to examiner machine ...
$ log started forensic acquisition of the disk ...
$ log acquisition completed, disk sealed in evidence bag ...
$ cat ~/examiner.log
2015-05-30T09:14 informed that seized PC was enroute to forensic lab
2015-05-30T10:25 PC arrived, chain of custody forms signed
2015-05-30T10:47 removed hdd from PC and attached to examiner machine
2015-05-30T15:17 acquisition completed, disk sealed in evidence bag
2015-05-30T16:09 disk transferred to evidence safe for storage
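The alias above records minutes only, and because it is an alias the description is passed as separate words. A shell function version that writes a full ISO 8601 timestamp (seconds and UTC offset, meeting the "detailed timestamp" criterion given earlier) and quotes the description as one argument follows. This is an added example, not the book's alias; the exlog function names and the EXAMINER_LOG variable are assumptions.

```shell
#!/bin/sh
# exlog: examiner activity log with second-resolution, timezone-qualified
# timestamps (added example). EXAMINER_LOG is an assumed variable name;
# ~/examiner.log is the default, matching the alias in the text.

EXAMINER_LOG="${EXAMINER_LOG:-$HOME/examiner.log}"

# exlog <description words...>
# Appends one line: "<YYYY-MM-DDTHH:MM:SS+hhmm> <description>".
# "$*" joins the words into a single argument, so spacing is preserved.
exlog() {
    [ $# -gt 0 ] || { echo "usage: exlog <description>" >&2; return 1; }
    printf '%s %s\n' "$(date +%Y-%m-%dT%H:%M:%S%z)" "$*" >> "$EXAMINER_LOG"
}

# exlog_count: number of entries recorded so far (handy for reports)
exlog_count() {
    [ -f "$EXAMINER_LOG" ] || { echo 0; return; }
    wc -l < "$EXAMINER_LOG" | tr -d ' '
}

# exlog_grep <pattern>: review past activity matching a pattern
exlog_grep() {
    [ -f "$EXAMINER_LOG" ] || return 1
    grep -- "$1" "$EXAMINER_LOG"
}
```

Use `exlog_grep 2015-05-30` to pull one day's entries, or `exlog_grep acquisition` to trace one activity across the log.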
Simple systems for managing tasks are useful for staff who spend much of their time working on the command line. They are also advantageous for remotely working on systems with secure shell (ssh).