Wednesday, October 30, 2013

Procedure: Mounting an EnCase E01 Image with FTK Imager

My previous post detailed a template that I use when creating procedures. As promised, in this post I have taken the template and created a procedure using its framework. The procedure itself is quite rudimentary, mounting a forensically created image; however, the focus of this post is on the framework, not the content. Using this framework, with its consistent format, clear details and instructions, you can start to build a valuable library of procedures that can be referenced and repeated, even by the noobs.

Take a look below and provide any feedback if you wish. As I stated in my first post on this blog, I want feedback, and look forward to peer review. The procedures moving forward from here will be more technical and provide some great examples of different approaches in getting work done.

The procedure can be accessed from this link via Google Drive. 

Enjoy, Mr. Orinoco


Saturday, October 12, 2013

A Procedure Template

In my previous post, I discussed what I believe are the required elements when creating a procedure. Using a set of standard elements in every procedure you create ensures consistency in your approach and final product. If one item above all must be achieved when creating procedures, it is consistency. As I mentioned in an earlier post, the one item I find the most frustrating with procedure documentation is the continued inconsistency of an individual's approach to creating procedures. In short, their lack of standardization.

For example, before I started in DF, I worked in Technology. I recall being incredibly frustrated over the haphazard way in which procedure documents were not only created, but also stored and maintained. Everybody and their mother were creating procedures; they were stored all over the environment and infrequently, if at all, updated to reflect recent changes in IT. In addition, people would leave the company; as a result, their procedures would disappear because they were on the local drive of the desktop that had just been re-imaged!

In this post, I am providing a template (Google Drive link below) that I use for every procedure I create. Not only does it provide standardization for the individuals creating the procedure, it also documents a number of other items.

First, there is a Procedure Name, a Category, and if needed, a Sub-Category.

Second, there is a Procedure Number. This number, along with the procedure name, is entered into a master database, a spreadsheet that tracks all your procedures.

Third, Procedure Development. Who owns the development of the procedure?

Fourth, Procedure Document. Who owns this document? (This could be the same person who developed the procedure.)

Fifth, my favorite, Version Control. As the procedure changes, a new version number is issued and the previous version is archived.

One last item: to ensure auditing of your procedures, the MD5 hash value of the procedure must be entered into the tracking database.
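To show how the template's elements fit together as a tracking record, here is an added example (not from the post or its template) that models one row of the master database, audits a document against its recorded hash, and archives the old row when a new version is issued. The procedure number, names and document text are constructed values; SHA-256 is recorded alongside the MD5 the post calls for, since MD5 is not collision resistant and should not be the only tamper-evidence hash.

```python
import hashlib
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ProcedureRecord:
    """One row of the master procedure-tracking database described in the post."""
    number: str          # Procedure Number, e.g. "DF-001" (constructed value)
    name: str            # Procedure Name
    category: str        # Category
    sub_category: str    # Sub-Category (optional in the template)
    developer: str       # Procedure Development: who owns the procedure itself
    document_owner: str  # Procedure Document: who owns this document
    version: int         # Version Control: increments on every change
    md5: str             # hash recorded at registration, used for auditing
    sha256: str          # added here alongside MD5; MD5 is not collision resistant


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def register_procedure(number, name, category, sub_category,
                       developer, owner, document: bytes) -> ProcedureRecord:
    """Create the version-1 record for a newly written procedure document."""
    return ProcedureRecord(number, name, category, sub_category, developer,
                           owner, 1, md5_hex(document), sha256_hex(document))


def audit_document(record: ProcedureRecord, document: bytes) -> str:
    """Compare a stored document against its tracked hashes: 'ok' or 'modified'."""
    if md5_hex(document) == record.md5 and sha256_hex(document) == record.sha256:
        return "ok"
    return "modified"


def release_new_version(record: ProcedureRecord, new_document: bytes,
                        archive: dict) -> ProcedureRecord:
    """Archive the current row under (number, version), then issue the next version."""
    archive[(record.number, record.version)] = record
    return replace(record, version=record.version + 1,
                   md5=md5_hex(new_document), sha256=sha256_hex(new_document))


# Constructed sample documents; not the post's actual procedure text.
DOC_V1 = b"Procedure: Mounting an EnCase E01 Image with FTK Imager\n1. Open FTK Imager.\n"
DOC_V2 = DOC_V1 + b"2. Verify the image hash before mounting.\n"
```

Registering DOC_V1 yields version 1 with audit result "ok"; auditing DOC_V2 against that row reports "modified", and releasing it produces version 2 while the version-1 row lands in the archive.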

Taking this approach, using a template, completing a standard set of elements, tracking the historical life of a procedure, and finally, storing procedures in a central repository (think SharePoint), ensures that your library will grow effectively in a controlled manner and allows for maintenance.

Template Link - The template can be accessed here.



In my next post I will be posting a simple procedure on mounting a forensic image using the above approach. Until then, take care.