What to document

When it comes to documenting an incident, it is not difficult to work out what should be recorded. The five Ws (Who, What, Where, When, and Why), together with How, are an excellent foundation for deciding what to document during an incident. Another piece of wisdom, especially where the legal implications of security incidents are concerned, is the axiom that if you didn't write it down, it didn't happen. This drives home the point that proper documentation comprises as much detail as the incident response analyst can provide. Analysts may be involved in an incident that ends up in a civil proceeding. The wheels of justice often move slowly, and an analyst may be called to the witness stand after 18 months, during which 10 other incidents may have transpired. Having as much detail as possible in the incident report allows analysts to reconstruct the events accurately.

An excellent example of applying this five Ws (and one H) structure to your documentation is a digital forensics task, such as imaging a hard drive. In Chapter 6, Forensic Imaging, proper documentation was partially addressed when we looked at the practice of taking photos of the suspect drive. The following is a more detailed record of the event:

  • Who: This is the easiest detail to make a note of. Simply, who was involved in the process? For example, the person involved was analyst Jane Smith.
  • When: Record the date and time that the imaging began and when it ended. For example, the imaging process was started at 21:08 UTC on August 16, 2019, and ended at 22:15 UTC on August 16, 2019. Times are critical, and you should ensure that a standard time zone is utilized and indicated in the report.
  • Where: This should be a detailed location, such as an office.
  • What: The action that was performed; for example, acquiring memory or firewall logs or imaging a drive.
  • Why: Having a justification for the action helps in understanding the reason why the action was performed.
  • How: A description of how an action is performed should be included. Additionally, if an incident response team utilizes playbooks or standard operating procedures as part of their plan, this should be included. Any departure from the standard operating procedures should also be similarly recorded.

Putting all this information together, the following sample language can be entered into the report:

On August 16, 2019, analyst Jane Smith arrived at office 217 of the Corporate Office Park located at 123 Maple St., Anytown, US, as part of the investigation. Upon arrival, Smith took control of the Dell laptop, asset tag #AccLT009, serial #7895693-862. An alert from the firewall IDS/IPS indicated that the laptop had communicated with a known Command and Control server. The laptop was to be imaged in an attempt to ascertain whether it had been infected with malware. At 21:08 UTC, Smith imaged the drive utilizing the live imaging technique in accordance with the Standard Operating Procedure IR-002. The process was completed at 22:15 UTC on August 16, 2019.

This entry provides sufficient detail to reconstruct the events that transpired. Taken together with other documentation, such as photographs and the chain of custody, the analyst has a clear picture of the process and the outcome.
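The following is an added example, not code from the chapter, showing how the five Ws and one H can be captured as a structured record rather than free text. Each entry must carry every element, its timestamps must be time-zone aware (so the "standard time zone" requirement cannot be skipped), the end time cannot precede the start, and a SHA-256 fingerprint over the canonical record lets a reviewer months later confirm the entry was not altered since it was written. The `ActionEntry` class, `entry_problems` helper and the sample values (built from the chapter's sample report language) are all constructed for this illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional


class DocumentationError(ValueError):
    """Raised when an entry lacks a 5W1H element or its times are unusable."""


@dataclass
class ActionEntry:
    """One documented action during an incident: Who / What / Where / When / Why / How."""
    who: str
    what: str
    where: str
    why: str
    how: str
    started: datetime                    # must be time-zone aware
    ended: datetime                      # must be time-zone aware and not earlier than started
    sop_reference: Optional[str] = None  # playbook or standard operating procedure followed
    sop_deviation: Optional[str] = None  # any departure from that procedure, if one occurred

    def validate(self) -> None:
        # Every W (and the H) must be present: a blank field means the event cannot be reconstructed
        for name in ("who", "what", "where", "why", "how"):
            if not getattr(self, name).strip():
                raise DocumentationError(f"missing '{name}'")
        # Naive timestamps are rejected: a time with no stated zone is ambiguous in a report
        for label, ts in (("started", self.started), ("ended", self.ended)):
            if ts.tzinfo is None or ts.utcoffset() is None:
                raise DocumentationError(f"'{label}' has no time zone; record times in a stated zone")
        if self.ended < self.started:
            raise DocumentationError("'ended' is earlier than 'started'")

    def duration(self) -> timedelta:
        self.validate()
        return self.ended - self.started

    def narrative(self) -> str:
        """Render the entry as report language, with all times normalised to UTC."""
        self.validate()
        start = self.started.astimezone(timezone.utc)
        end = self.ended.astimezone(timezone.utc)
        text = (
            f"On {start:%B %d, %Y}, {self.who} was at {self.where}. "
            f"{self.what}. Justification: {self.why}. "
            f"At {start:%H:%M %Z}, {self.who} {self.how}"
        )
        if self.sop_reference:
            text += f" in accordance with {self.sop_reference}"
        text += f". The process was completed at {end:%H:%M %Z} on {end:%B %d, %Y}."
        if self.sop_deviation:
            text += f" Deviation from procedure: {self.sop_deviation}."
        return text

    def fingerprint(self) -> str:
        """SHA-256 over a canonical JSON serialisation, so later alteration of the record is detectable."""
        self.validate()
        record = asdict(self)
        record["started"] = self.started.astimezone(timezone.utc).isoformat()
        record["ended"] = self.ended.astimezone(timezone.utc).isoformat()
        canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def entry_problems(entry: ActionEntry) -> Optional[str]:
    """Return the validation failure as text, or None when the entry is complete and consistent."""
    try:
        entry.validate()
    except DocumentationError as exc:
        return str(exc)
    return None


def sample_entry() -> ActionEntry:
    """Constructed sample mirroring the chapter's report language (not real case data)."""
    return ActionEntry(
        who="analyst Jane Smith",
        where="office 217 of the Corporate Office Park, 123 Maple St., Anytown, US",
        what="Live imaging of Dell laptop asset tag #AccLT009, serial #7895693-862",
        why=("a firewall IDS/IPS alert showed the laptop communicating with a known "
             "Command and Control server, and an image was needed to determine whether "
             "it had been infected with malware"),
        how="imaged the drive using the live imaging technique",
        started=datetime(2019, 8, 16, 21, 8, tzinfo=timezone.utc),
        ended=datetime(2019, 8, 16, 22, 15, tzinfo=timezone.utc),
        sop_reference="Standard Operating Procedure IR-002",
    )


if __name__ == "__main__":
    entry = sample_entry()
    print(entry.narrative())
    print("duration:", entry.duration())
    print("fingerprint:", entry.fingerprint())
    # A timestamp with no zone is rejected rather than silently recorded
    bad = ActionEntry(**{**entry.__dict__, "started": entry.started.replace(tzinfo=None)})
    print("naive time rejected:", entry_problems(bad))
```

Storing the fingerprint alongside the photographs and chain-of-custody form gives a later reviewer a simple way to check that the written record matches what the analyst produced at the time; the narrative rendering is what would be pasted into the report itself.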
