Yes, I had that modularity in mind for common, overlapping tasks, akin to modular coding. Love the "uber-index"!
Great to hear you have a program manager! Is she part of the open-forensics site, now?
She isn't yet …
Maybe it is what you mean (or maybe I didn't understand) but… what about separating methodology from scenarios?
Scenarios could be part of a specific document or a section in the open-forensics' wiki or topics of a FF's forum.
Anyway, the approach to every scenario could/should be methodology driven with space for the feeling that the examiner has with the scenario itself.
Thoughts?
Rob
Rob,
Indeed, the methodology is separate from the scenario.
The methodology sections contain, for example, sections on "Deleted Files", "Alternate Data Streams", "Log Files", "E-mails" and "Internet Bookmarks" amongst others.
Then the scenarios section says "OK, hacking case for a spambot, you want to consider 'Deleted Files' for evidence of root kits, 'Log Files' for evidence of initial compromise, 'E-mails' for, well, e-mails, etc."
I think that this section could well be formatted as a table, or a set of tables referring to the relevant sections in the remaining document.
You are right to state though that there should be "space for the feeling that the examiner has with the scenario itself." Attempting to create an "absolute" list for any given scenario would likely overlook possibilities that may be unique to a case.
Az