Making Ham Sandwiches in DFIR

Following up on some points made about DFIR writing on Twitter, here are my opinions on the subject of writing up your work in DFIR:

1: Write it up (or else your work didn’t happen)

2: Write it for your audience (or it won’t matter what you did anyway)

If you follow those two tips, your writing will be fine.

In police work, report writing is frequently given the analogy of "painting a picture": you should write a story that doesn't need explaining beyond what is on the page. The canvas should tell the entire story. Search warrant affidavits work the same way, in that the probable cause for the warrant must be contained (and comprehensible) within the four corners of the affidavit. An independent party should be able to read what was written without needing outside information to either support the words or interpret them. The report (that is, the picture) stands on its own to tell the story. I usually use the analogy of making a ham sandwich instead of painting a picture.

When I read a report that doesn't make sense to me, I typically say to myself, this person can't make a ham sandwich. I can see the tomatoes, the bread, and the ham, but it just doesn't look like a ham sandwich. If I need the writer to verbally explain to me what was written, then the report is meaningless. It may be 100% technically accurate and 100% worthless at the same time. I do not mean 'worthless' in an insulting manner, as a technical report can be very well done for a technical audience. I mean worthless in the sense that if the intended audience can't understand it, there was no point in writing it in the first place.

If any of these are true, then the report wasn’t written correctly.

1: The writer needs to explain the report.

2: There is no story.
You can do the best DFIR work in the world and yet write a report that ruins it all.  Or, you can write up what you did in a manner that the report can be read on national television, in full, without needing a word of exposition to translate it to the audience. 

Few of us are both great DFIR practitioners and great writers. We tend to favor one side over the other. Some of us, however, ignore the writing part completely. We don't like to write. We don't like to edit. We don't like to write for an audience that doesn't know what an MFT (the NTFS Master File Table) is; after all, doesn't everyone know what the MFT is?

The reality is that you have to write up what you did so that others can understand it. Embrace writing. Showcase your DFIR labor in your writing, so that the reader completely understands what you did, what you found, and what needs to be done next.

Make that ham sandwich.

Tuesday, 20 March 2018