Jake Williams · Dec 12, 2013 · 9:04 PM UTC

Jake Williams @MalwareJake

12 Dec 2013

In #SANS FOR508 with @robtlee a quick class survey indicates that students spend avg 2 weeks per drive on forensics investigations.

Hal Pomeranz · Dec 12, 2013 · 9:05 PM UTC

Hal Pomeranz @hal_pomeranz

12 Dec 2013

@MalwareJake @robtlee Sounds about right. I wonder if they're including the time it takes to write the report.

Jake Williams · Dec 12, 2013 · 9:38 PM UTC

Jake Williams @MalwareJake

12 Dec 2013

@hal_pomeranz @robtlee The question was from phrased 'from acquisition to report' - many commented that it could be much, much longer

Hal Pomeranz · Dec 12, 2013 · 11:50 PM UTC

Hal Pomeranz · Dec 12, 2013 · 11:50 PM UTC

Hal Pomeranz @hal_pomeranz

12 Dec 2013

@MalwareJake Yeah, I've done "deep dives" on critical systems that have taken months.

Dec 12, 2013 · 11:50 PM UTC

Robert Austin · Dec 13, 2013 · 12:26 AM UTC

Robert Austin @W3nd1g04n6

13 Dec 2013

@hal_pomeranz @MalwareJake I've had the report alone take much longer than that 2 weeks, but that's more the exception than the norm.

Jake Williams · Dec 13, 2013 · 12:40 AM UTC

Jake Williams @MalwareJake

13 Dec 2013

@W3nd1g04n6 @hal_pomeranz Eek. I'd hate for reporting to take that long. I'd fear the result would be a job search...

Jake Williams · Dec 13, 2013 · 12:37 AM UTC

Jake Williams @MalwareJake

13 Dec 2013

@hal_pomeranz No doubt. It's all about the specific case at hand.

Travis · Dec 12, 2013 · 11:54 PM UTC

Travis @infosectravis

12 Dec 2013

@hal_pomeranz @MalwareJake I think it depends entirely on how convoluted the system is, and the type of operating system.