Just Document EVERYTHING!

One of the hardest lessons I have had to learn over the years is just how damn important proper documentation is. It's not as simple as jotting down a couple of notes here and there; it means writing the important information down in a way that someone other than you can follow. Even if you know in your head what a random IP address or tidbit from an investigation means, that does not mean anyone who works with you does, or that two or three days down the road YOU will even remember.

An easy example is investigating attacks, which for me these days most often means spear-phishing attacks.

Email headers contain a LOT of relevant information that may or may not help you, but they are notoriously hard to parse for the non-specialists you may need to hand that information off to, like law enforcement or your CIO.

So something like this:

Delivered-To: myemail@gmail.com
Received: by 2002:a02:b08d:0:0:0:0:0 with SMTP id v13csp616331jah;
        Sat, 21 Sep 2019 06:16:09 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzfJBZgZFLvYln0C5ff2BNNZvfsq9f4lA254ZUpw8wI5BwJcu+stDTFtheBVH01Ov/AhJbJ
X-Received: by 2002:adf:f801:: with SMTP id s1mr3708896wrp.293.1569071769869;
        Sat, 21 Sep 2019 06:16:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1569071769; cv=none;
        d=google.com; s=arc-20160816;
        b=VdRaidoMjN49dF9qghOdMhUPYjBZf/GRzGceuH7oo/BU2ubc4No16oA3mFGKbR0pe4
         Zf9EXWqekVME4BR6NaxTYyuWLN8q/vdT5w3rOgSmltVIAT0P7/AF6RJP7Dlco0aVHtAE
         YIGc/lOd/aBwWgx4gUafNWzJI+5GRr2rg+mDK730hCeYYtnfH0F2rtJ0iKGCqL0T3Odg
         uMuZWFuqlouDtSPspuLvW3koMxSZohZP6jEgmKEg82tgHskpy5FwajEhMczjy9m3a2+M
         6+7VqpCTDaxZOxumiW/rVYw6ioeDqVFcihj2B2bPDJldjwlYt+WGWnBlvwpFjUzHkUX9
         ej9A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=date:message-id:reply-to:errors-to:importance:from:subject:to;
        bh=fBciv81s9jC3SqKNz4eArSqcS6Tf65kIbzVlYmqqAKs=;
        b=rx8aMXYG0IhnjNbWR40dF4+bjFgEF2FvFCBAJGGpHpv3zXTBiFPb798+tOjFxUmXjr
         u6+eIrCUt1vdPyx+Q0Ms62PeThcyja+8FJBkZsJsYPf7mimbA3461e9SsYG2IuYRUgRW
         BxvjivczTYYECb7/djsFnSeE1LtCWzG1ySQml1Bygpg1aNLvZKTCRSAsXk9ChElJaEFD
         oPzjRkhfuYSydWDMRfMicjhtg6Yq8l2kZNSOcpjwEf552mf/Rr52HozJe2f8oGakB64Y
         +xoRJ2mJdd9p9rT0XuFaG2k4gvrGT2jlUVLnD2TfjUXUG00QqXa9i6OyiTBqx/kbusrF
         nlSw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=softfail (google.com: domain of transitioning ceo@gmail.com does not designate 93.99.104.21 as permitted sender) smtp.mailfrom=ceo@gmail.com;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <ceo@gmail.com>
Received: from localhost (emkei.cz. [93.99.104.21])
        by mx.google.com with ESMTPS id u67si1874795wmu.67.2019.09.21.06.16.09
        for <myemail@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Sat, 21 Sep 2019 06:16:09 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning ceo@gmail.com does not designate 93.99.104.21 as permitted sender) client-ip=93.99.104.21;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning ceo@gmail.com does not designate 93.99.104.21 as permitted sender) smtp.mailfrom=ceo@gmail.com;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: by localhost (Postfix, from userid 33) id 5893322309; Sat, 21 Sep 2019 09:16:09 -0400 (EDT)
To: myemail@gmail.com
Subject: Wire transfer
X-PHP-Originating-Script: 33:index.php
From: Bob Loblaw <ceo@gmail.com>
X-Priority: 3 (Normal)
Importance: Normal
Errors-To: ceo@gmail.com
Reply-To: ceo@gmail.com
Content-Type: text/plain; charset=utf-8
Message-Id: <20190921131609.5893322309@localhost>
Date: Sat, 21 Sep 2019 09:16:09 -0400 (EDT)

This is a mess to read for anyone not familiar with email headers, but it can be summed up like this:

Date: Sat, 21 Sep 2019 09:16:09 -0400 (EDT)
Delivered-To: myemail@gmail.com
Return-Path: ceo@gmail.com
Reply-To: ceo@gmail.com
Origin Domain: emkei.cz. [93.99.104.21]
Origin Location: Czechia
ASN Owner: Liberty Global B.V.
DMARC: Failed - unauthenticated
SPF: Soft Failed - Tagged as Spam
Email Contents: Attempt to initiate wire transfer
See appendix 1

The actual headers then go at the end as an appendix. This way the information the investigation needs, and the information the people you report to need, is right there: From, Return-Path and Reply-To all claim ceo@gmail.com, but the message actually reached Google's MX from 93.99.104.21 (emkei.cz) and failed both SPF and DMARC. The lines that exist only for routing inside the email systems are left out of the summary, but they are still easy to get back to by looking up appendix 1 if you want to analyze the message further. Keep that appendix copy verbatim: the summary is lossy by design, and the raw headers are the evidence.
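Producing that summary by hand every time gets old, and it is easy to miss a field. The script below is an added example, not code from the original post: it parses a header block with Python's standard email module and emits the same short form, with the full headers appended as appendix 1. The sample header block is constructed for the demo (it mirrors the shape of the headers above but uses example.com, example.net and 203.0.113.45), the trusted MX suffix ".example.com" is an assumption, and the origin location and ASN owner are left as fill-in lines because they need a GeoIP or whois lookup rather than a guess.

```python
"""Turn a raw email header block into the short summary handed to non-specialists.
Added example, not code from the post. The sample below is constructed and uses
documentation names (example.com, example.net, 203.0.113.45); Geo/ASN lookups
are left to the analyst rather than faked here."""
import re
from email import message_from_string

# Constructed sample (not a real capture): spoofed "CEO" mail that reached our
# MX (mx.example.com) from an external PHP web mailer.
SAMPLE_HEADERS = """\
Delivered-To: victim@example.com
Return-Path: <ceo@example.com>
Received: from localhost (webmailer.example.net. [203.0.113.45])
        by mx.example.com with ESMTPS id abc123
        for <victim@example.com>; Sat, 21 Sep 2019 06:16:09 -0700 (PDT)
Authentication-Results: mx.example.com;
       spf=softfail (example.com: domain of transitioning ceo@example.com does not designate 203.0.113.45 as permitted sender) smtp.mailfrom=ceo@example.com;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=example.com
Received: by localhost (Postfix, from userid 33) id 5893322309; Sat, 21 Sep 2019 09:16:09 -0400 (EDT)
Subject: Wire transfer
X-PHP-Originating-Script: 33:index.php
From: Bob Loblaw <ceo@example.com>
Reply-To: ceo@example.com
Date: Sat, 21 Sep 2019 09:16:09 -0400 (EDT)

"""

# "from <helo> (<rdns> [<ip>]) by <host>", as Postfix- and Gmail-style MTAs write it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?"
    r"\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\]\)\s+by\s+(?P<by>[^\s;(]+)")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
DMARC_POLICY_RE = re.compile(r"\bp=(\w+)")


def _flat(value):
    """Collapse a folded header value into one single-spaced line."""
    return " ".join(str(value).split())


def origin_hop(msg, trusted_suffix):
    """First hop recorded by a server we trust (None if there is none).
    Received lines are prepended in transit, so the bottom-most one whose 'by'
    host is ours is where we actually saw the sender's IP; everything beneath it
    was written by the sender's side and may be forged."""
    for received in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(_flat(received))
        if m and m.group("by").lower().endswith(trusted_suffix.lower()):
            return m.groupdict()
    return None


def auth_results(msg):
    """spf/dkim/dmarc verdicts plus the DMARC policy from Authentication-Results."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        text = _flat(header)
        verdicts.update(AUTH_RE.findall(text))
        m = DMARC_POLICY_RE.search(text)
        if m:
            verdicts["dmarc_policy"] = m.group(1)
    return verdicts


def summarize(raw_headers, trusted_suffix, analyst_note=""):
    """Reduce the header block to the fields the report actually needs."""
    # Default (compat32) policy keeps header values verbatim, which suits evidence.
    msg = message_from_string(raw_headers)
    hop = origin_hop(msg, trusted_suffix) or {}
    auth = auth_results(msg)
    return {
        "date": _flat(msg.get("Date", "")),
        "delivered_to": _flat(msg.get("Delivered-To", "")),
        "return_path": _flat(msg.get("Return-Path", "")).strip("<>"),
        "reply_to": _flat(msg.get("Reply-To", "")),
        "origin_host": hop.get("rdns") or hop.get("helo"),
        "origin_ip": hop.get("ip"),
        "spf": auth.get("spf"),
        "dmarc": auth.get("dmarc"),
        "dmarc_policy": auth.get("dmarc_policy"),
        "sending_script": _flat(msg.get("X-PHP-Originating-Script", "")) or None,
        "contents": analyst_note,
    }


def render(summary, raw_headers):
    """Plain-text report: summary first, the full headers as appendix 1."""
    lines = [
        f"Date: {summary['date']}",
        f"Delivered-To: {summary['delivered_to']}",
        f"Return-Path: {summary['return_path']}",
        f"Reply-To: {summary['reply_to']}",
        f"Origin Domain: {summary['origin_host']} [{summary['origin_ip']}]",
        "Origin Location: (fill in from a GeoIP/whois lookup of the origin IP)",
        "ASN Owner: (fill in from a whois lookup of the origin IP)",
        f"DMARC: {summary['dmarc']} (policy p={summary['dmarc_policy']})",
        f"SPF: {summary['spf']}",
        f"Sending Script: {summary['sending_script'] or 'none'} (X-PHP-Originating-Script)",
        f"Email Contents: {summary['contents']}",
        "See appendix 1",
    ]
    return "\n".join(lines) + "\n\nAppendix 1 - full headers\n\n" + raw_headers
```

Run it with `render(summarize(SAMPLE_HEADERS, ".example.com", "Attempt to initiate wire transfer"), SAMPLE_HEADERS)`; the analyst note is the one field a script cannot fill in. The origin is taken from the bottom-most Received line written by one of your own servers, not from the lowest Received line, because the "by localhost (Postfix ...)" hop was added by the sender's machine and says nothing trustworthy about where the mail came from.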

This is a lot better than just saying

origin 93.99.104.21

and assuming people know what the heck you are talking about, even if it takes a bit more time to write out.
