obsidianforensics
commented
1 year ago Hi there! We don't have a concept in DFIQ for priority, which is why you can't sort questions by it.
I'd be interested in any thoughts around how a priority system in DFIQ would work.
My thoughts on the issue are:
- Priority is subjective, and the priority of a question will vary depending on the specifics of a case and the answers to other, related questions
- in DFIQ, Scenarios are broad "knowledge bases" for a particular type of investigation - a responder can use it as reference and pick and choose what questions make sense, based on their specific case. I don't think generically assigning priority to Questions within a Scenario makes sense in DFIQ's context
- Scenarios aren't the only way to organize Questions (it's just the initial way in DFIQ). If someone wants to make a checklist or punchlist of Questions, ordered by some kind of priority that makes sense in their context, that's totally fine.
-
DFIQ is trying to stay out of the "flowchart" part of making playbooks/runbooks; that feels too brittle and subjective and would need a lot of maintenance and room for discussions as to the "correct" way. Keeping DFIQ more focused on Questions allows it to focus more on facts (what files were downloaded? was psexec run?) rather than investigation philosophies on what to do when.
That was a long-winded response, but DFIQ is still in the early stages so we have a lot of this kind of "philosophical" stuff to hash out still - so thanks for the question! We definitely need to consider stuff like this.
ruppde
joachimmetz
Expected Behavior
Sort questions by priority
Actual Behavior
Questions sorted by ID
Specifications