SANS Digital Forensics and Incident Response Blog

Report Writing for Digital Forensics: Part II

This blog post is a second edition and follow-up to Intro to Report Writing for Digital Forensics, which you've taken the time to review, digest, and dissect. How the digital forensic practitioner presents digital evidence to his/her intended audience (regardless of why we are preparing a digital forensic report) establishes the proficiency of the digital forensic examination. Let's take it a step further: how will you present your findings? Effectively reporting what you found during your forensic examination will aid you in presenting your report and the digital evidence to whomever your intended audience will be, which ultimately may be a jury in a criminal or civil proceeding. In this blog post, we are going to tackle some more report writing issues. Remember, YMMV depending on what hat you wear in digital forensics and who you will be reporting your findings to. So how can you be effective at completing your forensic report and presenting your findings? Wherever you fall as a digital forensic examiner/analyst, you have to win in the field to win in the courtroom! This is your time as the examiner/analyst (maybe expert witness?) to tell the story (are you creating a timeline or super-timeline during your forensic analysis?) of the digital evidence, or even the lack thereof, and how it relates to the details of the case. This is your time to shine and communicate your work product to your audience! Stick to the facts and be straightforward with the evidence.

If you fail to effectively report your findings, your analysis will quickly be forgotten as your reader is left to draw their own conclusion or, worse, turn elsewhere for the answer. Your forensic report should be a balance of technical detail, presented in a simple fashion and tailored to your audience. Avoid link dumping, or "I used ABC automated forensics tool, exported the SAM registry hive, exported all e-mail & pictures, and burned the report to a CD". How much of that data is relevant to the case? Recently, Benjamin Wright, Esq. wrote a great article titled "Investigators: How To Write A Report and Store Digital Evidence". Benjamin states, "As an educational exercise, I have developed a prototype, online investigation report and evidence container. Part check-list, part demonstration, this prototype could be useful for many kinds of non-criminal investigations. Using the Zoho online notebook application, I created the prototype as a teaching tool for my SANS course on the law of investigations." Take some time to read his blog article and take a look at the Zoho online notebook if you haven't. As Benjamin points out, this could be a useful tool in non-criminal investigations.

When you are preparing your report, your first section, as I discussed in Part I, will be an "Overview/Case Summary". In this section, remember you are defining your role in handling the digital evidence and why a forensic examination is being conducted. This is an abstract/synopsis of your forensic examination and should be straightforward. You will include the technical details in the "Findings and Report (Forensic Analysis)" section. In some cases, a case summary may be sufficient for what your client/prosecutor/attorney is requesting. It is also good to keep a detailed forensic report for your records (per your department/company policy) in anticipation of legal proceedings. Your case summary should be written to the level where the non-technical reader will grasp and understand your findings. Lars Daniel with Guardian Digital Forensics blogged about presenting technical data to a non-technical audience here and here. Corey Harrell has a good blog post here on the Digital Forensic Investigation process. I mention this because you have to know where you are to get where you are going with your investigation, and reporting is an integral part of this process.

Secondly, we discussed "Forensic Acquisition & Exam Preparation".

Can you explain the forensic acquisition process in layman's terms to your audience?

Figure 1. Source: Guardian Digital Forensics (Reprinted with Permission)

Next, we discussed "Findings and Report (Forensic Analysis)".

What about webpage and browser artifacts that you just recovered for an internal investigation on your corporate network?

Figure 2. Source: Guardian Digital Forensics (Reprinted with Permission)

How about the deleted document containing sensitive data that you were able to carve out of unallocated space?

Figure 3. Source: Guardian Digital Forensics (Reprinted with Permission)

Lastly, we discussed formulating the "Conclusion".

These are basic processes during the forensic examination. Explaining certain forensic terminology in a non-technical manner can be difficult even for the most seasoned examiner. Remember to find out who your intended audience will be, that is, who will be reading your forensic report. A case summary or abstract may be sufficient if that is what your client/audience expects. Depending on the type of case you are involved in, I would strongly recommend completing a formal and complete forensic report, at least for internal documentation and reference. An engagement/incident response/criminal matter could go to court at any time for any number of reasons. Seek advice from your legal department/attorney/district attorney on retention policies and requirements for your company/agency.

Resources: Forensic Focus: Sample Reports and Links

NASA's Glenn Research Center: Guide to Research and Report Writing

10 Comments

Posted February 28, 2013 at 7:16 PM

Tom

I can't remember where, but I heard someone say that analysts should just report the facts, and leave the story telling to the lawyers. Do you have any thoughts on that?

Posted February 28, 2013 at 8:29 PM

Brad Garnett

Tom, thank you for the comment. Absolutely, the digital forensic examiner should only be reporting facts in his/her report. If a court of law certifies a digital forensic examiner as an expert witness versus a lay witness, then the examiner will also be able to provide an expert "opinion" before the court. If the digital forensic examiner fails to provide context from his/her findings, are they doing a disservice to their counsel/client? Every engagement and digital forensic examination has different goals. After all, aren't we trying to affirm, deny, or reverse our original hypothesis or the problem we were presented prior to initiating the forensic examination? Telling a story [or a sequence of events] should be in a non-fiction format, drawn from the digital forensic artifacts, and put into a plain-language, easy-to-understand format for clients, attorneys, supervisors, and the lay non-technical reader. Know your audience and the goals of your exam when you "report for dough" (Dave Hull quote).
Check out https://sites.google.com/site/digitalforensicsource/df-source-files Example: 08-069208CaseReport.doc from the 2008 Casey Anthony case.

Posted March 01, 2013 at 12:16 AM

Larry Daniel

Very nice write up Brad.

Lars Daniel and I will be presenting on this very topic at CEIC this year: Writing Expert Reports and Defending Them in Court.

I hope to see you there.

Larry Daniel

Posted March 01, 2013 at 12:51 AM

Tom

Thanks for clearing it up, and pointing me to the Casey Anthony report. I have some reading to do. :)

Posted March 01, 2013 at 1:25 PM

H. Carvey

Brad,

"If the digital forensic examiner fails to provide context from his/her findings, are they doing a dis-service to their counsel/client?"

Excellent question. Perhaps, rather than "if", the real question should be "how"...how does the examiner provide context? Do they do so through speculation? I just saw something on social media yesterday where an "examiner" speculated that timestomping was involved in the issue being examined...but after asking how they'd verified that assumption, their response was that they hadn't.

Posted March 01, 2013 at 5:56 PM

J. Harper

@Harlan .. IMO, speculation would rank right up there with hearsay. The data is either there, or it isn't.

@Brad .. good write-up.

Posted March 05, 2013 at 9:50 PM

Larry Daniel

@ J.Harper, @ Harlan

One of the things I see in court testimony is that speculation slips in when offered as an "opinion" by an expert. It is unfair to extrapolate to the point of speculation, in my opinion, unless you have a strong factual basis in the evidence to form the opinion. But then, it is no longer speculation, it is an expert opinion.

Posted March 20, 2013 at 12:25 AM

Brett Shavers

Great points made in the article. I've always considered writing a report to be compared to painting a picture where the writer guides the readers to draw their own conclusions. Unexplained facts are unhelpful, but when placed in context with related information, help readers to personally connect the dots.

But when facts point to a specific person and eliminate every other person, the report writer doesn't have to make a statement to that effect, as it should be clear to the reader that of course the suspect did it.

In a book I just finished (Placing the Suspect Behind the Keyboard), I mention several of the same points in this article and also elaborate on obtaining facts that are compiled outside a digital forensics analysis of a hard disk. Digital forensics is cool and so is writing a killer report that makes the reader feel as if they are reading a well-written suspense novel.

Posted March 20, 2013 at 1:39 AM

Brad Garnett

Brett,
Thank you for the comment. I had read that your book was being published (congrats) and is just recently available. I will definitely have to add it to my reading list.

Posted March 20, 2013 at 1:50 AM

Brad Garnett

Author's Note: This blog post was originally published in August of 2010 and reposted recently [encore]. Thank you for all the comments.
