SANS Digital Forensics and Incident Response Blog

New, Cool and Sexy vs. Dull, Repetitive and Necessary

Computer forensics has a tendency to focus on the new, the cool and the sexy. I call it the NCS.

Most training, books, blogs, articles and so on have a tendency to focus on the NCS. NCS holds the audience's interest so much better and is more fun to talk about.

Unfortunately, most work in computer forensics does not focus on NCS. Most of the work is on the dull, repetitive and the necessary. The DRN.

This column will talk about the DRN.

Reporting

In the practice of digital forensics, each step has a tendency to build upon the last. While it's hard to make a call on the most important phase, reporting stands out.

The report is the output. It is what the layperson can access. The final product. The report is the culmination of all the work that has come before it and must be treated with the respect it deserves. Unfortunately, the report is also the prime example of the DRN to most people.

That said, let's lay out three rules for when we write forensic reports.

Rule #1 — Don't rush

I can't stress enough the point: If you screw up the report, you have screwed up the whole examination. You have made all the work you have done on the case worthless.

I think too often, forensic analysts will rush through the report feeling as if the important work is done and they need to get to the next case. That is not true. With the report being the output of everything that has come before, there is no reason to rush the report. Take the time and care to do the report right. Proof read it. Walk away from it for a day and look at it with a fresh perspective the next.

Rule #2 — Stick to the facts

Putting anything other than facts in the report is unethical. It does not matter who hired you, your goal should be nothing more than to find and document the truth to the extent you are able.

You are not a decision maker as a forensic analyst. You are a fact finder. Your report should reflect this.

Far too often I have read reports that contain opinion, insults, cherry picked facts and so on. This is irresponsible and unethical.

Write the report, include the facts and let the recipient draw the conclusions. If you did your job well, the reader should be able to draw conclusions without any help from you.

Rule #3 — Be understandable

The report must be readable. It does not matter how great the information contained within it is, if it is not understandable the report is no good.

Don't assume any special knowledge on the part of the reader. Explain all terms, include a glossary, spell out acronyms and so on.

Most of us know about this, but we skip it because it's DRN to do.

Jim O'Gorman, GCFA Silver 1356, works for Continuum Worldwide and lives at Elwood.net. You can reach Jim at jameso@elwood.net.