SANS Digital Forensics and Incident Response Blog

Investigators: How to Write a Report and Store Digital Evidence

A wise investigator assumes an attitude of professionally skepticism. She recognizes that any piece of evidence may not be what it seems to be, and might in the future be interpreted in a different way or be refuted by other evidence.

Consider for example one of the most famous and thorough investigations in American history. The official investigation of the 1970 shooting of Kent State students by national guardsmen concluded that a certain Terry Norman (paid FBI informant) played no role in the shooting. However, forty years later a previously-unknown tape recording of the events has surfaced, and a forensic analysis of the recording shows that someone fired a .38-caliber pistol four times, shortly before the guardsmen opened fire. Norman was known to have brandished such a pistol at that place and time. It appears that Norman fired shortly before the guardsmen fired. So the official investigation appears to have been wrong on account of compelling evidence that emerged four decades after the fact.

In many cases, a professional investigator needs to remember that her investigative work and report will not and should not be the final word on a matter. The investigator's job is to collect and analyze evidence, recognizing that rarely will the investigator possess all of the possible evidence. Someone else will be the final judge and jury.

As an educational exercise, I have developed a prototype, online investigation report and evidence container. Part check-list, part demonstration, this prototype could be useful for many kinds of non-criminal investigations. Using the Zoho online notebook application, I created the prototype as a teaching tool for my SANS course on the law of investigations.

The prototype report gives instructions on the skeptical attitude the investigator should adopt. It reminds the investigator to evaluate any biases or conflicts of interest she may possess. It includes an optional banner for protecting attorney-client confidentiality and attorney work product. It provides the investigator a means for storing embedded evidence (written text, plus audio, video or other files) and for affirming that the stored evidence accurately reflects what the investigator collected.

An interactive, published report from the prototype appears here:

Obviously many investigators who might want to use a report like this in Zoho would not want to publish the report openly for all to see. Zoho allows the report to be shared (read-only or read/write) selectively, with people possessing the right credentials.

In the prototype, I signed the report with a webcam electronic signature.

I secured the stored evidence, and associated it with my webcam signature, using the log-on ID and password to my Zoho account. Further, Zoho allows me to secure my account (and prevent tampering with the report) by limiting which IP addresses can access it and by providing me a report on which IP addresses accessed at which time. Zoho keeps a detailed history of revisions, which could be helpful if question arose about whether someone tampered with the report after it was finalized.

Zoho allows the people with whom I selectively share a report to make their own, independent copies of it. These independent copies could deter me from making undetected changes to my report after I finalize it.

I am interested in feedback. What do you think? If anyone would like to help me make an iPad, iPhone or Android app like this, please let me know!

—Benjamin Wright
Mr. Wright teaches the law of investigations at the SANS Institute.


Posted October 23, 2010 at 4:20 AM | Permalink | Reply

Uma Mahesh

Its really good as it includes special txt file giving authority to investigation which keeps investigator safe. It is always and highly important that investigator has to play safe otherwise might end up in screwing himself legally.
It is good from legal perspective and also provides focus for investigation, however one thing I find missing is Time Line. I believe it plays very important role for any investigation. Also I believe it should have a column for listing out the who are the people involved in the issue and may be their scope.

Posted October 25, 2010 at 10:21 PM | Permalink | Reply

Benjamin Wright

Uma Mahesh: Thank you for the good comments. I'll incorporate them into version 2. ''"Ben

Posted October 28, 2010 at 5:17 PM | Permalink | Reply

Rob Lee

I really enjoyed reading this Ben. Thanks for sharing. Very useful'' Ill include this link as additional information in the course.

Posted January 28, 2011 at 8:48 PM | Permalink | Reply

John Franolich

I like "the authenticating this Report and Evidence Container".. what happens if Zoho goes out of business?

Posted January 29, 2011 at 4:35 PM | Permalink | Reply

Benjamin Wright

John: That's a good question. Zoho Notebook (which has remained in beta for too long) is not ideal. I chose it for demonstration purposes because I was looking for something that was app-like in its functionality, something that integrated functionality into a package. Zoho Notebook was the best I could find at the time because it does directly integrate webcam functionality.
To answer your question directly, I have two replies:
1. Zoho Notebook allows you to download a copy of the final record, which you could give to multiple people (your boss, your lawyer, your colleagues). That approach is not ideal.
2. Instead of Zoho Notebook, I actually prefer email as the final evidence container. Using email, the investigator attaches the evidence (i.e. the witness's voice record) and the webcam video to an outgoing email. I have not found a completely cool way to demonstrate the use of email in this way. I've been trying to persuade developers to make a smartphone app that captures evidence (e.g. audio or photo), and attaches it, together with a webcam signature video , to outgoing email. The investigator can send the email to multiple people. Email retains a reliable record under the control of the investigator's enterprise. I have blogged about email as a container for the investigator's evidence and report
What do you think about email as the container?
[Nothing I say in public discussions is either warranted for accuracy or legal advice for any particular situation. If you need legal advice, my public statements are not the place to get it.]