CHAPTER 16
Documenting Your Findings with Reports
We’ll Cover

•   Documenting your findings
•   Exploring different types of reports
•   Explaining your work

Getting the answers to technical questions during an investigation is only half of your job as a computer forensic investigator. The other half has to do with communicating your results to those who requested your services. This chapter focuses on how to document your findings so that someone who is nontechnical can understand them. You learn about reporting standards and how to explain your work and its meaning to others.
Documenting Your Findings
One of the most common mistakes many first-time report writers make is thinking that whatever report option is built into their favorite computer forensic tool is acceptable. Truth is, that’s not the case. No matter how expensive your forensic software, those canned reports are not what you should be providing as your deliverable. A report generated by a forensic tool might, however, provide a nice appendix to your actual written report, because it will contain facts about the forensic images, information about who did the examination, and information about sections of the forensic image you may have bookmarked. What that report does not do is explain in layperson’s terms what you were asked to find, what you in fact found, and what it all means.
When you create a report, regardless of what format you use, five basic areas must be covered:

•   Who asked you to undertake the investigation
•   What you were asked to do
•   What you reviewed
•   What you found
•   What your findings mean
Tip
If you don’t have a report template, and the examples in this chapter don’t work for you, you can use these bullet points as a report outline. Although they do not form a formal report structure, they might help you organize your findings in a way that will allow you to break it down easily for a nontechnical person. Remember that your report is your deliverable, and your work will be judged on it.
Who Asked You to Undertake the Investigation
Your report will often serve as a way to remind yourself, at some point in the future, of what you did. This can be important, because some cases can idle for months or even years. If the organization changes and your authority to perform an investigation is questioned, the fact that you documented who asked you to perform the investigation in the first place will be quite important, even if you summarize this in a single sentence: “At the request of John Doe in Human Resources, we began our investigation.”
Note
Don’t underestimate the importance of this simple information. Being able to state who requested your work will prevent many issues that can come up later, if someone within the company tries to bury your investigation. And, yes, this happens. Conversely, if someone is requesting that you perform an investigation but they can’t tell you on whose authority the investigation is to occur, you probably shouldn’t take on the job.
What You Were Asked to Do
What you were being asked to investigate is also very important information to include in your report. There are times when, either through the human resources reviews or through an improper termination lawsuit, your suspect will challenge whether they were unfairly targeted or discriminated against via your work as the examiner. Including information about not only who asked you to perform your investigation but what you were asked to investigate will prevent confusion in the future. You can simply say, “Jane Doe was made aware of the offensive browsing habits of Jim Smith and asked us to review his work-issued systems to determine whether he was doing so during company time.”
LINGO
An improper termination lawsuit is the most common type of lawsuit that an internal computer forensic examiner may get involved with. An ex-employee sues her ex-employer for firing her either because she believes the reasons given for her termination were false or because she alleges that she was unfairly discriminated against in some way or because other employees were not terminated for the same alleged offense.
In Actual Practice
People file many types of lawsuits. Truth is, a person can sue for any reason (though the lawsuit may be thrown out of court if it makes no sense). Even if your evidence is rock solid and a suspect knows he is guilty, he may still threaten an improper termination lawsuit to try to get back his position or additional benefits. This is particularly important when you’re dealing with union employees whose contracts may have restrictions on how they can be disciplined and/or terminated.
What You Reviewed
When you describe what you reviewed, you shouldn’t limit that to “a laptop.” You need to include the user who uses the laptop; who the laptop belongs to; the network name; the make, model, and serial number of the laptop; the make, model, and serial number of the laptop hard drive; and what operating system it is running. This specificity is required because you are stating which evidence now in your possession contains the information that leads to your conclusions. If your results are challenged, either internally or in a court proceeding, your ability to state exactly which system you investigated prevents any confusion. This information may or may not warrant its own paragraph or section in your report, depending on the number of devices you reviewed. Here’s an example of a statement regarding what you reviewed: “Jim Smith’s company-issued laptop, identified as JSMITHCORP, is an HP EliteBook laptop, serial number 123456, containing a Hitachi hard drive model aa123, serial number 11003, running Windows 7 Professional. It was reviewed in this investigation and all results cited in this report came from this system.”
Tip
When you’re describing a system, more detail is better than less detail. The amount of detail you provide in your report will change as you get more comfortable generating and defending your reports. Remember that if you decide not to present all the details in the report, inform whomever is reviewing your report that you can provide additional details if necessary.
LINGO
Evidence in your possession may not always refer to the actual computer from which the image came. Instead, it may refer to the forensic images you created. If the chain of custody for a piece of evidence ends with you, then the evidence is still in your possession.
What You Found
Describing what you found in plain English (rather than using technical jargon) is important. Not only will this serve to remind you of what you found if you have to review this case in the future, but those who requested your work in the first place must be able to understand what you found in order to appreciate it. No matter how many days you put into your investigation and how many forensic artifacts you reviewed, your end result will be judged by your report. This means, for example, that you shouldn’t just write, “USBSTOR shows external drive”; instead, you should write, “Forensic artifacts located in the Windows registry under the ‘USBSTOR’ key reveal that an external storage device was attached to the system.”
Depending on the formality of your report, you could include a simple list of bullet points or a full narrative of the suspect’s activities. Following are some examples of each, starting with a bulleted list:

Findings

•   The Internet history records were deleted the day before we forensically imaged the computer.
•   The Internet history records were recovered from the deleted space on the disk.
•   The Internet history records reveal regular access to adult web sites during work hours.
•   The login records show that Jim Smith was the only user logged into this computer during these times.

And here’s the example narrative:
In our examination of the forensic image belonging to Jim Smith’s work computer, we first reviewed his Internet history records. Our analysis found that he deleted records that should normally be kept for 30 days on his system by company policy the day before we forensically imaged his system. We were able to recover the records he deleted using our forensic tools. These records revealed that Jim Smith has been regularly accessing adult web sites during work hours. To ensure that these were indeed Jim Smith’s accesses, we confirmed that no other user was making use of the system during the days in question.
 
A narrative provides additional nontechnical details such as the timing of an action—for instance, when the suspect decided to delete everything a day after he was put on notice. You don’t need to use flowery prose in a narrative, but you do need to tell your story in such a way that a nontechnical person can understand it and reach the same conclusions that you reached. The power of the narrative can be strong. Your ability to tell the story will help lead the reader to your conclusions in a way that can be much more persuasive than a list of bullet points.
LINGO
In a narrative, you write the facts of your investigation into a story rather than just listing them.
What Your Findings Mean
The last, but not least important, area of any report is what your findings mean to you. Typically, you’ll include this information in a section called “Conclusions,” but it can just as easily be included in the last paragraph of your report, starting with a sentence such as “In conclusion…” or “My conclusion is….”
IMHO
You might be wondering why you would need to write out your conclusions if you already listed what you found. Some people will try to say that the reader should draw their own conclusion so as not to bias the investigator. In my experience, the people who are requesting your work are not asking you to do so just so they can read about what you found; they also want to know what it means to you and your interpretation of the evidence. It is especially important to be descriptive if you used a bulleted list style of findings; this is where you can add additional depth to the meaning of your findings.
Finishing up our Jim Smith case, this is how I would write the conclusion:
In conclusion, after having reviewed all the evidence, it is my opinion that Jim Smith violated company policy in viewing adult material on his work laptop on a regular basis during work hours. In addition, it appears that Jim Smith attempted to hide this behavior by deleting his Internet history records from the system. Based on our review of the evidence, we do not believe this evidence was created by another user accessing Jim Smith’s system or the result of some virus or malware. Instead, this is the result of Jim Smith’s accesses to the system as supported by recovered deleted history records showing him logging into adult sites using his own e-mail address.
Tip
In a conclusion, you are generally allowed to state your own personal opinion. Just make sure you can justify it with evidence that supports it.
Types of Reports
One of the first lessons you learn as a writer is that you must always know who your audience is. The same holds true for your investigation reports. How formal your report is and what format it needs to be written in will depend on who requested your work and what the requestor intends to do with it. You should always ask who will be reading the report and what they intend to do with it. The answer will determine which of the following types of reports you will write:

•   If your report is meant for the review of only the person who requested it, to make a decision, an informal report may be suitable.
•   If your report is meant to detail the impact of an incident (such as malware or an intrusion), an incident report may be required.
•   If your report is meant for an internal review by human resources and legal, a formal internal report is likely required.
•   The declaration and affidavit are the most formal types of reports if an outside law firm is not involved and you are serving as an expert witness. This type of report is most appropriate when the legal department needs to submit your report to the court in a legal proceeding.
Informal Report
An informal report (Figure 16-1) can be as simple as an e-mail containing your conclusions. However, even in an informal report, it’s important that you capture the topics detailed in the first part of this chapter. Although you may not need to detail the make, model, and serial number of the devices in question, you should make it clear who requested you to do the work, what was requested of you, and your conclusions. Even an informal report can be used during litigation, so make sure that you write it appropriately.
Figure 16-1   An informal report
Incident Report
Incident reports (Figure 16-2) cover the impacts and exposure of data that may have occurred because of an incident. They typically focus on malware and intrusions, because the originators of these incidents are either outside of any legal jurisdiction or have no assets that could be used to pay for the damages they have caused. In these reports, you should ensure that you detail all the areas discussed at the beginning of the chapter; the reports may be passed on to regulators or legal entities in compliance with breach notification laws.
Figure 16-2   An incident report
Internal Report
The internal report (Figure 16-3) is a more traditional investigation report. It contains information on three major areas: Executive Summary, Findings, and Technical Details. The issues described at the beginning of the chapter will fit within these sections, but you will go beyond the level of detail you provide in other reports in the “Technical Details” section, where you place screenshots of artifacts, excerpts from recovered data, and evidence to support your conclusions.
Figure 16-3   An internal report
Declaration
A declaration (Figure 16-4) is a legal document—a sworn statement that you are making regarding a legal matter. If you are asked to write a declaration, you should know that it will likely be submitted into materials used in a formal legal matter. If your report is being submitted to other parties, they may retain their own computer forensics experts to critique your work and the truthfulness of your statements. For this reason, it’s crucial that you fully consider all the statements you make in a declaration. If someone asks you or convinces you to add in a statement you cannot support or do not agree with, you may face penalties in a court of law for making false statements. Remember that the only person who is liable for the statements made in a declaration is the one who signs it—you.
Figure 16-4   A Declaration
In Actual Practice
If the document you are submitting is not being sealed under some kind of protective order by the court, it is considered to be a public document. Therefore, in the future, anyone who is trying to challenge your testimony can find that document and question you about it. I bring this up to reinforce how important it is that you are confident and comfortable with all the statements made within any document you sign—you will have to live with what you’ve written for the rest of your career.
A declaration can comprise any form you want; sometimes your legal counsel will provide a declaration template or a draft of what they want you to attest to. The standard parts of a declaration include all the areas from earlier in the chapter, plus a section on your qualifications. Typically, when you are writing a declaration, you state your education, training, and experience to allow others to understand your expertise when evaluating your statements.
Affidavit
The main difference between an affidavit (Figure 16-5) and a declaration is that an affidavit is signed in the presence of a notary public. The notary public will then sign and stamp the document to attest that you appeared before them and signed the document. Beyond the notarized signature, the other differences are changing the title of the report to “Affidavit of Your Name” and the signature block.
Figure 16-5   An affidavit
Explaining Your Work
I’ve talked about what to include in your report and the different ways your report can be written or presented, but I haven’t yet covered how to explain what you found to your audience. Throughout this book, you’ve noticed the “Lingo” sections that offer definitions of some terms used in this book; in much the same way, you need to make sure you explain any technical terms or acronyms you include in your reports. You also need to ensure that, when you provide an example to explain a concept, you do this in layperson’s terms, because the majority of people reading your reports will not be technically savvy. Lastly, make sure that you can explain the meaning and relevance of all the forensic artifacts you discover.
Define Technical Terms
Any time your report makes reference to a computer forensic term, such as forensic image, unallocated space, carved file, slack space, or file fragment, you need to define it. Some people will notate each technical term and define it separately in a footnote; I prefer to define a word after I use it in the sentence. Defining your technical terms will not only make your report easier to understand, but it prevents confusion with other experts if your report is sent out for review.
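As an added example (not code from the book or from any forensic tool), the following Python report skeleton ties together three points above: the five required areas from the outline, the device specificity asked for under “What You Reviewed,” and the rule that every technical term is defined after its first use. The sample report reuses the chapter’s Jim Smith scenario; all other names and values are illustrative.

```python
# Added example (not the book's or any tool's code): a report skeleton that
# enforces the chapter's five required areas and defines jargon on first use.
from dataclasses import dataclass, field
import re

@dataclass
class EvidenceItem:  # one examined system, described with the specificity the chapter asks for
    user: str
    network_name: str
    make_model: str
    serial: str
    drive: str       # hard drive make, model and serial number
    os_name: str

    def describe(self) -> str:
        return (f"{self.user}'s company-issued system, identified as "
                f"{self.network_name}, is a {self.make_model}, serial number "
                f"{self.serial}, containing a {self.drive}, running {self.os_name}.")

@dataclass
class Report:
    requester: str = ""
    tasking: str = ""
    evidence: list = field(default_factory=list)
    findings: list = field(default_factory=list)
    conclusion: str = ""
    glossary: dict = field(default_factory=dict)  # term -> plain-English definition
    REQUIRED = ("requester", "tasking", "evidence", "findings", "conclusion")

    def missing_areas(self) -> list:  # the five areas that are still empty
        return [a for a in self.REQUIRED if not getattr(self, a)]
    def undefined_terms(self, known_terms) -> list:  # jargon used but never defined
        text = " ".join(self.findings + [self.conclusion]).lower()
        return sorted(t for t in known_terms if t.lower() in text and t not in self.glossary)
    def _define_inline(self, text: str, seen: set) -> str:
        # Append the definition in parentheses after a term's first use only.
        for term, definition in self.glossary.items():
            m = re.search(re.escape(term), text, re.IGNORECASE)
            if m and term not in seen:
                text = text[:m.end()] + f" ({definition})" + text[m.end():]
                seen.add(term)
        return text
    def render(self) -> str:
        if self.missing_areas():  # refuse to produce a report with an empty area
            raise ValueError(f"report incomplete, missing: {self.missing_areas()}")
        seen = set()
        lines = [f"At the request of {self.requester}, we began our investigation.",
                 f"We were asked to {self.tasking}", "", "Systems reviewed:"]
        lines += [e.describe() for e in self.evidence] + ["", "Findings:"]
        lines += ["- " + self._define_inline(f, seen) for f in self.findings]
        lines += ["", "Conclusion:", self._define_inline(self.conclusion, seen)]
        return "\n".join(lines)

# Sample report reusing the chapter's Jim Smith scenario (values are illustrative).
SAMPLE = Report(
    requester="Jane Doe, Human Resources",
    tasking="review Jim Smith's work-issued laptop for adult browsing during work hours.",
    evidence=[EvidenceItem("Jim Smith", "JSMITHCORP", "HP EliteBook laptop", "123456",
                           "Hitachi hard drive model aa123, serial number 11003", "Windows 7 Professional")],
    findings=["The Internet history records were recovered from unallocated space.",
              "Login records show Jim Smith was the only user logged in at those times."],
    conclusion="In conclusion, it is my opinion that Jim Smith violated company policy.",
    glossary={"unallocated space": "disk areas not assigned to any file, where deleted data can remain"},
)
```

Calling `SAMPLE.undefined_terms([...])` with your own list of jargon before rendering flags any term the report uses without a definition.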
Provide Examples in Layperson Terms
When you are explaining a computer forensic concept or artifact, you’ll often need to offer an example of how something came to exist. When you need to provide an example, either in the form of a metaphor or a scenario, make sure to put it in terms relatable to the report reader. For instance, when I mention “slack space,” I typically refer to other types of linear media, such as cassette tapes or VHS tapes. For example, I might say something like this:
Slack space works much like an old recording on a VHS tape. Suppose you had a VHS tape that originally had a concert recorded onto it. Sometime later, you used the same tape and recorded your favorite comedy show. If the comedy show was 30 minutes long and the concert was an hour long, you would expect to see the concert on the video about 30 minutes in, after you watch the comedy show. In much the same way, if a file does not completely overwrite a sector, the remains of the file that previously existed there can still be found.
 
It can be difficult to find examples relevant to your audience—there are so few VHS and cassette tapes in use today, for example—but in using examples, you can make the concepts accessible to the reader.
Explain Artifacts
New investigators sometimes assume that everyone understands the impact of a forensic artifact. After reading this book, for instance, you know what it means when a LNK file shows access to files on an external drive. To your report reader, however, if you don’t explain the file’s significance, this can simply be another confusing fact. When you point out specific artifacts found in your investigation, you need to make sure that you fully explain their meaning, their impact on the investigation, and how they relate to your conclusions.
Here is an example explanation:
We found three artifacts supporting the conclusion that Mr. Smith placed an external storage device on the system and copied data to it the day of his departure. First, we found an entry in the setupapi.log for the day of his departure. This entry represents the first time that Mr. Smith plugged in a specific storage device to the system. Second, we have the LNK files, showing specific files identified as confidential that were created and accessed on the external drive the same day Mr. Smith plugged in the storage device. Last, we found shellbags that provide the names of additional directories accessed that existed on the external storage device. Although we cannot see the contents of those directories, they match the same directory structure that we found on Mr. Smith’s work system and include files accessed via the LNK files. These three artifacts show that on his last day at work, it appears that Mr. Smith attached a new external storage device and then copied confidential data onto it.
We’ve Covered
In this chapter, we’ve walked through how to write a report on your forensic investigation. This is where many examiners have the most trouble. Learning and understanding forensic artifacts is fun for technical people who want to prove what someone did, but writing out their findings can be frustrating. I hope the examples provided in this chapter, and available on our web site at www.learndfir.com, make things easier for you. Writing reports is part of the job and the only way the people requesting your work will judge it.
Documenting your findings

•   Tool-generated reports are not satisfactory for your written report.
•   Know what to include in your report.
•   Explain what you found.
Exploring different types of reports

•   Know the differences between informal and formal reports.
•   Learn how to write an informal report.
•   Learn how to write different formal reports.
Explaining your work

•   Define technical terms.
•   Provide clear examples of technical terms.
•   Explain artifacts clearly.