Every report should begin with a clear and concise summary of the facts of the case and evidence gathered. The purpose of the summary is to provide the client (or court) with a high-level overview of the evidence gathered and the conclusions drawn based on the evidence. The summary is meant to provide the client or court with a snapshot of the facts and evidence. Remember, the client or court will be able to read the full details in the body of the report—the summary is merely an overview.
During an investigation, it’s easy to gather large amounts of evidence. While such evidence can be stored on an 8 GB USB flash drive (also known as UFD), if its contents were printed, it could generate a stack of paper approximately 1,000 feet tall. Even though you can’t have too much documentation, when it comes to presenting any case, you need balance. You won’t want to weed through tons of evidence again later, but you don’t want to appear incompetent. For example, if you are asked about log events or a specific activity, you don’t want to respond, “I know that I saw that somewhere.” If the activity is captured in a Tcpdump log file, you’ll need not only to be able to locate it again, but also to locate it quickly.
You need to organize relevant evidence in a report. When formulating a concise report, it is important to:
- Understand the importance of the report
- Limit the report to specifics
- Use a layout and presentation that is easy to understand
- Understand the difference between litigation-support reports and technical reports
- Write clearly
- Provide supporting material
- Explain methods used in data collection
- Explain results
The basic guidelines for your reports should be to document your steps clearly, use a template to organize the report, and be consistent. Documenting clearly and concisely helps ensure that the details can be recalled or conveyed when the need arises. To do this thoroughly, the scope of your original documentation must be broad and you should document every step of the process. Many of the tools we discuss in Chapter 8, “Common Forensic Tools” include report generation facilities that you’ll use to build your report, and to help you produce a summary to guide the judge, jury, and officers of the court through your painstakingly compiled evidence and information.
Often lawyers want to have electronic evidence produced for them in paper format. But evidence is much simpler to handle in electronic form, where it can be filed, cross-referenced, and indexed. Most law firms now have the technology to do this. A complete forensic analysis will usually fit on a single CD-ROM. Various software programs, such as AD Summation, permit evidence to be processed more efficiently than piles (and files) of paper. Find more information on AD Summation at http://accessdata.com. In particular, investigate CaseVantage at the following URL:
http://accessdata.com/products/ediscovery-litigation-support/ad-summation-casevantage
Kroll Ontrack is another software program that attorneys use. It provides software tools that let you view, search, sort, bookmark, and generate reports on data after the evidence is extracted. For more information go to www.krollontrack.com.
X-Ways Investigator offers a broad range of capabilities, including serving as an automated forensic examiner. It can come in handy during civil litigation when one party wants to examine the other party’s computers. Investigator is a product of X-Ways Software Technology AG. You can find information at http://www.x-ways.net/investigator/.