Maintaining Evidence-Based Reporting

15

Introduction

Conducting an investigation involves more than supporting the business risk scenarios discussed in Chapter 7. An investigation must also enable the organization to answer the questions of who, where, what, when, why, and how, and to demonstrate how its digital evidence supports the credibility of those answers.

Achieving these goals requires that forensic viability of digital evidence, including the authenticity and integrity of the data, is maintained by following the steps outlined throughout this book, such as the need for governance over the collection, handling, and storage of digital evidence. Furthermore, by applying an evidence-based methodology for managing an investigation, organizations will be in a better position to establish the credibility of the answers to questions as they arise.

Importance of Factual Reports

Having processed all digital evidence, a formal report must be created to communicate the results of the investigation. However, one of the biggest downfalls of any investigation is deficiencies in the final report. Ultimately, if decision makers cannot understand and interpret the information detailed within the report, the entire investigation could result in failure.

As with any investigation, organizations should always conduct themselves while keeping in mind that the matter will continue on to legal proceedings. Therefore, creating a formal report should be done not only to share information within the context of the organization, but also with the intention of presenting evidence as testimony in a court of law.

Under Rule 26 of the U.S. Federal Rules of Civil Procedure, any person who will present evidence as testimony has a duty to disclose a written report.

These reports must disclose all “facts or data” considered by the person during the investigation, the basis on which they established these “facts or data,” and the information that was used to arrive at these “facts or data.”

It is important to understand that Rule 26 is intended to exclude theories or opinions, and that a credible investigative report therefore limits its disclosure of “facts or data” to information that is “material of a factual nature.”

Types of Reports

Completed during the presentation stage of the digital forensics readiness model, discussed further in Chapter 2, investigative reports are essential in communicating facts about the information analyzed to various stakeholders, such as presenting evidence as legal testimony. As the first step to creating a report, it is important that the authors identify the target audience and the purpose for creating the report.

Identifying the target audience is particularly important. Authors need to ensure that the content of the report is structured to be clear, concise, easy to follow, and understandable to the target audience. For example, where a report is being provided to management, the authors should consider accompanying any technical content with reference or educational materials to clarify or further elaborate this information so as not to alienate the reader.

With the audience determined, the next step is to decide which type of report is required. Typically, investigative reports can be grouped into one of the following categories:

•  Verbal formal reports are typically quite structured and are commonly used to present information to management or in front of a jury without producing any form of document. An important consideration when using this presentation style is the amount of time available to communicate the facts. If the pace is quick, there is a chance that the audience will not clearly understand the information; alternatively, if the pace of delivering the report is too slow, the author may not have enough time to share important pieces of information contained within the report. Authors must ensure that they organize the presentation of information in a way that clearly and concisely focuses on the facts of the investigation.

•  Verbal informal reports are typically less structured and are commonly used to present information to management or in an attorney’s office without producing any form of document. With respect to using this style for management communication, it is commonly done as an “elevator speech” where the facts of the investigation need to be shared quickly. Alternatively, this presentation style can also be used when communicating with attorneys where there is a need to reduce the amount of written information that can later be discovered as part of a legal proceeding. Authors must ensure that they are prepared to deliver this style of report by focusing on key relevant and meaningful facts of the investigation to avoid confusion or misinterpretation.

•  Written formal reports are typically quite structured and result in the creation of a document that will be used to present information to management or as part of legal proceedings. Regardless of who the audience is, this style of report is considered legally discoverable and can be used in a court of law. These reports require authors to pay a great deal of attention to detail and ensure that the report is focused specifically on communicating credible and factual information only. When writing these reports, it is recommended that the authors use natural language, as discussed below, and not use words or grammar that are difficult for readers to understand. The arrangement of these reports is discussed in the section below.

•  Written informal reports are considered high-risk because the information being documented might not yet be proven as factual to the investigation. If this style of report must be produced, it is important for organizations to understand that these documents are discoverable in a court of law. Instead of making preliminary statements about information that may not be factual, authors should include the same level of information provided in the verbal informal report discussed above.

Creating Understandable Reports

A written report should flow just as naturally and logically as we think or speak. Each related fact and piece of information should be grouped together into a single paragraph and build upon each other from beginning to end.

The use of jargon and slang should be avoided at all times. Where technical terms need to be used, they must be defined using natural language as part of a taxonomy, which is discussed further in Addendum D, “Building a Taxonomy.” Additionally, when using acronyms or abbreviations, they should be written in full expression upon first use or defined as part of the taxonomy.

Events being communicated occurred before the report was written, which means the authors should primarily write in the past tense but can decide to change tense to use either present or future where appropriate.

Arranging Written Reports

Regardless of whether the investigation will proceed to a court of law, all investigative reports should be structured to communicate relevant and factual information. At a minimum, authors should ensure that the following components are consistently found in every type of report that is being presented:

•  Provides an accurate description of all events and incident details

•  Is clear, concise, and understandable to the relevant decision makers

•  Is admissible and credible in a court of law

•  Does not present opinions or information that are open to misinterpretation

•  Contains sufficient information to establish the factual relevance of its conclusions

•  Is completed and presented in a timely manner

With verbal reports, whether formal or informal, the intention is to speak about the facts of the investigation. Alternatively, when using a written report the authors should ensure that they follow a consistent approach in the layout and presentation of the facts. In addition to ensuring the above noted goals are achieved, a standardized template should be used to establish a repeatable standard for how facts and information will be presented.

Understanding that the inclusion of information in a written formal report is subject to the organization’s needs, the required components of a standardized report template should include the following:

•  Executive summary: The sub-sections included within the executive summary are intended to provide readers with a high-level summary of the investigation. Most commonly, this section might be all that management reads to get an understanding of the investigation. For this reason, it is important that the information contained in these sub-sections be written in natural, business language that does not include unnecessary technical details.

    •  Background: Describes the event(s) and/or incident(s) that brought about the need for the investigation, the objectives of performing the investigation, and who authorized the investigation to be conducted.

    •  Summary of findings: Summarizes the significant findings that resulted from the investigation.

    •  Conclusions: Establishes credible answers to the questions that arose from the investigation.

•  Investigative details: The sub-sections included within the investigative details are intended to provide readers with detailed information about the investigation. While the information contained within them places emphasis on the digital evidence, it must be focused on detailing the credibility of the facts as experienced during the investigation.

    •  Chain of evidence: Describes the continuity of all digital evidence, including where it was identified, the techniques used to seize it, and the methods used to transport it.

    •  Gathering of evidence: Specifies the methodologies, tools, and equipment used to collect and preserve digital evidence.

    •  Processing of evidence: Specifies the methodologies, tools, and equipment used to examine digital evidence.

    •  Analysis of evidence: Details the meaningful, relevant, and factual findings from analyzing digital evidence.

•  Addendums: The sub-sections included within the addendums are intended to provide readers with in-depth supplementary information that supports the findings outlined in the previous section. Examples of supplementary information that can be included are:

    •  Tables listing the full pathnames of significant digital evidence

    •  The total amount of digital evidence reviewed during the investigation

    •  Keywords and terms used, and the results of string searching

A template for creating written formal reports has been provided as a reference in the “Templates” section of this book.
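The addendum tables described above (full pathnames of significant evidence, the total amount of evidence reviewed, and keyword search results) are the part of a written formal report most easily generated from the evidence itself, and doing so also lets the report demonstrate the integrity claim made in the introduction: that each item still matches the hash recorded at seizure. The following Python script is an added example and is not code from this book or its templates. It assumes that a SHA-256 hash and a custody log were recorded for each item at seizure; the three evidence files, their contents, the custody entries, and the post-seizure alteration of one file are all constructed here for illustration.

```python
"""Build the evidence addendum of a written formal report from a seized item set.

Added example (not from the book). Assumes each item carries the SHA-256 hash
recorded when it was seized plus a custody log of (timestamp, handler, action).
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CHUNK = 65536


@dataclass
class EvidenceItem:
    """One seized item: full pathname, hash recorded at seizure, custody log."""
    path: str
    seized_sha256: str
    custody: List[Tuple[str, str, str]] = field(default_factory=list)


def sha256_file(path: str) -> str:
    """Stream the file so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_integrity(items: List[EvidenceItem]) -> List[Tuple[str, str, str, str]]:
    """Re-hash every item now and compare with the hash recorded at seizure."""
    rows = []
    for it in items:
        current = sha256_file(it.path)
        status = "VERIFIED" if current == it.seized_sha256 else "MISMATCH"
        rows.append((it.path, it.seized_sha256, current, status))
    return rows


def keyword_search(items: List[EvidenceItem], keywords: List[str]) -> Dict[str, List[str]]:
    """Case-insensitive byte search; returns keyword -> paths with at least one hit."""
    results: Dict[str, List[str]] = {k: [] for k in keywords}
    for it in items:
        with open(it.path, "rb") as f:
            data = f.read().lower()
        for k in keywords:
            if k.lower().encode() in data:
                results[k].append(it.path)
    return results


def build_addendum(items: List[EvidenceItem], keywords: List[str]) -> dict:
    """The three addendum tables plus the list of items that failed verification."""
    inventory = verify_integrity(items)
    return {
        "inventory": inventory,
        "total_items": len(items),
        "total_bytes": sum(os.path.getsize(it.path) for it in items),
        "unverified": [row[0] for row in inventory if row[3] != "VERIFIED"],
        "keyword_results": keyword_search(items, keywords),
    }


def render_addendum(items: List[EvidenceItem], addendum: dict) -> str:
    """Plain-text tables suitable for pasting into the report's addendum section."""
    lines = ["A. Evidence inventory and integrity verification"]
    for path, seized, current, status in addendum["inventory"]:
        lines.append(f"  {status:<8} {path}")
        lines.append(f"           seized  {seized}")
        lines.append(f"           current {current}")
    lines.append("B. Chain of custody")
    for it in items:
        for ts, handler, action in it.custody:
            lines.append(f"  {ts}  {handler:<12} {action:<10} {it.path}")
    lines.append(f"C. Total evidence reviewed: {addendum['total_items']} items, "
                 f"{addendum['total_bytes']} bytes")
    lines.append("D. Keyword search results")
    for kw, hits in addendum["keyword_results"].items():
        lines.append(f"  {kw!r}: {len(hits)} item(s) " + ", ".join(hits))
    return "\n".join(lines)


def make_constructed_evidence(root: str) -> List[EvidenceItem]:
    """Constructed sample set (not real case data). One file is altered after seizure."""
    contents = {
        "case-0001/mailbox/export.txt": b"Subject: transfer approved\nPlease wire the funds today.\n",
        "case-0001/shares/notes.txt": b"Meeting notes. No action items.\n",
        "case-0001/usb/ledger.csv": b"date,amount\n2024-01-05,12000\n",
    }
    items = []
    for rel, body in contents.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(body)
        items.append(EvidenceItem(path, sha256_file(path),
                                  [("2024-02-01T09:00Z", "examiner-1", "seized")]))
    # Simulate an undocumented change after seizure; verification must flag it.
    with open(items[1].path, "ab") as f:
        f.write(b"edited later\n")
    return items


def demo() -> Tuple[dict, str]:
    with tempfile.TemporaryDirectory() as root:
        items = make_constructed_evidence(root)
        addendum = build_addendum(items, ["wire", "funds", "ledger"])
        report = render_addendum(items, addendum)
    return addendum, report


if __name__ == "__main__":
    print(demo()[1])
```

The `unverified` list is the important output: an item whose current hash no longer matches the seizure hash cannot be presented as credible in the report until the discrepancy is explained in the chain-of-custody section, so the script surfaces it rather than silently including the item in the inventory.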

Inculpatory and Exculpatory Evidence

While the objective of performing an investigation is to determine the root cause or identify a culprit, all conclusions derived from the analysis of evidence must be factual and credible. However, as conclusions are being drawn, it may become clear that there is inculpatory (indicating guilt) and exculpatory (indicating innocence) evidence that needs to be considered further before any factual and credible conclusions can be established.

The totality of all digital evidence, whether inculpatory or exculpatory, is an important consideration when establishing credible facts. The suppression of exculpatory evidence, which indicates innocence, is a violation of U.S. Supreme Court rules and can result in implausible facts. Organizations must ensure that their governance documentation, such as standard operating procedures (SOPs), clearly defines how exculpatory evidence is to be handled when it is encountered.

Brady v. Maryland, 373 U.S. 83 (1963), is a landmark ruling that set the precedent requiring the disclosure of all exculpatory evidence.

The state of Maryland prosecuted Brady for murder; Brady claimed that a companion had committed the actual killing. The prosecution willfully withheld from the defendant the companion’s written statement in which he confessed to committing the murder.

Under the Brady rule, named after this matter, the Supreme Court held that the suppression of evidence favorable to a defendant is a violation of due process, and established that evidence which proves innocence must be disclosed.

Summary

When communicating the findings of an investigation, it is important that reports are created to focus specifically on the credible facts that have been established during the investigation. Regardless of whether findings from digital evidence demonstrate guilt or innocence, as long as reports are an accurate representation of the event(s), they are considered relevant and credible.
