Reporting the case

Once the iterative process of network forensic investigation is complete, the genuinely hard part begins. This is also the point at which all the effort put into maintaining meticulous documentation pays off.

Reporting a case is a lot like narrating a story. The difference is that a story can be fictional or embellished to make a better tale, whereas an investigation report allows no such artistic liberty. It has to be thoroughly grounded in fact. Every statement of fact should be backed by solid evidence. Every conjecture should be supported by circumstantial evidence and clearly labelled as conjecture, so that a reader never mistakes an inference for an established fact.

A case report should be the following:

  • Clear
  • Concise
  • Purposeful

Keep the audience that the case report is aimed at in mind. Very long reports are seldom read, and their action points are hardly ever implemented; the structure of the report is therefore very important.

Most reports should begin with a case summary.

Following this, the report should at a minimum have the following structure:

  • Introduction
  • Information available and assumptions
  • Investigations
  • Findings
  • Action taken and recommended

Recommendations need to be carefully thought out and should have a specific bearing on the network forensics aspect of the case. Recommendations should include the following:

  • Whether remediation should be initiated now or deferred. Immediate remediation may tip off the attacker and precipitate action (such as destruction of evidence or of systems) that is far more damaging to the organization than a short, controlled delay.
  • Whether the scope of the assigned work should be narrowed or expanded to include more digital devices. A list of additional possible sources of evidence should be compiled and provided to management.
  • The evidence-retention period, on which advice should be taken from the legal team. This should form part of the recommendations, and additional secure storage should be arranged to cover it.
  • If specific or new artifacts identified during the investigation can serve as new indicators of compromise (IOCs), their inclusion as IOCs in the defense of the network should be recommended.
  • Actions that the organization is required to take as part of legal or regulatory compliance. An example is the discovery of child sexual abuse material, which in many jurisdictions carries a mandatory reporting obligation.
  • Other than the preceding points, there are likely to be a number of case-specific recommendations. All of these should be vetted and then presented to management.