12

Report Writing

I have worked with examiners who loved getting down to the bits and bytes of investigation. No one worked harder as they examined the digital evidence, tracking the digital breadcrumbs until they had the evidence they needed. They were intelligent and brilliant, and if I had committed a digital crime, I would not want them to investigate it. It had nothing to do with their ability to investigate and everything to do with their ability to write a report. To say their report was lacking is a massive understatement.

Report writing is one of the hardest things you can do as a digital forensic investigator. You must take a very technical subject and explain it in a manner that a non-technical person will understand while not making any assumptions about the potential user or the digital evidence.

We will cover the following topics in this chapter:

  • Effective note taking
  • Writing a valuable report

Effective note taking

Your ability to take notes will directly impact your ability to write an effective report on your digital forensic investigation. Your notes will be the foundation of your reporting. A simple phrase that has shaped how I conduct my exams is: if you do not write it down, it did not happen. One of your examinations may take days or months; you will simply not be able to remember exactly what you did on day 14 of your examination.

The fundamental elements of notetaking should include the following:

  • When you did something
  • What you did
  • What you saw
  • Why you did something

Your notetaking starts when you get the notification and have to respond to the scene. This includes the date/time when you were notified, who notified you, and when you arrived at the scene. Document any actions you take. If you collected volatile data (the RAM of the system in question), did you alter the digital evidence? The answer is yes. This is where the why is essential. Why did you alter the digital evidence? Here, the answer is simple – because the evidence would have been lost if it was not collected at that time.

Another example: if you are responding to a commercial business, the digital evidence may be contained in a server environment. You cannot (in most cases) shut down the server to create a whole disk forensic image; you will have to create a logical forensic image of the files in question. Once again, the question of why may be asked, and you will have to explain.

If the matter you are investigating goes to trial, the opposing counsel will have access to the same digital evidence and the notes taken during the investigation. They will use your notes and report to recreate your examination of the digital evidence. They are attempting to see whether they can get a different result or reach a different conclusion based on your actions.

How detailed should your notes be? The format of your notes is typically personalized to each digital forensic investigator. The baseline consideration should be, if the matter goes to trial years later, can you remember the details of the investigation?

There is no note standard, but you should include the following information:

  • Details of the subject under investigation.
  • Details of individuals or entities harmed by the incident under investigation
  • Location of the digital evidence at the scene.
  • Specifics of the digital evidence, make, model, the serial number of the system, any identifying marks (also include damage – there have been claims made that the system was damaged after it was seized. If you document the condition of the system(s) at the time of seizure, this will remove the effectiveness of those complaints).
  • Condition of evidence bags/seals – if there is damage or broken seals.
  • Details about the forensic hardware that was used, such as firmware/serial number.
  • Details about the forensic software that was used, such as version number.
  • Any findings that support or do not support your hypothesis about what occurred.

As a minimum, that is the information you should include in your notetaking. Can you incorporate more? Absolutely!

What medium should you use to take notes? I prefer handwriting at the scene and then transferring the notes into the digital medium. My handwriting is not the easiest to decipher, which is why that is my method. Also, digital photos are a medium for notetaking. When documenting the system’s condition or the storage device, it is straightforward to take a digital image and then refer to the image when completing your report.

Each organization/examiner will have their own standards about what information needs to be recorded and the method to use to record information. No matter which method you use, it is crucial that you are organized and consistent throughout the entire investigation.

As you can see, notetaking is the foundation for writing the report, which is our next topic.

Writing the report

The purpose of your report is to document the results of your forensic examination. Your report may be used to support additional investigative endeavors. The report may also be used in criminal court proceedings, civil court proceedings, or administrative proceedings. Others can use your findings to support a probable cause hearing, grand jury proceeding, or as a basis for an administrative sanction in the corporate environment.

Your report will be the first step in providing testimony regarding the matter you are investigating. The opposition will scrutinize your report and if they call you to testify, expect to be questioned about the content of the report you created.

As you prepare to draft a report, identify who will be your audience. Suppose you are writing the report for the Chief of Information, the IT security section, or any technology-based group. In that case, your report should go into much greater technical detail than the report directed toward lawyers, judges, or juries. If you go into minute detail about every artifact you found, you will lose your non-technical audience. While the technical audience will want those types of specific details and may feel insulted if you explain the details in a non-technical manner, it is possible to draft a report that addresses the technical and non-technical audience.

The following is a general template you can follow:

  • Administrative information
  • Executive summary
  • Narrative
  • Exhibits/technical details
  • Glossary

The administrative section will contain information about your investigation, such as the following:

  • The name of the agency, the case number(s), and the participants in the investigation. This will include information about the investigators, the victim(s), and the suspect(s). If the investigation started with another agency, you would also include the administrative information from that organization. Include a brief history of the investigation.
  • When was the investigation started and what events transpired before you were assigned to the investigation? This could be who was interviewed or interrogated, or any search warrants prepared and served. You are providing a synopsis of the investigation before your involvement. Include the search authority you have in order to investigate/examine the evidence. Include what you are investigating, that is, the scope of the search, and who authorized the search. If the digital forensic examination is being conducted pursuant to a search warrant, include the search warrant and the affidavit used as an exhibit in the Exhibit/technical details section.

The executive summary is a section that summarizes the report. The narrative of the report will go into much greater detail than the executive summary. When the reader is finished reading the executive summary, they should have a high-level view of what occurred in the investigation. The executive summary should follow the following guidelines:

  • Should be only 10 percent of the report
  • Written in short, clear, concise paragraphs
  • Should follow the same timeline as the narrative
  • Should not include any information not included in the narrative
  • Should contain your findings/conclusions

This allows for the non-technical user to understand what actions you took during the investigation without going into technical detail. For example, if you found illicit images within the user’s picture folder on a Windows 10-based operating system, you could report that fact in the executive summary like so:

Your non-technical audience will understand exactly what you intended. Most consumers are familiar with the Windows operating system and how the Pictures folder of the user’s account is accessed and used. In the narrative section, you can include a more detailed explanation, such as the following:

Clarity is one goal you seek to achieve as you draft the narrative. You do not want the reader to have questions or be unclear about your report. This can be difficult as you are combining the technical and non-technical aspects of the investigation. You also do not want to overwhelm the reader with technical details and acronyms. If you are in the criminal justice environment and the prosecuting attorney will read your report, you will most likely educate them on the technical aspect. Define the technical terms and concepts within the detailed narrative. How detailed does the narrative need to be?

There is not an easy answer. You should detail the narrative enough to inform the reader about the investigation, so it should suffice for a judge, jury, or lawyer to understand if you are not available to answer questions. Can your investigation be recreated based on the details in your narrative? The opposing counsel will have the ability to review the evidence and your report.

If there is not enough detail for them to recreate your actions, it gives them the ability to question your results. Remember, it is possible that the judicial proceeding will take place months or years later. Your report will be the official memory of your organization for what occurred during that investigation.

You also want to ensure that the narrative is not biased. Your goal is to report the facts without overstating/understating their importance. During the investigation, one of the hardest things is identifying the physical person behind the keyboard. You will base your identification on the digital identification of the user account. You are correlating the user account with the physical person operating the keyboard, using additional sources of digital evidence.

The narrative should contain various subsections, all of which we will go over now.

Evidence analyzed

In this section, you will include all the evidence you have examined, including the make/model, serial numbers, and so on. If it is a desktop/laptop, you should include the hard drives as a separate but related item.

The following is an example of the evidence that could be examined:

Figure 12.1: Evidence Tag example (table image not reproduced)

In this example, the specific item has been identified and assigned the organizational identification number. I have assigned the Compaq laptop the organizational identification number “Tag1.” Any storage devices found in the computer will also carry the same tag number. There was a Toshiba hard drive storage device located inside the laptop, so it has the organizational identification number of “Tag1 HD001.” HD is an abbreviation for hard disk. If the laptop had two hard drives, the second drive would have the organizational identification number of “Tag1 HD002.” If, when the laptop was seized, a thumb drive was found in a USB port, the thumb drive would have the organizational identification number of “Tag1 TD001.” TD stands for thumb drive. You can also include the serial number of the item (if it has one) in the description field.

Acquisition details

This section will describe the acquisition process of creating the forensic image(s) as we discussed in Chapter 3, Acquisition of Evidence. First, identify the hardware or software used in the process and include the serial/version numbers. You should also include the date the hardware/software was verified. Your narrative should consist of a step-by-step account of how you (or a colleague) created the forensic image(s). Describe which steps performed as expected and also which did not function as expected. If the forensic image hash value was not verified, include that fact in your report along with the steps you took to troubleshoot the issue. Finally, you must determine whether there was an issue with creating the forensic image(s). Failing to identify these issues can call the totality of your investigation and your analysis of the forensic image(s) into question.

Analysis details

This section will comprise a large part of your narrative. Your analysis cannot be a printout of pages of files you deemed pertinent to the investigation. You have to analyze the artifact(s) and explain to the reader why each is relevant to the investigation. Include screenshots to support your explanation. Including a screenshot does not remove the requirement to explain what the screenshot is depicting. Tell the reader why the screenshot is important and explain its relevance to the investigation. Do not assume the reader can determine what information in a screenshot is important. There are several different ways to present your analysis. You can do this chronologically, by device, or by suspect. There is no right or wrong way to write this section. My preference is to write the report chronologically and by subject. For example, for a storage device that was the system drive for a desktop/laptop, I would establish ownership and usage of the device. Then, I would move on to the specific artifacts of the incident being investigated. Be careful not to get too far into the weeds and be overly technical in your descriptions. Put the technical descriptions with the specific exhibit you are describing in the Exhibits/technical details section.

For example, if the date/timestamp of an artifact is pertinent, in the narrative, you can state that the user accessed the application on X X day at X X time. Then, in the next section, you could go into more detail about the byte offset for the date/timestamps in the file record in the MFT.

Be careful when dealing with absolute statements or using unnecessary adjectives. I once read a report that described the user’s Google searches as disturbing. You do not want to categorize the behavior/actions you find while doing your digital forensic exam. Your duty is to provide the facts to the fact finder, the judge/jury, and allow them to make that determination.

At the end of the narrative is the time to present your conclusions/findings. This is where you offer your opinions on the subject’s culpability in your digital forensic investigation. Keep it short and straightforward – for example, based on my examination of the following evidence (list the items you examined in the course of your digital forensic examination), it is my opinion… – and then lay out the facts based on the artifacts you analyzed. You want to avoid any inflammatory/descriptive language and remain unbiased and professional.

Exhibits/technical details

As you create the narrative in the Analysis section, you will reference specific artifacts. You should place the screenshots of those artifacts in the Exhibits/technical details section. This will also include the output reports of the forensic tool(s) you used in the exam process. If you reference the artifact in the narrative, you must include it in the Exhibits/technical detail section; likewise, if you have an exhibit in that section, you must reference it in your narrative. I find it helpful to organize the exhibits and technical details in the same order I referenced them in the narrative. It helps the reader comprehend the report’s content if they view the exhibits after reading the narrative and they are in the same order.

In the following example, I have included the owner information of the operating system, along with the install date/timestamps, time zone, and last shutdown date/timestamp:

Figure 12.2: Evidence example (table image not reproduced)

An appropriate narrative of the information would be as follows:

The description is concise, factual, and unbiased, which is the goal of the report.

The final portion of this section will be a table of the software/hardware used. You want to include the version numbers of the software/firmware so that others can repeat your examination. You also want to make sure that your organization’s licenses for the software are authentic. This can be a simple list, as shown here:

  • FTK Imager 3.0.0.1443
  • X-Ways Forensics 19.7
  • Paladin 7.05
  • Recon 3.14.1.12

There have been issues where an organization has used unlicensed/pirated software in the exam process. This is not recommended and can result in negative sanctions against you and your agency. In addition, the use of unlicensed/pirated software can call the validity of your findings into question.

I cannot stress enough how important it is for you to proofread your report. You will not create a perfect report the first time around (or the second time). You will have grammar, spelling, and content errors in the report. Therefore, you should always have a second person proofread the report after you make the first draft. The second person will find mistakes you missed and help determine how the report flows from one section to the next. You already have an idea in your head of what you want to say; the second proofreader will help determine whether you have said it effectively. The second proofreader will also bring a different insight to the report’s presentation and help ensure that your conclusions are logical and without bias. Whenever I proofread a colleague’s report, I would look at it from the opposition’s point of view. My goal was to find inconsistencies or gaps that the opposition could exploit if the matter went to trial. Another option, once the report has been finalized, is your organization’s peer-review process, if it has one. A supervisor or colleague reviews your report and findings to ensure you followed the appropriate policies and procedures and that your conclusions are fact-based.

What format should your report be in when it is disseminated to the stakeholders? My preference was to deliver my reports as a digitally signed PDF. If the report is altered, the alteration will break the digital signature. Some digital forensic investigators will create an HTML-based report and burn it onto an optical disk, while others will use the reporting function of their forensic tool. You have many options for the report’s presentation; whichever you choose, you will want to make sure you can authenticate its contents if you have to testify in a judicial/administrative proceeding. A PDF allows you to authenticate with a digital signature, while saving the report and related data to an optical disk enables you to create a hash value to show that no one has changed the contents. Record that hash value in your notes or in the signed report itself, since a hash stored only on the disk it protects can be altered along with the contents.
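The hash check described above, as an added example that is not from the chapter: the script seals a report package (the PDF plus its exhibits) in a manifest of SHA-256 digests and later re-verifies it, naming exactly which files were modified, removed, or added. The package layout, file names, and contents are constructed for the demonstration; the manifest layout is the one `sha256sum` prints.

```python
import hashlib
import os
import tempfile
MANIFEST_NAME = "MANIFEST.sha256"  # constructed name; the manifest ships inside the package

def hash_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in chunks so large tool exports fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every file under root (relative POSIX path) to its digest, skipping the manifest itself."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name == MANIFEST_NAME:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest

def write_manifest(root, manifest):
    path = os.path.join(root, MANIFEST_NAME)
    with open(path, "w", encoding="utf-8") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")  # "<digest>  <path>", as sha256sum prints
    return path

def read_manifest(path):
    manifest = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            if line.strip():
                digest, rel = line.rstrip("\n").split("  ", 1)
                manifest[rel] = digest
    return manifest

def verify_package(root):
    """Compare recorded digests with what is on disk now. Returns (ok, problems), where
    problems names modified, missing and unlisted files so the finding is specific."""
    recorded = read_manifest(os.path.join(root, MANIFEST_NAME))
    current = build_manifest(root)
    problems = [f"missing: {r}" for r in recorded if r not in current]
    problems += [f"modified: {r}" for r in recorded if r in current and current[r] != recorded[r]]
    problems += [f"unlisted: {r}" for r in current if r not in recorded]
    return (not problems, sorted(problems))

def demo():
    """Constructed package: a placeholder report plus one exhibit, sealed, then edited."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "exhibits"))
    with open(os.path.join(root, "report.pdf"), "wb") as f:
        f.write(b"%PDF-1.7 constructed placeholder, not a real report\n")
    with open(os.path.join(root, "exhibits", "exhibit_01.png"), "wb") as f:
        f.write(b"constructed exhibit bytes")
    write_manifest(root, build_manifest(root))
    sealed = verify_package(root)  # (True, [])
    with open(os.path.join(root, "report.pdf"), "ab") as f:
        f.write(b"edited after release\n")
    return sealed, verify_package(root)  # second result: (False, ["modified: report.pdf"])
```

Keep the manifest's digests (or a digest of the manifest) in your signed report or notes as well, so the reference values do not travel only with the files they are meant to protect.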

Summary

This chapter has discussed notetaking and how important it is to take quality notes. You learned that notetaking is the fundamental building block in creating your report. You understood the makeup of a digital forensic examination report and what information it should include. We also discussed that technical and non-technical readers may read your report and that you have to draft your report with that in mind. With that, you are able to take effective notes and prepare a clear and concise report.

In the next chapter, we will discuss the culmination of your investigation and report writing, taking the stand as a witness.

Questions

  1. You should start taking notes __________?
    1. When you receive notification
    2. When you get to the scene
    3. When you start the exam
    4. When you start the report
  2. What information should you include in your notes?
    1. What you had for breakfast
    2. The shoe size of the suspect
    3. Location of the digital evidence at the scene
    4. Weather conditions
  3. There is a national standard for notetaking.
    1. True
    2. False
  4. When drafting the report, who should you keep in mind?
    1. Supervisor
    2. Chief of police
    3. District attorney
    4. The reader
  5. What information is not contained in the Administrative Information section?
    1. Your birthday
    2. Agency name
    3. Suspect information
    4. Witness information
  6. The Executive Summary should not exceed 25 percent of your report.
    1. True
    2. False
  7. What should your draft report be?
    1. Detailed
    2. Brief
    3. Clear
    4. Efficient

The answers can be found at the back of this book.

Further reading

For more information, you can refer to Forensic Examination of Digital Evidence, A Guide for Law Enforcement, from https://www.ncjrs.gov/pdffiles1/nij/199408.pdf.

Join our community on Discord

Join our community’s Discord space for discussions with the author and other readers:

https://packt.link/CyberSec
