Learn Computer Forensics – 2nd edition
Your one-stop guide to searching, analyzing, acquiring, and securing digital evidence

Product type: Paperback
Published in: Jul 2022
Publisher: Packt
ISBN-13: 9781803238302
Length: 434 pages
Edition: 2nd Edition
Author: William Oettinger
Reporting your findings

We are at the final step of the process: your report. You did all the work of preparing, purchasing the equipment, going to training, and creating your response kit, and when the call came, you responded to the scene. You successfully got the case information and navigated any potential legal issues when you arrived. You collected the volatile data, identified containers of digital evidence, and duly seized the digital evidence while maintaining the chain of custody when transporting it back to your lab. You then conducted your analysis and found artifacts that show that the suspect did or did not do what they were accused of.

Now what? You must be able to explain your findings to a non-technical person. You must take a very technical topic and talk about it in a manner that a non-technical person will understand. This is one of the most challenging aspects of being a digital forensic investigator to master.

You may have to create different report versions depending on the audience. Your intended audience will read and interpret your report, and a third party might question you on it in a judicial or administrative hearing.

Details to include in your report

You need to include enough detail that you can later recall exactly what occurred. Taking notes as you work through the process will be your friend. There have been many times where I have failed to take that advice and had to go back and redo the process because I did not write something down. Your notes can take many forms, such as handwritten notes, typed notes, screenshots, or notes made with the built-in blogging function of your favorite forensic tool. There is no right or wrong rule on how to take notes, only that you take notes during the process.

So, what do you want to document? The following gives you an idea:

  • Communication between the primary investigator and prosecutor/C-Suite executives
  • The condition of the evidence containers
  • The specifics of the storage device (the make, model, serial number, and condition)
  • Personal identifiers of the suspect, victim, and witness (if a criminal matter)
  • Personal identifiers of the witness(es), response team, responsible executive (if a civil matter)
  • The forensic hardware used
  • The forensic software used
  • What you examined (even if the examination turned up nothing of evidentiary value)
  • Your findings
  • Glossary (to define technical terms)

Take all the pieces and put them together so that a non-technical reader will understand the investigations, the steps you have taken, and why you made the conclusions you did. As with everything else in digital forensics, there is not a set standard for the format of your report. Instead, you will have input from your employer, the recipients of the report, and your personal preferences.

I would recommend you include the following in your report. You should break your report into three primary sections:

  • Your narrative
  • Pertinent exhibits
  • Supporting documentation

The narrative is what it sounds like. This is where you explain what occurred, what you did, and what it means. You should include an executive summary to hit the key points and conclusions and then move on to a detailed narrative. In your narrative, you should provide screenshots of the artifact you are talking about. Do not add a screenshot without an accompanying narrative. Do not assume the reader will understand what is pertinent about the screenshot. You will have to explain it to the reader. Make sure you focus your screenshot on the artifact you are discussing.

Suppose your report contains screenshots of contraband, such as illicit images. In that case, you will need to maintain control of that report to not cause an accidental release of the contraband images. You will also need to create a second report with the contraband images redacted for readers who cannot legally possess the contraband images.

After the executive summary, you should include basic administrative information. Next, identify the subjects involved, including the victim, suspect, witness, and other investigators.

Document facts and circumstances

You have two options regarding listing the evidence that you analyzed. In some larger cases, the listing of digital evidence can take two or more pages. Having a long, drawn-out list does not help the reader understand your report. More likely, the reader will skip the evidence listing and move on. If the investigation does not have a large number of digital devices being examined, then you can list them here, including the devices where you found nothing of evidentiary value. If you have many digital devices, I recommend you only list the devices with artifacts of evidentiary value while listing the entire evidence list at the end of the report.

You should also list details about the creation of the forensic images. I typically include a summary of the acquisition details in the narrative portion. I then create a detailed step-by-step process of the forensic image’s creation as an exhibit. Once again, having a step-by-step process in the report’s narrative does not help the reader understand the process. Giving the reader the high-level details of the forensic image process and then providing the details at a different location improves the readability of the report.

The analysis of the digital evidence will make up the bulk of your report. This is where you walk the reader, step by step, through the incriminating artifacts you found and why each artifact is important. I have often seen reports where a specific image is highlighted as important, but the report never explains why the image is important. Is it the location where the image was found, or is it the image itself? Explain why that specific artifact is important and how you determined it was important.

Note

Remember, you are taking a technical subject and explaining it to a non-technical reader. Do not create a list of important files and assume the reader will know what is important.

I find that it’s best to present the artifacts in chronological order. For example, if you are examining the illegal downloading of copyright-protected material, you would start by potentially identifying the owner of the computer and any artifacts that can identify a specific user. You can then show any browser searches the user performed when looking for the copyright-protected material and then the steps taken to download that material. Suppose the user had any ongoing communications with other users about the copyright-protected material. In that case, you could then use these communications to support your hypothesis about the user’s activity of downloading the copyright-protected material.

You can also present the artifacts by subject. For example, if you are investigating the possession and distribution of illicit images, you can present the artifacts showing that the user viewed the images. This will show that the user knew about the images on their system and whether the user actively shared them with other users. Just the image alone is not enough; you must also find the OS artifacts to support your hypothesis about the image. When creating the analysis section, you will need to avoid making any absolute statements. I have seen forensic reports dealing with illicit images where the investigator made the unequivocal statement that the user knew about the illegal image. They found the image in question in the thumb cache database. The location of an image in a thumb cache database is not absolute proof that the user knew about the image. The system can include images in the thumb cache database without the user’s knowledge. So, you want to be very careful with your language. Do not include opinions—only provide factual information.

I have seen reports describing artifacts as “a disturbing image of a child.” The term “disturbing image” is not factually based—it is an opinion. It would be best to describe the artifact as it is without projecting your feelings about it. A better description could be “an image depicting a young-looking male, nude, standing in a wooded area.” Be careful how you describe the artifacts attributed to a specific user or person. The most challenging item to prove is who is behind the keyboard. You can never say with 100 percent certainty that suspect A did the criminal activity unless you have a video showing suspect A was at the keyboard at that specific time. This is not the place for you to offer your opinion; do not assume ownership of an item or the identification of a user.

The report conclusion

The final portion of your narrative is your conclusion. This is the section where you can offer your opinion based on the artifacts you described in the analysis section of the report. You must still be careful about presenting your opinions. Try to look at the artifacts with no preconceived notions and determine whether the facts still support your hypothesis. If you cannot reach a conclusion, state that as your opinion. Remember, it is not always about proving the subject's guilt or liability. You must also present the evidence if the subject did not do what they are being accused of.

You will probably create an electronic report for distribution; a standard format is PDF. No matter what format you use, make sure you digitally sign the report. The digital signature will show that no one has altered the report since you signed it.
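To make the integrity claim concrete, here is an added example (not code from the book or its author) of what a detached digital signature over a report file buys you: a verifier with the examiner's public key can confirm the bytes are exactly what was signed, and a single changed character in a finding makes verification fail. It uses Go's standard-library Ed25519 and SHA-256; the case number and report text are constructed sample data, and the SHA-256 digest is the kind of value you would also record in your chain-of-custody notes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedReport is the report as distributed: the file bytes, the SHA-256
// digest recorded in the examiner's notes, and the detached signature.
type SignedReport struct {
	Report    []byte
	Digest    string
	Signature []byte
}

// SignReport hashes the report for the record and signs the report bytes.
func SignReport(report []byte, priv ed25519.PrivateKey) SignedReport {
	sum := sha256.Sum256(report)
	return SignedReport{Report: report, Digest: hex.EncodeToString(sum[:]), Signature: ed25519.Sign(priv, report)}
}

// VerifyReport checks that the bytes match the recorded digest and that the
// signature was produced by the holder of the private key behind pub.
func VerifyReport(sr SignedReport, pub ed25519.PublicKey) bool {
	sum := sha256.Sum256(sr.Report)
	if hex.EncodeToString(sum[:]) != sr.Digest {
		return false // file no longer matches what the examiner recorded
	}
	return ed25519.Verify(pub, sr.Report, sr.Signature)
}

// Demo signs a constructed report, then flips one finding and re-verifies.
// It returns (original verifies, tampered copy verifies).
func Demo() (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	report := []byte("Case 2022-0001 (constructed sample)\nFinding: image not present in thumbcache\n")
	sr := SignReport(report, priv)
	tampered := sr // same digest and signature, altered content
	tampered.Report = bytes.Replace(report, []byte("not present"), []byte("present"), 1)
	return VerifyReport(sr, pub), VerifyReport(tampered, pub)
}

func main() {
	ok, bad := Demo()
	fmt.Printf("original verifies: %v, tampered verifies: %v\n", ok, bad)
}
```

In practice the private key stays with the examiner and only the public key (or a certificate chaining to it) is shared with the report's recipients.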

Note

Remember, the report is a representation of you and the investigation. If you create a poor report, that will reflect poorly on you, the investigation, and your organization.

Proofreading is essential. Do not proofread the report yourself; use the peer review process. You will miss typographical errors, poor sentence structure, and unclear findings. What is clear in your mind may not be accurately transcribed in written form. Suppose the investigation proceeds to administrative or judicial proceedings. In that case, I can guarantee the opposition will dissect your report line by line, looking for inconsistencies and places where you were not objective.

Remember, if the reader does not understand what you are saying about the artifacts you found, your entire investigation effort has been wasted.
