Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Windows Forensics Cookbook

You're reading from   Windows Forensics Cookbook Over 60 practical recipes to acquire memory data and analyze systems with the latest Windows forensic tools

Arrow left icon
Product type Paperback
Published in Aug 2017
Publisher
ISBN-13 9781784390495
Length 274 pages
Edition 1st Edition
Concepts
Arrow right icon
Authors (2):
Arrow left icon
Oleg Skulkin Oleg Skulkin
Author Profile Icon Oleg Skulkin
Oleg Skulkin
Scar de Courcier Scar de Courcier
Author Profile Icon Scar de Courcier
Scar de Courcier
Arrow right icon
View More author details
Toc

Table of Contents (13) Chapters Close

Preface 1. Digital Forensics and Evidence Acquisition FREE CHAPTER 2. Windows Memory Acquisition and Analysis 3. Windows Drive Acquisition 4. Windows File System Analysis 5. Windows Shadow Copies Analysis 6. Windows Registry Analysis 7. Main Windows Operating System Artifacts 8. Web Browser Forensics 9. Email and Instant Messaging Forensics 10. Windows 10 Forensics 11. Data Visualization 12. Troubleshooting in Windows Forensic Analysis

Writing reports

As with the chain of custody/audit trail mentioned in the preceding section, the style of report writing will no doubt vary based on legislative demands, company or agency guidelines, and individual investigator style. Once again, it makes sense to have a good grounding in the basics of digital forensic report writing, so that you have a flexible skill set within which to work.

Reports may also differ significantly depending on who is going to end up reading them. If you are investigating a civil dispute, your final report will probably not be written in highly technical language and may just include an overview in layperson terms of the methodology used and what was uncovered. If you are going to be called into court as an expert witness however, then a higher level of technical detail and a more in-depth demonstration of your investigative processes will no doubt be needed.

Broadly speaking, most digital evidence reports should include the following:

  • Name, job title, and company of the senior investigating officer.
  • Name, job title, and company of the digital forensics examiner (if different from the preceding one).
  • A brief description of the case, including the nature of the activities under investigation.
  • Name of the person or persons whose devices or data are under investigation.
  • Start and end date of the investigation.
  • Methodology used throughout the investigation, including but not limited to how evidence was identified, collected, preserved, and analyzed. This may also include details of any tools and processes used, as well as a copy of the chain of custody.
  • An overview of the results of the investigation in line with the original activities specified at the beginning of the report, as well as any other relevant information that was uncovered in the course of the investigation.
  • Screenshots, printouts, or other evidential items that demonstrate the results of the case.
  • An analysis of the results, including any conclusions regarding guilt or innocence of the accused party.
  • Any appendices, glossaries, or other information that may prove useful to the reader of the report.

Many forensic tools will generate their own reports in either digital or printable formats, in a number of different styles such as PDFs, Excel documents, or Word files. Some software packages, such as Nuix's Investigator Suite, include add-ons like Web Review and Analytics, which allow for multiple users to view or work on the same case. This can be very useful during an investigation, as it allows an administrator or senior investigator to allocate certain roles within a case, but it can also come in handy when compiling reports. Some users can be given access only to the final report, which they can enter into and look at the results that have been found and compiled into user-friendly graphs; if they have the correct permissions, they can then also take a further look at the evidence from this. The following diagram shows the dashboard of the Nuix Web Review and Analytics interface, which allows users to view and manage evidence in a forensic investigation.

You have been reading a chapter from
Windows Forensics Cookbook
Published in: Aug 2017
Publisher:
ISBN-13: 9781784390495
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime