Professionals in fields such as intelligence, law enforcement, criminal defense work, incident response, and electronic discovery often conduct forensic examinations. Digital forensic investigations are concerned with discovering, examining, and analyzing electronic data. After an investigation is concluded, the digital forensic examiners/analysts have to record and present their findings in understandable language that can easily be read and interpreted by the clients. It must be noted that the report simply presents the findings; if it draws any conclusions or further opinions, it becomes expert testimony. When writing a forensic report, the expertise and trustworthiness of the expert (writer) are often on trial. In order to ensure consistency, credibility, and excellence, the report(s) must follow specific rules that guide the format and content. The purpose of this research paper is to provide direction in the standard writing of digital forensic reports.
A forensic report is an official document that may be used as evidence in courts of law and as a basis for other important opinions. As such, the report has to begin by identifying all experts who made major contributions to the examinations and analysis captured in the report. The report then proceeds to the actual subject matter, where the expert details his/her findings. The main body details how the expert conducted the examinations and analysis. In computer forensics, several tools are often employed in these processes; therefore, the report must also describe the machines used and tested, as well as the conditions, requirements, and limitations of the tests performed.
Expert reports often include several assertions in the development of the analysis. As such, any such affirmations must be backed by supporting, extrinsic, and reputable authorities. This crucial factor is often omitted by many experts, since many claims appear understandably obvious to them. However, the truth is that it is prudent to include references in reports in order to be credible, since such documents are used to inform judgements and far-reaching decisions. This brings in another side of expert reports: they often contain several scientific and technical terms. Such terms must be defined authoritatively as well. For example, when explaining the operation of the domain name service in a case involving a DNS poisoning attack, the expert should quote or reference a reputable source. This is especially important where the report informs judicial proceedings, since rigorous attorneys may convince juries or judges to disregard unreferenced reports as unsubstantiated or unfounded allegations. Defining terms and jargon is important since, for example, litigation cases that concern patent infringement require a Markman hearing, where the court determines the meaning of words. In such cases, expert testimony is encouraged to construe claims (Jakes, 2002). A report that only asserts private views will not be sufficient to convince a court of a client's position.
The next aspect of digital forensic reports is completeness. The expert should be thorough enough to include all pertinent issues in the report, and in detail. In cases where the expert or client is called upon by a court or investigative panel to defend and explain the report, they are often precluded from interpreting the findings beyond the details included. Although this varies between jurisdictions, it is essential that the report nonetheless be exhaustive in covering every angle that the investigation and analysis covered. To ensure this, the expert should always take good notes during the digital forensic examination stage, or even use a digital voice recorder (SANS Institute, 2010). This documentation makes it much easier to prepare and finalize reports, since those who forgo it are often forced to go back to the beginning of the forensic exam in order to write a report. This process is not limited to notes alone; it may also include screenshots, forensic bookmarks or logging using tools like EnCase and FTK, and data exported into .csv files.
The main sections of a digital forensic report are generally acquisition, documentation, analysis, and conclusion. Forensic acquisition describes the mechanisms that were used to obtain evidentiary material. The report should detail how the potential evidence was first examined in order to determine its nature, which informs the next step. This step is a rundown of the standard operating procedures, such as chain of custody, that were used in preserving and processing forensic evidence. The legal requirements satisfied should be highlighted. Then, extraction procedures and other interactions with the evidence should be indicated, as well as any steps taken to preserve it. The examiner should show that the integrity of the evidence was maintained, for example by using write protection during acquisition.
Forensic documentation is a process that takes place over the course of the forensic investigation. The report should indicate how evidence was logged and which tools were used. Custodian information and correspondence with external experts should be indicated. Forensic analysis is the central body of the report. It is a detailed explanation of the techniques and tools that were employed to examine the evidence collected. The methods used should be broken down into step-by-step procedures and the tests that the evidence was subjected to. The forensic hardware and software tools should be clearly identified, including version numbers, since other experts may be called in to validate them. Findings from the analysis should also be detailed in this section. The conclusion section is the final part of the report and contains additional information on matters that arose during the forensic process, such as limitations and other external issues.
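One way to capture the acquisition and documentation material described above (acquisition hash, write-blocker use, tool identification with version, and chain-of-custody entries) in a form that can be rendered straight into the report. This is an added Python example, not part of the original paper or of any named forensic tool; the evidence image, tool name and version, custodian names, and custody actions are constructed placeholder values.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample "evidence image": stands in for an acquired disk image.
SAMPLE_IMAGE = b"constructed sample disk image bytes for demonstration only\n" * 64

# Hypothetical tool identification; name and version are placeholders.
TOOL = {"name": "example-imager", "version": "0.0.0-placeholder"}


def sha256_hex(data: bytes) -> str:
    """Hash the evidence so the report can show the image was not altered."""
    return hashlib.sha256(data).hexdigest()

def acquisition_record(image: bytes, custodian: str, source: str) -> dict:
    """Build the acquisition entry: what, who, when, with which tool, and the hash at acquisition."""
    return {
        "source": source,
        "acquired_by": custodian,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "tool": dict(TOOL),
        "write_blocker_used": True,  # constructed value; in practice taken from the bench log
        "sha256_at_acquisition": sha256_hex(image),
        "size_bytes": len(image),
    }

def custody_entry(record: dict, actor: str, action: str) -> dict:
    """Append a chain-of-custody event (who did what, when) to the record and return it."""
    event = {"actor": actor, "action": action,
             "at": datetime.now(timezone.utc).isoformat()}
    record.setdefault("chain_of_custody", []).append(event)
    return event

def verify_integrity(record: dict, image_now: bytes) -> bool:
    """Re-hash the image at analysis time and compare with the hash taken at acquisition."""
    return sha256_hex(image_now) == record["sha256_at_acquisition"]

def render_documentation_section(record: dict) -> str:
    """Render the documentation section of the report as plain text."""
    lines = [f"Source: {record['source']}",
             f"Acquired by: {record['acquired_by']} at {record['acquired_at']}",
             f"Tool: {record['tool']['name']} {record['tool']['version']}",
             f"Write blocker used: {record['write_blocker_used']}",
             f"SHA-256 at acquisition: {record['sha256_at_acquisition']}",
             "Chain of custody:"]
    lines += [f"  - {e['at']} {e['actor']}: {e['action']}"
              for e in record.get("chain_of_custody", [])]
    return "\n".join(lines)
```

Calling `acquisition_record` once at acquisition, `custody_entry` at every hand-off, and `verify_integrity` before analysis gives the report a documented integrity check rather than a bare assertion that the evidence was preserved.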
Digital forensic reporting is crucial in simplifying otherwise difficult information in computer-related investigations. Forensic experts should be very careful to document every step of the investigative process in order to streamline the creation of reports. In addition to being objective, the report should include a clear timeline of events and include signature sections for the client and analyst, since it is an official document.
- Jakes, M. (2002). Using an expert at a Markman hearing: Practical and tactical considerations. Finnegan | Leading Intellectual Property (IP) Law Firm. Retrieved from https://www.finnegan.com/en/insights/using-an-expert-at-a-markman-hearing-practical-and-tactical.html
- SANS Institute. (2010). SANS digital forensics and incident response | Intro to report writing for digital forensics. Digital-forensics.sans.org. Retrieved from https://digital-forensics.sans.org/blog/2010/08/25/intro-report-writing-digital-forensics/