by Khushbu Jithra, NII Consulting
The expertise involved in a forensic investigation is best showcased through the documentation of the evidence and the recording of the techniques used for forensic investigation. Giving a written form to the investigation effort also enables clear explanation of findings and helps organize documents for litigation (if pursued). Important traits of a good digital forensics report are:
- Facts backed with substantial evidence
- Clarity, Conciseness, Correctness
- Logical Structure
- Accessibility to a non-technical audience
- Facts only, without opinions or assumptions
- Adequate explanation of evidence and its relevance
Reporting the Investigation is a multipart article which aims to cover the technique of creating the various reports produced as an investigation draws to an end. Part I focuses on general guidelines for
- Drafting a digital forensics report and
- Listing of various documents involved in different types of investigation
1. Drafting a digital forensics report
A digital forensics investigation is a complex procedure and demands more than just articulate reporting. Each record entry made during the investigation must be preserved carefully. Analyzing the case at hand while keeping track of the individual activities performed (identifying repositories, evidence collection, cross-validation, establishing Chain of Custody, and evidence preservation) is challenging. To meet this challenge, a systematic procedure can be followed as given here:
- Doing the groundwork: Collecting, collating and organizing raw data. Raw data refers to
- Notes taken during the investigation
- Reports generated by forensics tools such as ASR Data’s SMART, Guidance Software’s EnCase, Paraben’s P2 suite and AccessData’s Forensic Toolkit (FTK)
- Files generated during the investigation – screenshots, hash libraries, and scan reports from anti-virus or malicious software detection tools
There are various ways of collating the raw data. Collation can follow whatever order best suits the investigator’s analysis (this helps the reader follow the investigation procedure) or the client’s expectations, so that it aligns with the final presentation in the report. In either case, the raw data can be collated by
- Date and Time
- Suspect (in case of more than one suspect)
- Relevance to distinct conclusions
- Digital technique used
- Creating the skeleton: Structure of the Report
There is no single ideal structure for a forensic report, beyond the logical ordering of its integral parts (Table of Contents, Executive Summary, Findings, Conclusions, Appendix [Supporting Material]). The structure depends largely on how clearly it reflects the analysis, findings, and conclusions made during the investigation. For example, if the examination of encrypted or password-protected files, or the text searches on the suspect’s disk(s), yields a finding more relevant to the case than the digital signature analysis, the file- and text-search-related sub-sections should be presented first.
- Adding the details: Writing the main report
This step is comparatively easy to execute. Writing the core of the report means covering every detail under the relevant sub-topics and providing accurate cross-referencing for better comprehension. Tables, charts and lists are strongly preferred over findings buried in paragraphs. Important components of the investigation report include:
- Executive Summary: An important component of the digital forensics report, the executive summary is a brief introduction of the incident/fraud. All information in the executive summary should be non-technical. The executive summary must mention the motive behind the investigation, the duration and techniques used along with the key findings. All findings must be presented in descending order of importance. In addition, the names of investigators and the precise investigation task (for example, imaging the disk) must be mentioned.
- Case background: This section includes objective of the investigation, known facts, and information gathered from the victim’s workspace (cubicle/department). This section may also have specification of continued or first-time investigation. In case of continuing investigations, a relevant, two-three line summary of the previous report may be mentioned.
- Initial Examination: This section may include a summary of the acquisition process. Details of the source and destination media along with the acquisition parameters are mentioned here, including the hash values computed at acquisition so that any working copy of the image can later be verified against them.
- Registry Information: Registry entries that prove the existence or prior installation of malicious or unauthorized software are listed here, with a reference to the way in which that software was used to perform the task leading to the incident in question.
- Initial Disk Image: At times, the nature of the case may demand imaging the disk(s) at regular intervals in a specific duration. In such a case this section provides details of the first disk image.
- Results of Virus Scan
- Hash Libraries
- Listing and details of encrypted or password-protected files
- Results of Digital Signature Analysis
- Findings from Alternate Data Streams (ADS)
- Results from text searches
- Results of scripts executed, if any
- Log of files – Creation, Modification, Deletion, Recovery
- Responses to specific questions from the clients
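As an added illustration, not part of the original article and not the output of any tool named above, the following Python script shows the record-keeping behind three of the items listed: hashing an acquired image so that a working copy can be verified against the acquisition record (Initial Examination), matching collected files against a known-good and known-bad hash library (Hash Libraries), and ordering raw findings chronologically for the report narrative (collation by date and time from the groundwork step). Every case identifier, media description, file path, timestamp and file content below is constructed for the example, and the hash library is built from those constructed bytes rather than loaded from a real NSRL-style set.

```python
"""Evidence-integrity and hash-library checks for a forensic report (added example)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


@dataclass(frozen=True)
class AcquisitionRecord:
    """Parameters noted at imaging time (hypothetical field set)."""
    case_id: str
    source_media: str
    destination_media: str
    acquired_at: datetime
    md5: str
    sha256: str


# Constructed stand-in for a raw disk image; a real image is read from disk in chunks.
SAMPLE_IMAGE = b"constructed disk image bytes for illustration only" * 64


def make_acquisition_record(image: bytes) -> AcquisitionRecord:
    """Hash the image once at acquisition and keep both digests in the record."""
    return AcquisitionRecord(
        case_id="CASE-EXAMPLE-001",                        # constructed
        source_media="suspect laptop HDD (hypothetical)",  # constructed
        destination_media="evidence drive E-01 (hypothetical)",
        acquired_at=datetime(2009, 3, 10, 14, 32),
        md5=md5_hex(image),
        sha256=sha256_hex(image),
    )


def verify_image(image: bytes, record: AcquisitionRecord) -> bool:
    """Re-hash the working copy and compare with the acquisition record.
    Both digests must match; any mismatch means the copy cannot be relied on."""
    return md5_hex(image) == record.md5 and sha256_hex(image) == record.sha256


# Constructed hash library: a known-good set and a known-bad set, built from sample bytes.
KNOWN_GOOD = {sha256_hex(b"constructed notepad.exe bytes")}
KNOWN_BAD = {sha256_hex(b"constructed keylogger bytes")}


def classify_files(files: dict) -> list:
    """Return (path, sha256, verdict) rows for collected files, matched against
    the hash library. Files matching neither set still need manual review."""
    rows = []
    for path, data in sorted(files.items()):
        digest = sha256_hex(data)
        if digest in KNOWN_BAD:
            verdict = "KNOWN-BAD"
        elif digest in KNOWN_GOOD:
            verdict = "known-good"
        else:
            verdict = "unknown (review)"
        rows.append((path, digest, verdict))
    return rows


# Constructed raw findings in order of discovery: (timestamp, suspect, note).
SAMPLE_FINDINGS = [
    (datetime(2009, 3, 2, 9, 15), "suspect A", "keylogger service installed"),
    (datetime(2009, 3, 1, 18, 40), "suspect A", "installer downloaded"),
    (datetime(2009, 3, 5, 7, 5), "suspect B", "archive copied to USB"),
]


def collate_by_time(findings: list) -> list:
    """Order findings chronologically so the report follows the sequence of
    events rather than the order in which the investigator found them."""
    return sorted(findings, key=lambda f: f[0])


if __name__ == "__main__":
    record = make_acquisition_record(SAMPLE_IMAGE)
    print("working copy verified:", verify_image(SAMPLE_IMAGE, record))
    print("tampered copy verified:", verify_image(SAMPLE_IMAGE[:-1] + b"X", record))
    collected = {  # constructed file set
        r"C:\Windows\notepad.exe": b"constructed notepad.exe bytes",
        r"C:\Users\suspect\AppData\svc.exe": b"constructed keylogger bytes",
        r"C:\Users\suspect\notes.txt": b"constructed unknown file",
    }
    for path, digest, verdict in classify_files(collected):
        print(f"{verdict:18} {digest[:16]}...  {path}")
    for when, who, note in collate_by_time(SAMPLE_FINDINGS):
        print(when.isoformat(sep=" "), who, note)
```

Recording two digests in the acquisition record lets the report be reconciled with tool output that reports only one of them, and the verdict column maps directly onto a table in the Hash Libraries section; unmatched files are carried forward as items for manual examination rather than silently dropped.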
Other items of the report include
- Adding the supporting material: Report Specifications
A forensics report is incomplete without the supporting evidence, which comprises screenshots of traced emails and their attachments. Interrogation notes are also included in this section.
- Reviewing the report: Verification of facts, figures and findings
A thorough check of all the information presented in the investigation report is performed. Articulation, an important part of the investigation process, applies to forensics reporting as well. Purging the report of excess technical jargon and presenting the facts simply completes this step.
2. Listing of various documents involved in different types of investigations