Hi All,
I'm practicing analyzing an image file using Encase trying to find artifacts which I did. However, what is the most appropriate method for presenting artifacts from the Encase case into a forensic report?
Cheers
GG
I'm practicing analyzing an image file using Encase trying to find artifacts which I did. However, what is the most appropriate method for presenting artifacts from the Encase case into a forensic report?
Usually, it's the one that makes the readers of that report able to see the relevant information without any loss of information, and without any ambiguity. And that's in the eyes of the readers.
I have not kept up with recent releases of EnCase, but I'd expect that it still provides its own reporting module. That may be the best thing for the analyst, but it won't help you with disposition, and unintelligent or uninformed use of it will make for singularly unreadable reports.
I'm practicing analyzing an image file using Encase trying to find artifacts which I did. However, what is the most appropriate method for presenting artifacts from the Encase case into a forensic report?
What are your analysis goals? What are you attempting to prove or disprove? Who is your audience?
As a starting point, you could bookmark all your items that you want to be in the report and use the built in report module. From there, I would export to Word and build my report and format it accordingly.
I'm practicing analyzing an image file using Encase trying to find artifacts which I did. However, what is the most appropriate method for presenting artifacts from the Encase case into a forensic report?
What are your analysis goals? What are you attempting to prove or disprove? Who is your audience?
This is a valid point. Is your audience/stakeholders technical or non-technical? What have they asked you to find? What I have done in the past is, I create a narrative report documenting my process, analysis, and findings. My findings are based on what they have asked for and anything supporting what they have asked for or proving that what they have asked for is not there. I then hyperlink to my report the relevant artifacts that I found in EnCase.