Hello guys, I'm writing only my second investigation report and have within it a section called "forensic analysis procedures". In this section I have recorded everything I did from the point I mounted the drive image (procedures before this point are recorded in previous sections). This section does not give an interpretation of the evidence I have found, and I have said that what I have found is of "apparent" evidentiary value; it simply states findings and gives no explanation of what they prove/disprove.
I am about to add another section, and I'm unsure of whether to name this "witness statement" or "interpretation of evidence". In this section I plan to include a refined list of my findings (those that are definitely of evidentiary value) with full explanations of what they show.
I was just wondering, as I know there must be analysts on this forum with far more experience, what you thought of this layout.
Should I have included two separate sections like this, or would it have been better to record my interpretations of the evidence as I found it in one whole section?
Is "witness statement" or "interpretation of evidence" a good idea? (I think the latter could be worded better.)
Thanks for any help
I'm not entirely sure what you mean. Surely you would have your separate section 9 witness statement, probably exhibiting a separate report and any other exhibits produced within that, which details all the techy info of what you found/didn't find?
I don't know, is there a set template you use? Is "section 9" always your witness statement? I haven't actually separated mine into "sections", just different titles, although I think I probably should.
Add0,
I believe Rich2005 is referring to a standard witness statement such as is used by Police forces (er, sorry, I have to call them Police services nowadays).
Here's what I do.
I would normally write a statement in which all the essential detail went, such as continuity details, serial numbers etc and a brief outline of what I did and what I produced.
My report would include separate headings and might include a case summary (background etc.), summary of findings (the most salient facts), conclusions (if there are any important ones to be made), forensic practices (tools used, methods etc.) and a glossary of terms.
I would break down my actual findings by evidence type, i.e. intrusion logs, emails etc., and as appropriate cross-reference different exhibits.
Exhibits produced by me would be sealed and referred to in both the statement and report.
It's worth spending some time putting together a report format you can use as a template. There's no right or wrong way, but a popular method is to number your headings 1, 2, 3 etc. and the subsections 1.1, 1.2, 2.1 and then 1.1.1, 1.2.1, 1.2.2 (if required) etc.
Steve
Indeed, and I was alluding, somewhat more briefly, to what Steve has just described in more detail.
If I have some information converted from binary, which was at different locations on the drive, and I have typed up this evidence in my "summary of findings" with an explanation of what it means following it, would it
A.) Be OK to use this method? Screenshots would be difficult as the data was located in different areas on the disk.
B.) Be OK to call this typed-up data an "exhibit"?
I've decided to add to my report a section named "summary of findings" as Steve mentioned, in which the exhibits will be located with explanations of them.
After this section I plan on adding my "witness statement", in which details of machines/drives, chain of custody etc. will be; however, there will be no details of the exhibits or their meaning, as this will have been included in the previous section.
I then plan on adding a "glossary of terms", which will be the final section of my report.
What do you guys think?
Thanks for any advice
Add0,
Your whole report can be the exhibit which, with your statement, would be submitted to all sides in a civil or criminal case (if it goes that far).
As for the summary of findings this would normally be half a page or a page detailing the main points. For example '2 emails were found in the outbox for the user suspect_name in which threats were made'.
There would then be a separate section for the detailed evidence under a separate heading. 'Examination of BMW/1' for example, in which you could include screenshots, text boxes containing sections of extracted data etc and the physical sector location for any critical data. This would be the place for explanations rather than the summary.
Steve
OK, sounds good, so the report would be submitted with the witness statement but they would be separate documents?
But the summary of findings and detailed evidence section would not be separate; they would be in the report?
Then I take it that, in the witness statement, as long as you state that explanations of the evidence are in exhibit A (the report), it's fine. It seems a little strange to only have one exhibit, however, but I'm new to this.
cheers
Add0,
That's pretty much how I do it… report (which is an exhibit) and a statement. Although I will usually produce other exhibits such as CDs or DVDs containing files extracted from the original exhibit. Or there might be printed exhibits too, but the explanation and the narration of what I did, what I found/didn't find, will be in the report.
Steve
Cheers man, that was a help. I'm only going to have one exhibit: my report. Do you think just having one exhibit will seem a little stupid?