
Forensics Report

(@hassman)
New Member
Joined: 21 years ago
Posts: 3
Topic starter  

Hello all,

My name is Tom and I am new to computer forensics. My question is how do examiners write reports based on their findings? Is there a basic form they use or do they just write one, say, in Word? Also, what all would be included in this report? I would appreciate any advice I receive.

PS I am very glad I found this forum.

Thanks,

Tom


   
(@armresl)
Noble Member
Joined: 21 years ago
Posts: 1011
 

Hi,

I wouldn't say that there is one universal report that is used. FTK has a nice report feature that will give you file attributes, structure, keyword lists, etc. This will, however, not describe your methodology, experience, and arguments against the reports from the other side you are reading.

You should include pictures of the PC, hard drive, location, and CDs or floppies that are imaged, etc.

Hope that helps.

Darren R. Miller


   
Suomi
(@suomi)
Active Member
Joined: 21 years ago
Posts: 8
 

I usually write my reports in this form:

Intro
Background of case
Methods
Topics Covered
Results
Conclusions - Bullets, brief, and to the point.
Disclaimer


   
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

Hi Tom,

Welcome to Forensic Focus.

EnCase, one of the most popular imaging and analysis tools, has a built-in reporting feature which allows an investigator to put together a report quickly with the results of an investigation. This is a nice feature which simplifies the process of describing the media under analysis and the results of the analysis itself (e.g. interesting files or images found). In most cases, though, the investigator will still need to add more information as Suomi and Darren have mentioned.

Kind regards,

Jamie


   
Suomi
(@suomi)
Active Member
Joined: 21 years ago
Posts: 8
 

You're right, EnCase does have a reporting feature, but when presenting information to clients or whomever, a detailed report is much, much better. Usually the people who read these reports are not fluent in computer forensics, so in most cases a written-up report is great!


   
(@mohclips)
New Member
Joined: 21 years ago
Posts: 4
 

Check out Becoming a Forensic Investigator by Mark Maher

http://www.sans.org/rr/whitepapers/forensics/

It's a good start.

😉


   
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

Useful link to a useful doc. Thanks.

Jamie


   
mukinusa
(@mukinusa)
Active Member
Joined: 21 years ago
Posts: 5
 

My rule of thumb is that the language you choose to use needs to be the same as explaining to someone who has zero computer skills. If you start off the document by assuming that people have at least a rudimentary knowledge of computers then you could confuse people. It is better to oversimplify the document than to complicate things.

I parenthesize practically every term that could be misunderstood at least once per document; when people receive my documents I quite often get a compliment on the concrete nature of the report.


   
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

I would strongly agree with this approach (with all the usual caveats about keeping the intended audience in mind, not leaving out the required level of detail, etc.). Often the examiner just cannot tell *exactly* who will end up with the report or be able to judge their technical expertise beforehand, so writing for the "lowest common denominator" (at least in terms of what level of detail is included, rather than omitted) is frequently a sound strategy. Might take a little more time to begin with but could save a lot of time or confusion later.

Jamie


   