My name is Tom and I am new to computer forensics. My question is: how do examiners write reports based on their findings? Is there a basic form they use, or do they just write one in, say, Word? Also, what would be included in this report? I would appreciate any advice I receive.
PS I am very glad I found this forum.
I wouldn't say that there is one universal report that is used. FTK has a nice report feature that will give you file attributes, structure, keyword lists, etc. This will, however, not describe your methodology, your experience, or your arguments against the reports from the other side that you are reading.
You should include pictures of the PC, hard drive, location, and CDs or floppies that are imaged, etc.
Hope that helps.
Darren R. Miller
I usually write my reports in this form:
Background of case
Conclusions - Bullets, brief, and to the point.
Welcome to Forensic Focus.
EnCase, one of the most popular imaging and analysis tools, has a built in reporting feature which allows an investigator to put together a report quickly with the results of an investigation. This is a nice feature which simplifies the process of describing the media under analysis and the results of the analysis itself (e.g. interesting files or images found). In most cases, though, the investigator will still need to add more information as Suomi and Darren have mentioned.
You're right, EnCase does have a reporting feature, but when presenting information to clients or whomever, a detailed report is much, much better. Usually the people who read these reports are not fluent in computer forensics, so in most cases a written-up report is great!
Useful link to a useful doc. Thanks.
My rule of thumb is that the language you choose to use needs to be the same as when explaining to someone who has zero computer skills. If you start off the document by assuming that people have at least a rudimentary knowledge of computers, then you could confuse people. It is better to oversimplify the document than to complicate things.
I parenthesize practically every term that could be misunderstood at least once per document. When people receive my documents, I quite often get a compliment on the concrete nature of the report.
I would strongly agree with this approach (with all the usual caveats about keeping the intended audience in mind, not leaving out the required level of detail, etc.). Often the examiner just cannot tell *exactly* who will end up with the report, or judge their technical expertise beforehand, so writing for the "lowest common denominator" (at least in terms of what level of detail is included, rather than omitted) is frequently a sound strategy. It might take a little more time to begin with, but it could save a lot of time or confusion later.