Forensics Report

9 Posts
6 Users
0 Likes
794 Views
(@hassman)
Posts: 3
New Member
Topic starter
 

Hello all,

My name is Tom and I am new to computer forensics. My question is how do examiners write reports based on their findings? Is there a basic form they use or do they just write one, say, in Word? Also what all would be included in this report? I would appreciate any advice I receive.

PS I am very glad I found this forum.

Thanks,

Tom

 
Posted : 10/11/2004 12:59 am
(@armresl)
Posts: 1011
Noble Member
 

Hi,

I wouldn't say that there is one universal report that is used. FTK has a nice report feature that will give you file attributes, structure, keyword lists, etc. This will, however, not describe your methodology, experience, and arguments against the reports from the other side you are reading.

You should include pictures of the PC, hard drive, location, and CDs or floppies that are imaged, etc.

Hope that helps.

Darren R. Miller

 
Posted : 10/11/2004 1:33 am
Suomi
(@suomi)
Posts: 8
Active Member
 

I usually write my reports in this form:

Intro
Background of case
Methods
Topics Covered
Results
Conclusions - Bullets, brief, and to the point.
Disclaimer

 
Posted : 10/11/2004 2:11 am
Jamie
(@jamie)
Posts: 1288
Moderator
 

Hi Tom,

Welcome to Forensic Focus.

EnCase, one of the most popular imaging and analysis tools, has a built-in reporting feature which allows an investigator to put together a report quickly with the results of an investigation. This is a nice feature which simplifies the process of describing the media under analysis and the results of the analysis itself (e.g. interesting files or images found). In most cases, though, the investigator will still need to add more information as Suomi and Darren have mentioned.

Kind regards,

Jamie

 
Posted : 10/11/2004 3:04 am
Suomi
(@suomi)
Posts: 8
Active Member
 

You're right, EnCase does have a reporting feature, but when presenting information to clients or whomever, a detailed report is much, much better. Usually the people who read these reports are not fluent in computer forensics, so in most cases a written-up report is great!

 
Posted : 10/11/2004 3:30 am
(@mohclips)
Posts: 4
New Member
 

Check out Becoming a Forensic Investigator by Mark Maher

http://www.sans.org/rr/whitepapers/forensics/

It's a good start.

😉

 
Posted : 24/11/2004 11:14 pm
Jamie
(@jamie)
Posts: 1288
Moderator
 

Useful link to a useful doc. Thanks.

Jamie

 
Posted : 27/11/2004 4:46 pm
mukinusa
(@mukinusa)
Posts: 5
Active Member
 

My rule of thumb is that the language you choose to use needs to be the same as explaining to someone who has zero computer skills. If you start off the document by assuming that people have at least a rudimentary knowledge of computers then you could confuse people. It is better to oversimplify the document than to complicate things.

I parenthesize practically every term that could be misunderstood at least once per document. When people receive my documents I quite often get a compliment on the concrete nature of the report.

 
Posted : 09/12/2004 5:22 pm
Jamie
(@jamie)
Posts: 1288
Moderator
 

I would strongly agree with this approach (with all the usual caveats about keeping the intended audience in mind, not leaving out the required level of detail, etc.). Often the examiner just cannot tell *exactly* who will end up with the report or be able to judge their technical expertise beforehand, so writing for the "lowest common denominator" (at least in terms of what level of detail is included, rather than omitted) is frequently a sound strategy. Might take a little more time to begin with but could save a lot of time or confusion later.

Jamie

 
Posted : 10/12/2004 1:09 pm