Presenting Media Sterilization Within Your Report

(@john_smith)
Active Member
Joined: 14 years ago
Posts: 13
 

Coming from a presentation viewpoint, adding non-necessary stuff to your digital report only serves to muddy the waters. I'm specifically referring to the screenshot addition and checksum mentioned. You already have a bazillion bits of data that you try to present to persons who probably have trouble signing in to Windows.

I believe simply mentioning what you did in a text report is sufficient on little details like this. I believe it to be overkill but if it works for you and you like doing it…….keep it up. I just generally write in my text report that I placed the image and work product on a previously wiped evidence drive.

Personally I write zeros, do a MBR and then we look at the drive using Imager to verify zeros outside the MBR. Another method we use is to utilize EnCase's wipe function, which with 7.03 was enabled to work without the dongle (previous v7 installs were not enabled). It seems to be the best function for 7.03. lol An unlisted feature of that product is a really slow wipe and verification of wipe.
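
An added example, not part of the original post: one way to script the "verify zeros outside the MBR" check and produce a one-line log entry of the kind a wipe log could hold. The function names, the log format and the 512-byte sector size are assumptions, and the sample image is constructed.

```python
import os
import tempfile

SECTOR = 512  # assumption: 512-byte sectors, MBR in sector 0

def check_wipe(path, sector=SECTOR, chunk=1 << 20):
    """Return (size, offset of first non-zero byte past sector 0, or None)."""
    with open(path, "rb") as dev:
        size = dev.seek(0, os.SEEK_END)   # also works on raw block devices
        dev.seek(sector)                  # skip the MBR written after the wipe
        offset = sector
        while block := dev.read(chunk):
            if block.count(0) != len(block):
                return size, offset + next(i for i, b in enumerate(block) if b)
            offset += len(block)
    return size, None

def wipe_log_line(path, label):
    """One line for a wipe log (hypothetical format)."""
    size, bad = check_wipe(path)
    status = "VERIFIED" if bad is None else f"FAILED at byte {bad}"
    return f"{label}: {size} bytes, zeros outside sector 0: {status}"

def make_sample(stray=None, sectors=64):
    """Constructed sample image: zero-filled, MBR signature, optional stray byte."""
    img = bytearray(sectors * SECTOR)
    img[510:512] = b"\x55\xaa"
    if stray is not None:
        img[stray] = 0x41
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(img)
    return path

if __name__ == "__main__":
    for label, stray in (("HDD X", None), ("HDD Y", 5000)):
        path = make_sample(stray)
        print(wipe_log_line(path, label))
        os.remove(path)
```

Pointed at a raw device instead of an image file, the same check reads the whole drive, so it needs read access to the device and takes as long as a full read pass.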


   
(@shep47)
Trusted Member
Joined: 15 years ago
Posts: 51
 

Hi Steve,

To address your point of how to include it in your report I would create a Standard Operating Procedure (SOP) detailing your wiping, verification process and just refer to this in your report, i.e. 'the drive was prepared for the imaging process in accordance with our SOPs'. I personally think reducing the minor detail (but referencing it where necessary) from our reports helps the flow of reading and if the 'other side' want to challenge what these 'procedures' are you can simply produce the SOP and maybe a simple log that was completed at the time showing you had wiped HDD X using the SOP. Obviously, have a lab wide sign up policy that you'll all follow SOPs as well! I've used this system in law enforcement for over 7 years and it seems to work well as I've never been challenged.

For your interest, we used to wipe our drives with Blancco from www.blancco.com (I'm not affiliated) in the military. I now use a Tableau TD1 in the corporate world. Checking out Blancco's website I now see that it does the paperwork (and nice sticky labels) for you! It's worth checking out and seems to be cheaper than it used to be at about £25 for the PC version.

Regards

Shep


   
(@shep47)
Trusted Member
Joined: 15 years ago
Posts: 51
 

Another method we use is to utilize EnCase's wipe function, which with 7.03 was enabled to work without the dongle (previous v7 installs were not enabled). It seems to be the best function for 7.03. lol An unlisted feature of that product is a really slow wipe and verification of wipe.

lol


   
(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
 

In terms of including it within the report, it depends on who the report is aimed at. When I write a report that is aimed at a jury, I would not go into the technical details of sterilisation as it is just a distraction and yet another concept to explain to a set of people who you have to consider will know very little about IT. Just saying that the media was "new" or "clean" has always been OK for me.
Obviously, within the unused material will be all the techy stuff about wiping, hashing etc and the defence expert, if there is one, is free to check all that if they wish. And as long as they have checked this and seen that all is OK, then no need to bring that into the court.
Just my 2pence worth


   
(@cedricpernet)
Eminent Member
Joined: 16 years ago
Posts: 26
 

I agree with Mr. Beardmore.

I always write reports according to which "public" is supposed to read it. Since it is generally made for people who don't have a deep technical knowledge, I tend to write "generic" sentences like "clean drive" or so. It doesn't prevent me from having technical papers aside, in which I describe the exact process used to clean the drive, or how I've done any forensic operation in the case.

I don't write reports for courts though, mostly for CISOs.


   