by Feby Thealma, CEH, CHFI
Reporting is one of the most important steps in digital forensic analysis. Reporting sums up every step performed during the investigation and allows investigators to communicate to the intended audience the output they need to convey from the investigation.
The Report Builder feature in XAMN is one of the newest additions to XAMN as a helper to the investigation reporting phase. Investigators are given the freedom to quickly assemble reports as necessary out of the analysis performed and documents created outside XAMN.
Simply click and drag blocks from the Input table on the left side to the Report table next to it, customize each block, rearrange the blocks as necessary, and the investigation report is ready to be generated.
There are three types of blocks we could assemble into the report as seen on the Input table: system blocks, tag blocks, and data blocks. System blocks are blocks that generate a specific layout according to the information that investigators provide upon adding the block into the report, such as the Chapter name on the Chapter block or text to input on the Notes block. Meanwhile, tag blocks are blocks that will be used to add to the report artifacts which have been grouped and tagged by the investigator during the analysis phase.
Last but not least, data blocks are created by selecting one or more artifacts and clicking on the add button in the Report Builder section of the main menu at the top of every page, as shown in the screenshot below. Data blocks are easily the most used blocks in Report Builder due to their flexibility and convenience in adding artifacts to the report without tag restrictions.
Going through the blocks one by one, on the cover page system block, the investigator could change the Title Text, Case Information such as Case ID up to Report Generation Date/Time, and finally, Organization Logo and Information.
Unfortunately, investigators are only able to choose or fill in which information they would like displayed on the cover page, without any changes to the preset layout. Being able to design the report, such as changing fonts and adjusting alignments, designing the header and the footer, or adding colors, would make the investigation report look more professional.
The Case system block provides multiple case related blocks such as Case Data, Categories, Apps, and Person References. This can be utilized to quickly generate the case details into the report.
The contents of the page can be customized by dragging other system blocks into the Chapter system block. The Chapter system block provides a bolded single text line on the middle top of the page, so it is also useful as a section divider in managing the Report layout.
The Data Source block generates pages where the investigator can choose which data sources' details to add to the report. The generated page can also change according to the artifacts included in the report when the “only data sources used in report” option is chosen. The Data Source block includes a choice of Summary, General Information, and Device Overview blocks to be added to the report.
The Document system block is a powerful block where the investigator can simply upload any PDF or TXT document created outside of XAMN. Any document that couldn’t be generated through XAMN, such as an existing chain of custody document or search warrant document, can be merged into one investigation report with this block.
The Notes system block works as a subtitle and/or content customization. The investigator can utilize the Notes system block for small sections of the report that can be fitted into several paragraphs. To add pictures to the section, the investigator could utilize the Picture system block. An example of the usage of Notes and Picture system blocks can be seen on the screenshots below.
The investigator can easily group and export evidence artifacts into the report: artifacts are tagged with custom tags during the analysis phase, and those tagged artifacts or created data blocks are then added to the appropriate report section made in Report Builder. The exported information for the artifacts can also be easily customized by adding and removing items from the available choices.
Changing the displayed information on the report would help the investigator in creating reports for different stakeholders according to the necessity of the information or the stakeholder’s level of technical knowledge. The investigator could also capture screenshots of the investigation process in the software by going through the Capture menu option.
Available information choices are dependent on the relevant artifact properties. For example, media related artifacts include Picture, File Name, Type, File Format, File Size, Path, Owner, Owner Name, Group, Group Name, File Extension Mismatch, Modified, Accessed, Updated, Related Application, Storage, Owner Rights, Group Rights, and Hash Value; but the data which the investigator can choose to display would differ for each type of artifact.
The investigator could save the created layout as a Report Builder template to reuse it on the next investigation. As the blocks are highly customizable, it is also possible to make different report templates for different stakeholder groups. This would save time on creating investigation reports, as the investigator would only need to change a few pieces of information on the report such as changing the artifacts to be exported, or changing the report generation date and time. Everything else would be instantly generated by XAMN Report Builder.
XAMN Report Builder uses Adobe Acrobat Reader DC for the report preview in XAMN software. It’s also possible to use other PDF readers to look at the preview outside the software. Screenshots provided in this review would be an example of how the preview would look without Adobe Acrobat Reader DC installed on the workstation, but the preview works fine outside the software. In this case, I personally used Google Chrome to open the preview pages.
In its current state, XAMN Report Builder provides little customization of the report design and the styling of the inputted text. As of now, investigators won’t be able to change the design of the report cover, the document header and footer, font and paragraph styling, or list numbering and bullets with XAMN Report Builder’s generated system blocks. For a styled cover or front page, it’s possible for the investigator to attach an externally created page using the Document block.
As a personal preference, I usually make sure my own reports are not bland by having a color or company logo in the header and/or footer, making the paragraphs look neater by using justified alignment, and designing the cover of the report; but none of those options are available in Report Builder. The result feels like a quick five-minute report assembly, but even then, it would take longer to assemble the blocks in Report Builder.
It would be much easier to design the investigation report using another document editor, publish it as a PDF file, and upload it into XAMN Report Builder to export the whole report with the analyzed artifacts; or simply export the analyzed artifacts using the Report Builder and attach it separately from the report.
However, if the design of the report isn’t a concern, XAMN Report Builder is a very convenient reporting tool considering two features oriented on speed and simplicity: first, the possibility of saving a created layout as a template and reusing it for the next case investigation, and second, its capability to export grouped analyzed artifacts immediately.
Overall, XAMN Report Builder is a convenient feature for exporting analyzed artifacts and merging the result into the investigation report. It is a reporting feature fit for all kinds of digital forensic practitioners, producing reports that can be presented to different types of stakeholders. The offered blocks and customizations are applicable to any kind of digital forensic investigation. For those who want a well-designed report generated solely through XAMN, this feature might not be much help. But for those who are looking to speed up the generation of a simple investigation report with detailed artifact information attached, XAMN Report Builder will be a great help in the reporting phase of an investigation.
Feby Thealma is a cyber security expert from Jakarta, Indonesia, who specializes in digital forensic investigations. At the age of 20, she started working in the industry and has handled many digital forensic investigations. She always tries to find new challenges and opportunities to learn and grow in cyber security and especially digital forensics.