Each year, Champlain College selects several students to attend a three-day security and digital investigations conference called EnFuse. Students who have the opportunity to attend Enfuse not only get a chance to learn new skills to bring back to the classroom, they can also network with professionals in their field. I was among those chosen for Enfuse 2017, where I attended a number of courses specializing in Incident Response and new cyber threats. One session that I best remember was Forensic Report Writing, presented by USC professors Joseph Greenfield and Pierson Clair. No matter what type of forensic investigation you conduct, you will always have to compile some form of deliverable: the purpose of a deliverable is to communicate your findings to a client in detail. If your deliverable is not clear and concise, you risk jeopardizing the credibility of your work.
Writing an Effective Forensic Report
As Greenfield and Clair told us: “your report (and your investigation) must empower and advise decision-makers”. Whether you work as a public or private sector digital investigator, your job is to create logical conclusions based on factual evidence. An investigator’s job is never to win the case, but rather to find artifacts of potential evidentiary value and explain what those artifacts are. During their presentation, Greenfield and Clair broke down and explained the do’s and don’ts of forensic report writing.
The presentation began by exhibiting the writing style of a good forensic report. Greenfield and Clair stated: “your report must be scientific in nature….[it] should roughly follow a format of theory -> support or refute -> conclusion”. A forensic report must be unbiased, defensive in writing (always assume your report will be brought up in court), and written in the third person (this is to have continuity if multiple examiners are working on the same report).
The presenters also discussed words an investigator should never use in a forensic report, such as adjectives and adverbs; because a forensic report is scientific in nature, these types of words can turn an expert opinion into a personal opinion. To elaborate, words such as clearly, concrete, and absolutely state that the investigator has an opinion, which they should never show in their report. An investigator’s job is to present the facts of the case, not to point fingers; state who is innocent or guilty.
Forensic Report Template
Lastly, Greenfield and Clair presented an example of a general forensic report template:
- Cover Page
- Table of Contents
- Executive Summary
- Typically not seen on criminal forensic reports.
- This should always be written last. This section contains answers to the following questions:
- Why were you asked to perform the investigation (investigative goals)?
- What were the key findings?
- What is the significance, and what are your recommendations/expert opinion?
- Computer Evidence Analyzed
- This section contains details about media/devices seized and examined. This includes system information, serial numbers, dates/times, hashes, etc. This section is essentially a “light-weight chain of custody.”
- Relevant Findings
- This section contains a detailed list (ordered by importance) of artifacts of potential evidentiary value you discovered during your investigation. Make sure to only list findings relevant to the case.
- Investigative Leads
- This section contains references to other devices that were not available during the investigation. Essentially, anything that was explicitly outside of the investigative scope.
- In this section, you will restate the investigative goals, and provide your expert opinion that can be defended in court.
- Typically used for internal investigations, not civil or criminal investigations.
- In an incident response related investigation, this section would answer the following questions:
- What are some ways the problem could have been identified sooner?
- What are some strategies to mitigate/prevent this problem in the future?
- Any recommendations for criminal referral, or law enforcement assistance?
- This section contains a bibliography of any outside resources you referenced in your report.
- Good Appendices vs Bad Appendices:
- Good: list of deleted files during a particular time period of interest, list of IPs that a compromised system connected to with dates and times, list of USB devices with applicable dates and times when dealing with an Intellectual Property Theft case.
- Bad: Every text message on a device when you are only investigating a conversation between two individuals, a list of all USB devices, including keyboards, mice, hubs, etc., list of every LNK (shortcut) file on the system.
- Good Appendices vs Bad Appendices:
- This section contains the definitions to words that non-technical people might not know.
Greenfield’s and Clair’s final words of advice are to stay consistent when writing a forensic report, be as detailed as possible, and revise your report with the help of both technical and layman audiences. Having someone who doesn’t share your proficiencies proofread your report will ensure that you explained all the technical aspects of the report properly. A similarly specialized individual will ensure you don’t have errors in your report.