How often do you perform a computer backup? Probably not often enough! Well, if you…
By John Ahearne, Forensic Analyst
This article is part of a series that delves into each step of the digital forensic process. If you missed one of the previous articles, you can read them at the links below:
In this article, we outline certain digital forensic best practices on writing reports for the purpose of presentation of digital analysis and evidence.
Presentation of Digital Analysis and Evidence
Forensic cases often present unique scenarios that require a customized process that utilizes all possible best practices. The presentation of digital analysis includes a formal written report on the identification of relevant information.
Ultimately, the report and relevant information will be viewed by human resources, executives, law enforcement, lawyers, judges and juries. As such, the report should be clear and concise, yet still contain sufficient detail to describe a repeatable and defensible process.
The information must be provided in an organized and easily accessible format. Depending on the ultimate use of the information, there may be the need to provide the same data in different formats.
The most important overriding principle for a forensic report is that it is based on objective findings. It is acceptable to give opinions or examples when necessary. Any conjecture, however, should be clearly identified as such.
As with any written document, the digital forensic report must be drafted for the intended reader/audience. Since it will be intended for multiple audiences, it is important to divide the report into sections that appeal to each. Audiences may include individuals, businesses, clients, legal counsel, opposing counsel, forensic experts, judges and/or juries.
The organization of a report presenting digital analysis and evidence should include:
- Executive Summary
- Appended Reports
Due to the variation of potential readers, the report should balance the use of layperson definitions of technical terms with the need for sufficient technical detail.
The Executive Summary includes a high-level description of analysis findings in language that can be understood by individuals who may be less tech-savvy.
Executives do not have the time to read an entire report but definitely need to know what is going on, which is why a report should always begin with an Executive Summary. This section will also appeal to judges, juries and other readers who do not have significant technical backgrounds to know what forensic images are, care about the file carving method used to recover deleted files or why they may be important.
Opposing sides and expert witnesses, on the other hand, will want to know the technical details. In addition, many judges, lawyers and juries are becoming more sophisticated than ever as technology advances. Therefore, a report should provide a Findings section that contains all the technical language and details.
This section will contain visual illustrations such as diagrams, charts and pictures of important information that is easily viewable and understood by the entire audience.
The Findings section is intended to satisfy the tech-savvy and, more importantly, defend the findings outlined in the Executive Summary by clearly describing the repeatable and defensible process used in the forensic analysis of evidence referenced in the report.
Appended reports further support the analysis of the relevant information without losing an audience’s focus. Appended reports are useful for highly detailed technical information and for evidence that can produce a tremendous amount of data such as email or chat message analysis.
Appended reports can be handy for changing format without changing the entire report. For example, chat messages presented in a spreadsheet are easy to sort and organize by legal counsel. However, a conversational view of chat messages can better illustrate communication of multiple parties.
The Conclusion section is where it is appropriate to provide subjective analysis and expert opinions. The Conclusion should never contain new information and should wrap up the analysis in a direct and concise manner.
To better prepare a defensible report, review by a peer is not only helpful, it is highly recommended!
A peer would be someone on staff, a coworker, management or someone else who is familiar with the forensic process. Ideally, more than one person should review your report. A coworker or lead examiner should go over the entire case, the scope of work, how you came about your findings and supporting evidence. Management or Director of Forensics should go over the case at a high level to see that it makes sense to the intended audience.
The Presentation Process also includes providing the relevant information in native or a requested format, i.e. PDF, TIFF or database format for ingestion into eDiscovery software. This brings us to electronically stored information (ESI) Review Process, which will be discussed in the next article of this series.
Stay tuned for your lesson in ESI Review.
Visit DriveSavers eDiscovery and Digital Forensics.