Report Writing in Digital & Multimedia Forensics

Tips for report writing while working with multimedia evidence

Introduction

As with every formal letter or legal document you glance over, the flow of information runs from a basic introduction, through the body with its various subheadings, to the conclusion.

When reading such a document, you realize that a specific outline or format was followed in drafting it, and you get an idea of where the most important facts or details lie.

The same applies to a digital forensics case report. Here, a report is generated after the analysis of a device seized during the investigation, and it can be of vital importance in solving a case.

Digital forensics can be used to recover deleted data from seized devices that may contain important evidence.

Drafting a Report

NOTE: All sentences starting with a Roman numeral should be treated as an option to be ticked/selected.

I) Title & other basic information

Firstly, we start with an appropriate title for the report being drafted, e.g. ‘Digital Evidence Forensic Report’ or ‘Examination Report’.

Remember that the document is for OFFICIAL USE ONLY.

State the case number and the name of the agency undertaking the investigation.

The date and time of report completion, along with those of the incident being investigated, should be explicitly stated.

Distribution: it can fall into one of four categories:

  1. IT

  2. Internal Audit

  3. Employee Relations

  4. Others: analysis of electronic devices comes under this category

II) Body of the Report

Give the details of the individual from whom the device was seized: title (Mr., Dr., Miss, etc.), residence address and workplace address.

a) Summary of Devices seized/evidence submitted

This is presented as a table listing the serial number and name of each item of digital evidence seized. Digital evidence can range from device browsing history to routers and the seized devices themselves. State the software used for the data extraction; this needs to be specified in detail.

An example: ‘The software used in this examination has been registered and licensed to Company or its agents. All software and forensic hardware have been validated.’

b) Evidence Report

In this section of the report, each item of evidence is referenced by its serial number, along with all data associated with it. A photograph of the item should also be included.

For example:

Item #1 — Browsing History

-> ‘Culprit’ surfed stock market and dentistry websites.

-> Visited an email site at 11:41:53 pm and sent an email.

The above information should be concise and to the point. Although we would all like to know the names of the sites the culprit visited, they are not included, as they would make the report wordier.

c) Specify Hash Generation Method

Each seized device is hashed to give it a unique identifier. The hashing algorithm used can be MD5, SHA-1 or another. In an investigation, digital evidence is identified by its hash value.

d) Specify Forensic Imaging Method

It is key that the original digital evidence is cloned, so that the tests are run on the copy rather than on the original.

This section is documented as in the following example:

‘Once the forensic duplication of the original media was done, the forensic image was generated. It was stored on a:’

There are two options to select from:

  1. Government-owned, forensically wiped Hard Drive

  2. Government-owned, forensically wiped Storage Area Network

To verify the authenticity of the forensic image against the original media, their hashes are compared. They can turn out to be either:

  1. Matching

  2. Not matching. Provide a possible explanation for the mismatch.
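As an added example (not from the article), the following Python script produces the hash records that sections c) and d) call for: it hashes the original media and the forensic image with MD5, SHA-1 and SHA-256 in a single chunked pass and emits a report entry using the section's own ‘Matching’ / ‘Not matching’ wording, leaving a slot for the examiner's explanation when the hashes differ. The function names and the sample byte strings standing in for a drive and its images are assumptions for illustration.

```python
import hashlib
import io

# Algorithms the article names (MD5, SHA-1) plus SHA-256: MD5 and SHA-1 are no
# longer collision-resistant, so a current report should record a SHA-2 hash too.
ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB chunks so multi-GB images fit in memory

def _as_stream(source):
    """Accept raw bytes (sample data) or an open binary file (a real image)."""
    return io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source

def hash_media(source, algorithms=ALGORITHMS):
    """Return {algorithm: hex digest} computed over the media in one pass."""
    stream = _as_stream(source)
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(original, image, algorithms=ALGORITHMS):
    """Compare original media and forensic image; status uses the report's wording."""
    orig_hashes = hash_media(original, algorithms)
    image_hashes = hash_media(image, algorithms)
    results = {name: orig_hashes[name] == image_hashes[name] for name in algorithms}
    status = "Matching" if all(results.values()) else "Not matching"
    return status, orig_hashes, image_hashes, results

def report_section(item_no, original, image):
    """Render the hash-verification entry of the Forensic Imaging Method section."""
    status, orig_hashes, image_hashes, _ = verify_image(original, image)
    lines = [f"Item #{item_no} - Hash verification: {status}"]
    for name in ALGORITHMS:
        lines.append(f"  {name.upper():7} original: {orig_hashes[name]}")
        lines.append(f"  {'':7} image:    {image_hashes[name]}")
    if status == "Not matching":
        lines.append("  Explanation: [examiner states the probable cause here]")
    return "\n".join(lines)

# Constructed sample data standing in for a seized drive and two candidate images.
ORIGINAL = b"\x00" * 4096 + b"CASE-EXAMPLE-FILESYSTEM" + b"\xff" * 4096
GOOD_IMAGE = bytes(ORIGINAL)                                 # bit-for-bit copy
BAD_IMAGE = ORIGINAL.replace(b"FILESYSTEM", b"FILESYSTEN")   # one byte differs

if __name__ == "__main__":
    print(report_section(1, ORIGINAL, GOOD_IMAGE))
    print(report_section(2, ORIGINAL, BAD_IMAGE))
```

For a real image, pass an open file (`open(path, "rb")`) instead of the sample bytes; the chunked loop keeps memory use flat regardless of image size.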

e) Virus & Malware

The original media is subjected to a malware scan. Make sure that the antivirus is updated with the latest malware and virus definitions.

Upon testing, we can infer that:

  1. Media was free from malware

  2. Malware was found; if so, report the findings below.

III) Conclusion of the Report

This section of the report contains:

The examiner’s conclusion

  1. Attachments (notes and photographs made during the forensic analysis).

  2. Approvals, gained from local law enforcement agencies and legal authorities.

  3. Digital Signatures of the report compiler and approver.

Conclusion

In this article, we have taken a deep dive into what constitutes a digital forensics report. There are many factors to consider, and failing to document particular information can cause a case to be unsuccessful.

Using modern digital forensics tools such as Cyber Triage, Autopsy and Nmap makes the job much quicker, allowing faster generation of reports and successful closure of a case.
