Report Writing in Digital & Multimedia Forensics
Tips for report writing, while working with multimedia evidence
Last updated
As with every formal letter and legal document you read, the flow of information runs from a basic introduction, through the body with its various subheadings, to the conclusion.
When reading one, you notice that a specific outline or format has been followed in drafting the document, and you learn where the most important facts and details lie.
The same applies to a digital forensics case report. Here, the report is generated after analysis of a device seized during the investigation, and it can be of vital importance in solving the case.
Digital forensics can be used to recover deleted data from seized devices that may contain important evidence.
NOTE: All sentences starting with a Roman numeral should be treated as options to be ticked/selected.
Firstly, we start with an appropriate title for the report being drafted, e.g. ‘Digital Evidence Forensic Report’ or ‘Examination Report’.
Remember that the document is marked OFFICIAL USE ONLY.
State the case number and the name of the agency undertaking the investigation.
The date and time of report completion, along with those of the incident being investigated, should be stated explicitly.
Distribution - It can be one of four categories:
IT
Internal Audit
Employee Relations
Others - Analysis of electronic devices comes under this category
Details of the individual from whom the device was seized, along with their title (Mr., Dr., Miss, etc.), residential address and workplace address.
The evidence is listed in a table giving the serial number and name of each item of digital evidence seized. Digital evidence can range from a device's browsing history to routers and the seized devices themselves. State the software used for data extraction; this needs to be specified in detail.
An example: ‘The software used in this examination has been registered and licensed to Company or its agents. All software and forensic hardware have been validated.’
In this section of the report, each item of evidence is referenced by its serial number, along with all data associated with it. A photograph of the item should also be included.
For example:
Item #1 — Browsing History
-> ‘Culprit’ surfed stock market and dentistry websites.
-> Visited an email site at 11:41:53 pm and sent an email
The above information should be concise and to the point. Although we would all like to know the names of the sites the culprit visited, they are not included, as they make the report wordier.
Each device seized is hashed, which gives it a unique ID. The hashing algorithm used can be MD5, SHA-1 or another. In an investigation, digital evidence is identified by its hash value.
It is essential that the original digital evidence is cloned, so that the tests are run on the copy.
This section is documented as in the following example:
‘Once the forensic duplication of the original media was done, the forensic image was generated. It was stored on a:’
There are two options to select from:
Government-owned, forensically wiped Hard Drive
Government-owned, forensically wiped Storage Area Network
To verify the authenticity of the forensic image against the original media, their hashes are compared. The result is either:
Matching
Not matching. Provide a possible explanation for this.
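The two hashing steps described above (identifying each item of evidence by its hash, and comparing the original media against its forensic image) can be scripted so that the values written into the report are computed rather than transcribed by hand. The following is an added example, not code from the original article; it hashes constructed in-memory sample data instead of a real disk image, and the `report_section` function, item numbers and storage wording are illustrative assumptions. It also enforces the rule stated above: a non-matching image is refused unless an explanation is supplied.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample "media" contents for an offline demonstration.
# Real evidence would be read from the image file in fixed-size chunks.
ORIGINAL_MEDIA = b"disk-image-bytes-0123456789" * 1024
FORENSIC_IMAGE_OK = bytes(ORIGINAL_MEDIA)          # faithful duplicate
FORENSIC_IMAGE_BAD = ORIGINAL_MEDIA[:-1] + b"X"    # one byte differs

# Algorithms mentioned on the page (MD5, SHA-1) plus SHA-256 for a modern value.
HASH_ALGORITHMS = ("md5", "sha1", "sha256")


def hash_media(data: bytes, algorithms=HASH_ALGORITHMS, chunk_size=64 * 1024) -> dict:
    """Return {algorithm: hexdigest} for the given bytes.

    Hashing is done in chunks so the same routine works unchanged on a
    multi-gigabyte image streamed from disk.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


@dataclass
class VerificationResult:
    item_number: int
    original: dict   # hashes of the original media
    image: dict      # hashes of the forensic duplicate
    matching: bool   # True only if every algorithm agrees


def verify_image(item_number: int, original: bytes, image: bytes) -> VerificationResult:
    """Compare the hashes of the original media and its forensic duplicate."""
    orig_hashes = hash_media(original)
    image_hashes = hash_media(image)
    matching = all(orig_hashes[a] == image_hashes[a] for a in HASH_ALGORITHMS)
    return VerificationResult(item_number, orig_hashes, image_hashes, matching)


def report_section(result: VerificationResult, storage: str, explanation: str = "") -> str:
    """Render the forensic-image paragraph of the report (hypothetical format).

    A non-matching result must carry an explanation, as the report requires;
    otherwise the section is refused rather than silently left incomplete.
    """
    if not result.matching and not explanation.strip():
        raise ValueError("Non-matching hashes require a documented explanation")
    lines = [
        f"Item #{result.item_number} - Forensic Image Verification",
        "Once the forensic duplication of the original media was done, the forensic "
        f"image was generated. It was stored on a {storage}.",
    ]
    for alg in HASH_ALGORITHMS:
        lines.append(f"{alg.upper()} (original): {result.original[alg]}")
        lines.append(f"{alg.upper()} (image):    {result.image[alg]}")
    if result.matching:
        lines.append("Hash comparison: Matching")
    else:
        lines.append("Hash comparison: Not matching")
        lines.append(f"Explanation: {explanation.strip()}")
    return "\n".join(lines)


if __name__ == "__main__":
    ok = verify_image(1, ORIGINAL_MEDIA, FORENSIC_IMAGE_OK)
    print(report_section(ok, "Government-owned, forensically wiped Hard Drive"))
    bad = verify_image(2, ORIGINAL_MEDIA, FORENSIC_IMAGE_BAD)
    print(report_section(bad, "Government-owned, forensically wiped Storage Area Network",
                         explanation="Image truncated by one byte during transfer (constructed example)"))
```

Recording all three digests side by side, rather than a single "matching" tick, lets a reviewer re-run the comparison independently, which is the point of identifying evidence by hash in the first place.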
The original media is subjected to a malware scan. Make sure the antivirus is updated with the latest malware and virus definitions.
Upon scanning, the finding is one of:
Media was free from malware
If not, provide a report on the findings below.
This section of the report contains:
The examiner’s conclusion
Attachments (notes and photographs made during forensic analysis)
Approvals - gained from local law enforcement agencies and legal authorities
Digital signatures of the report compiler and approver
In this article, we have taken a deep dive into what constitutes a digital forensics report. There are many factors to consider, and failing to document particular information can cause a case to be unsuccessful.
By using modern digital forensics tools such as Cyber Triage, Autopsy and Nmap, the job is made much quicker, allowing faster generation of reports and successful closure of a case.