Writing effective digital forensic reports is a critical, yet challenging, aspect of the forensic process, requiring careful documentation of findings that can be understood by legal professionals and used as the basis for testimony.
Among the most difficult and important things that digital forensic practitioners do is to write forensic reports. Hello, I'm Mark Pollitt, and this video will be about how to write forensic reports. Really, doing the forensic examinations is not sufficient. There's an old saying in the law enforcement community that if it's not written down, it didn't happen. Well, that very much is the case when it comes to reporting the results of digital forensic examinations.

In this lecture I'm going to talk about how we can actually write effective reports. I will warn you up front that it is an art as much as it is a science. As the author Stephen Covey said many times in his 7 Habits of Highly Effective People, always begin with the end in mind. In the case of digital forensic examinations, the end will always be, or may always be, a trial, and even if it's not a trial, your audience for your report will be lawyers: prosecutors, defense attorneys, plaintiffs' or defendants' attorneys, and effectively investigators, and sometimes juries. So you're going to have a number of different audiences for this report, and you're going to need to write a report that gives them the information they need. At the same time, it provides you with the information that you need in order to effectively testify to the contents of a report.

Now, as we know from our previous
lectures, there are really four phases of the digital forensic process, or the forensic process in general. That starts with the acquisition and preservation of the evidence; the examination of it, which is the nuts and bolts of what you do; the analysis, which is determining what is important, what is not important, and how it fits into the case narrative; and last but not least, the presentation. The report obviously fits into this last category. The presentation, of course, can have two parts: it has the testimony part, but it also has the written part, which is the report. You really produce four kinds of products, if you will, for the presentation phase. The most obvious, of course, is the report itself, but as you have already learned, or if you haven't, you will very shortly, the notes are crucial not only to writing good reports but to having effective testimony, and so there is a real interface between notes and reports. We're going to talk about that somewhat in this lecture. The last two parts, exhibits, which are the things that you bring into the trial to demonstrate the results of your examination and to demonstrate how a technology works, will be covered in a separate lecture, as will the actual process of giving testimony. So this particular lecture will focus on the notion of reports and, to a lesser extent, the notes.

Now, we'll start with the notes, because you in fact start with them, and while we're going to do a whole other presentation about them, again using Covey's admonition, you need to start with the end in mind. If you're going to write a report, it has to be based on notes, because anything in the report must be contained in the notes. The rule of thumb is the notes must contain enough information that a skilled examiner can replicate your results and demonstrate the basis of your conclusions. That doesn't mean that they have to be able to do the exact same steps; it doesn't mean that they have to even use the same software or hardware. What it means is that they can take the evidence that you've had and, using their knowledge, skills and abilities, replicate the results and, importantly, the basis of your conclusions, if you have
any. The notes themselves are discoverable, which means that from the first ink that you put on the paper, or the first letter you type into your electronic notes, that starts a chain of events that will ultimately, or potentially ultimately, end up in the hands of opposing counsel. So it's important that these notes be good: they must be clear, they must be legible, they must be understandable. But they're not in and of themselves your report. They're not a part of the report per se, but they are what the report is based upon. Saying it another way: if it's not in the notes, it didn't happen, and if it's not in the notes, it can't be in the report. So everything in the report has to be in the notes. Conversely, not everything in the notes will be in the report. Part of your analysis and presentation process is deciding what is really important and what is not important to answer the questions that you're going to have to answer with regard to your report.

Now, if you ever want to start an argument among forensic examiners, bring up the topic of forensic reports, because every examiner has their own view of them, has their own bones to pick and their own sticky points that they believe in. There are two main extreme views. When I first joined the FBI, the policy in the lab was to put the absolute minimum of information in the report; if you could do a report with one or two lines, then that's what they wanted.
That proved to be pretty ineffective and, quite frankly, kind of a waste of effort. As you'll see later on, you really have to have enough information in the report; otherwise you're going to find yourself having to verbally give the report over and over again, which increases the chances that you make a mistake. The other extreme, and this was the kind of notion that the IACIS folks, the International Association of Computer Investigative Specialists, had when they were doing the very first training in digital forensics: their view was you put everything in there. You put every single step and every single outcome, and you take screenshots of absolutely everything. Well, in the age of terabyte and multi-terabyte drives, (a) that's not very practical, and (b) it really is producing more garbage than it's producing value. One of the most important things that you do as a digital forensic examiner is to take a large amount of data and distill it down into the important and essential elements for the particular investigation that you're supporting with your examination.

So the middle ground is really the important approach, or the appropriate approach, and it means essentially that we have to select what information we're going to include. When I say what information, that includes what we did, why we did it, how we did it, what the results were, and what our conclusions were, and you want to do that in a clear, effective communication style. In fact, we'll have a separate lecture on communications as well, but for the purposes of this lecture, understand that we're going to be selecting what we're going to include in our report, and we need to do it on some sort of an objective basis. But the bottom line is every examiner has to make choices in terms of what goes in the report. There is no perfect report, and there is no answer that is correct in each and every situation. You can have two different examiners do the same examination and write two different reports that are factually consistent but are written very differently and organized very differently, and that's
okay. In the end it's about the choices that you make and how you can defend those choices in connection with the goals and objectives for your particular examination.

Now, if you stop and think, why are we writing this report at all? The simple answer is, well, it's going to be the result of your examination. And so what has to be in there? Well, the pertinent facts and conclusions. It means that the stuff that's important needs to be in there, and if it's not, it's not a complete report. On the other hand, you can't and should not report everything you did; that's what your notes are for, and most of your notes are not going to be of any interest to anybody. The report itself is really a legal document. It is a concrete document that provides the basis of your testimony, and it is what the attorneys, the prosecutors, the defenders, the judges, etc., are going to rely upon, up until the moment that you get on the stand, and even then. If you testify about something that isn't in your report, then you may find yourself in a very awkward position trying to justify things, and I can tell you that anything that is not in the report is automatically suspect. So if you get on the stand and you start talking about something that occurs to you then as really important, but it's not included in your notes, or correction, it isn't in your report, you can expect to get cross-examined at length about that. The inference is going to be that you have to prove that what you did was in fact in there and it was correct, that you are reasonable in your belief, and that you have a reason why it was not in the original report.

Some cynics would say, okay, well, all reports do is provide the rope for your hanging. That's really not true. The reality of it is your notes and your reports really are your best friend on the stand, because in the end they provide you with a factual set of information that you can utilize in your testimony, so that your testimony is going to be correct.
Poor notes or a poor report require that you rely entirely on your memory and your ability to think on your feet, and in a long testimony that can be very problematic. So a well-written report may in many cases eliminate the need for you to even testify, or minimize the amount of things that you are going to have to testify about. Writing a report well is really an important task, and it's not an easy task; it's a hard task. In fact, in the FBI it took most people one to two years to qualify as an examiner, and then it took most examiners about another two years to write really good reports without coaching. I would routinely, along with the supervisors who worked for me, read and critique every single report that every examiner would write, and particularly with the new examiners I would spend a lot of time talking to them. I would virtually debrief them on almost every exam that they wrote, and the issues would get smaller and smaller, and they would get more and more comfortable, and the reports would get better. Generally, after a year or two they were to the point where I didn't feel like I had to look at them with a fine-tooth comb every single time. But that's having written several dozen reports and getting coached in between, so don't expect in the context of a one-semester course to master report writing, but I'm certainly going to do my best to train you as well as I can in the time at hand.

Now, one of the other things that is a personal quirk of mine, a sore point for me, is that a lot of the automated tools like EnCase, FTK, ILook, and ProDiscover produce what they call "reports".
What these are is nothing more or less than a printout of the things that have been done and observed using that tool. They're useful, but they're not reports in the forensic sense; they are really a glorified form of notes, and I encourage you to use them as such. A lot of people will write their examiner notes, in the old days by hand, but now most of the time people do it in a Word document, and if they're using one of these automated tools they will produce a "report" from that at the end and attach it as part of their notes. So it becomes a part of their notes, not the entirety of their notes, and it certainly is not their report itself. Unfortunately, I've seen some lawyers, particularly some prosecutors, that seem to love these printouts, and they tend to rely on them more than your notes or your report. That's very dangerous for them, and it's a little bit dangerous for you as well, because first of all it presumes that they really understand what they're seeing there, which in most cases frankly isn't true. Most lawyers do not have the ability to really interpret the outputs from EnCase and FTK without understanding the nuances of what it may or may not be actually telling them. So it's a bad crutch for them, and I think in some cases it's because they have not had examiners write really good reports. If you write a really good report with appropriate appendices, they will be less inclined to want to play with your printouts, and in any case I try to avoid giving prosecutors the raw data if I can, only because they tend to make a mess out of it. So how do we go about writing a good
report? Well, every organization you'll ever work for will develop their own format, and they have their own style and their own verbiage, and so you will learn to write it however they want. To some degree you'll find that every professor will have you write reports a little differently. In my program we have tried to standardize it as best we can, but there's always going to be a certain amount of difference there, and that's just par for the course. But we've developed a format specifically for training. Understand that this is not necessarily the best report format for operational reports and real-life cases, but for training purposes we've defined a report in six parts. The first is the examination or validation tasking, and then it's followed up by what we call the forensic questions, then our list of steps taken, our results, our conclusions, and finally our opinions. I'm going to go through each of these step by step and explain what it is that they mean.

This is just a screenshot of the format. The laboratory number, the date, and the examiner's name are par for the course, and you know what to fill in there. The exercise, validation test, or examination: pick whatever it is, and the number for it, and put that in there. Then the first section is examination or validation tasking. This is a narrative section, meaning that it's a series of sentences, usually no more than one or two paragraphs, and it is your description of the requirements for this case, what your examination goals are, and any specific criteria that your client wants you to meet. The way we figure that out is we require our submitter, the contributor, the person that's giving us the evidence, to tell us as part of their submission what it is and what it is they want us to do. It's our job to look at that, talk to them, and essentially put this into a format that allows us to describe what examination we're going to do and, more importantly, it's going to help us define when our examination is complete. Because one of the things that we've learned the hard way, and I've certainly learned this the very hard way, is that if you don't define when you're done with an examination, you will never get done. It's much easier to start an examination than it is to complete one, and if you don't know what complete looks like, then you are never going to finish. So before you even start to do the examination, I tell my examiners to write the validation or examination tasking section so that you know what done means. And I take it one step
further: you should communicate that verbatim with your contributor, saying, okay, this is my understanding of what you want; are we talking on the same sheet of music? So when I find this and this and this, we're done; are you in agreement with that? When you both agree with it, then you can start your exam. But if you start your exam before you come to that agreement, you can get a third, halfway, or all the way through the examination and the contributor says, no, no, no, that's not what I wanted, I wanted something different. That's not very useful. So to really focus the examination, make the examination as efficient a process as possible, and at the same time manage the expectations of your customer so that your customer gets what they think they're going to get, you want to come up with a good examination or validation tasking.

Now, the tasking itself should say who asked you to do the examination and what is or was their authority, or your authority. This is really important, because particularly in digital evidence there are lots of parts of evidentiary law that may require some particular permission in order to do something, and so you need to be able to demonstrate to the court when you testify that you had the authority to do whatever it is that you're doing. Now, that authority can come from being a law enforcement officer; it can be from a search warrant; it can be from a court order; it could be from an employment situation. But you need to clearly articulate what your authority was to do that examination. And then, what is it that they asked you to do? This should be in reasonably layman's terms. Anybody that reads this report, if they're a lawyer or a judge, ought to be able to go, okay, I get what they were asked to do. This is not a time to bring out your technical jargon and try to obfuscate things. It really is a restatement of your examination goals: if you do an examination plan, and that's the subject of a separate video, but if you have seen an examination plan or if you've done one, it really is a restatement of the exam goals. Its purpose is to frame what you're going to do, basically saying, okay, here are the boundaries of what it is that I'm trying to do and here's what I'm trying to accomplish. Most people just don't spend enough time or effort on this, and I can tell you that the better you do at writing your tasking, the easier and more efficient your examination process is going to be, the more streamlined and effective your report is going to be, and the more effective your testimony is going to be. Most of all, it's going to tell you when you're done: when you have accomplished whatever the tasking sets out, you're done; it's time to write the
report. Here's an example: "On 3/1/05, Detective John Jones from the Tulsa Police Department delivered a 3.5-inch Seagate hard drive, serial number 12345. Detective Jones provided me with a copy of the search warrant," and there's your authority, "issued by Judge Sally Doe, authorizing the search of this hard drive for information concerning the manufacture, possession or distribution of controlled dangerous substances in violation of Oklahoma statute 46913." What they're saying here is, okay, this is the kind of information I'm looking for, so if it doesn't help me find information about manufacture, possession or distribution of controlled dangerous substances, then I don't need to look at it; I'm not interested in it. Then the second part is, "Jones provided the following summary of the case," and in that you're going to get some of the names of the subjects, the locations, perhaps the street name for the drugs, whatever they can give you that will help you to search the hard drive to find information that is probative in this particular case. And then here's where you did your negotiation with Detective Jones. It says, "Detective Jones requested an examination be conducted to identify," and you list the things that he wants you to identify. Again, this goes back to managing expectations: okay, you want me to do an examination of this for stuff about drugs; that's fine, but specifically what about drugs, what about drugs in this particular case? You really need to refine this down for me. And so you negotiate this back and forth until you and Detective Jones agree on that last statement, and when you agree on that last statement, then you've got a good tasking
example. We've had a whole separate lecture on forensic questions, and we're going to go over them yet again in this lecture because they are really, really important, and they're important for you to understand how to think about conducting examinations and how to construct forensic examinations. We learned about Inman and Rudin's typology, where they talked about identification, classification, individualization, association and reconstruction. Well, I'm going to go back and cover them very briefly again, but keep in mind that at the end we're going to ask one or more forensic questions in the Inman and Rudin context, in this identification, classification, individualization, association, reconstruction format, as forensic questions to help us define how we're going to conduct our examination.

Now, remember we talked about identification: it's basically what is it, and merely identifying something as something is sufficient. This is not uncommon in a digital forensic examination, but sometimes it's a little bit more complex than you might think. It's really easy to identify Word documents or spreadsheets or databases or pictures, and if that's all that's required, then that's enough. Perhaps a more focused example would be if we're asked to find child pornography images. Once you identify the photographs and you recognize the content, then it's pretty straightforward: you have identified it. Although, practically speaking, you really can't identify child pornography per se, because you're not an expert in the identification of children. Now, it may be intuitively obvious to you, but that may not be sufficient. But being asked to find all of the photographs involving naked people, that would be a pretty easy and straightforward identification task, and so the Inman and Rudin forensic question would be: identify any photographs involving flesh tones. A couple of other taskings might involve any images involving sexual content; identify any references to John Smith, AKA "Pocus Pimp"; identify an invoice dated January 25th. These are specific things; when you find them, that's all you have to do. You're not asked to do anything further other than to identify
them. Practically speaking, in digital forensics that's pretty rare. More often than not, what you're asked to do is some combination of the classification and individualization question. Under Inman and Rudin, the idea is: did these things originate from a common source, and can we identify one or more objects as being the same type of item, or as coming from a particular source to the exclusion of all others? As an example, Word files are a class. We can identify dozens, hundreds, tens of thousands of Word files reliably because we can classify them; we have the software tools that will find every Word file out there, whether it has a .doc extension or not, and we can classify them as a group. Now, all Word files don't come from the same source and don't come from the same person, etc. If you want to identify, or correction, individualize a Word file, the only way that you can do that is by running a mathematical algorithm called a hash against it, and if the hash value of a file found on one computer matches the hash value of a file found on another computer or another piece of media, then you can say that those files are identical to a mathematical certainty, and so they are individualized.

As a practical matter, in fingerprints, when we find a loop or an arch or a whorl, that's class evidence, but when we find minutiae on there that will allow us to identify that against a known sample, we can then say that we've individualized that fingerprint to this particular subject to the exclusion of all others. With DNA we do that for all intents and purposes, although the reality of it is that DNA is not an exact match; it's just an extremely high statistical probability. Bullets, on the other hand, are, at least to a visual certainty, a fairly exact match, and you can individualize them. But as a practical matter, in the digital arena we very often classify documents or files in order to look for specific data, and then we look within that data to try to find information of probative value. Occasionally we will be given a known file or some known data and asked to find that in our evidence, and in that case we're using individualization. As an example, if you are investigating the theft of intellectual property, where some computer code is alleged to have been stolen by one of the programmers, you can get the known code from the company and then look for that same code on their computer, and when you find that same code, then you have individualized that code. So that's an individualization question in the Inman and Rudin paradigm. Here's just a visual examination of firearms and tool marks, and you can see that they are in fact identical, and therefore that's an individualization
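The classification-versus-individualization distinction from the Word-file and stolen-code discussion above, worked through in code. This is an added example, not part of the lecture or its course materials. The evidence paths, their contents and the "known" source file are constructed sample data, and SHA-256 is used as the hash because the lecture does not name one; the examiner's tool may report MD5, but known MD5 collisions make a SHA-2 hash the safer basis for an identity claim in a report.

```python
"""Classification versus individualization of files recovered from evidence.

Classification: group items by what they are (here, by leading file-signature
bytes, regardless of extension). That says which class a file belongs to, not
which particular file it is.
Individualization: match a known file to an item in evidence by cryptographic
hash, so a match identifies that exact content to the exclusion of all others.
All file contents below are constructed for this example.
"""
import hashlib

# File signatures ("magic numbers") that classify a file by container type.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                           # .docx/.xlsx/.pptx are ZIP containers
WORD_SIGNATURES = (OLE2_MAGIC, ZIP_MAGIC)

# Constructed stand-in for items carved from an evidence image: path -> content bytes.
EVIDENCE = {
    "Documents/report.doc": OLE2_MAGIC + b"quarterly figures ...",
    "Temp/~cache.tmp":      OLE2_MAGIC + b"a word file whose extension was changed",
    "Downloads/memo.docx":  ZIP_MAGIC + b"zipped office open xml payload",
    "Pictures/beach.jpg":   b"\xff\xd8\xff\xe0" + b"jpeg image data",
    "src/parser.py":        b"def parse(buf):\n    return buf.split(b',')\n",
}

# Known file supplied by the complainant (constructed: the company's own source code).
KNOWN_SOURCE = b"def parse(buf):\n    return buf.split(b',')\n"


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest as a hex string."""
    return hashlib.sha256(data).hexdigest()


def classify_word_files(evidence: dict) -> list:
    """Classification question: which items are Office/Word-type files?
    Decided by signature bytes, so the renamed .tmp file is still found.
    The ZIP signature also matches non-Office archives, which is the point:
    classification places an item in a group, it does not identify one file."""
    return sorted(path for path, data in evidence.items()
                  if any(data.startswith(sig) for sig in WORD_SIGNATURES))


def hash_inventory(evidence: dict) -> dict:
    """Hash of every item. This belongs in the examiner's notes: anything the
    report later says about a match must be traceable to a recorded value."""
    return {path: sha256_hex(data) for path, data in evidence.items()}


def individualize(evidence: dict, known: bytes) -> list:
    """Individualization question: which items in evidence are the known file?
    A hash match means byte-identical content. A single changed byte yields a
    completely different digest, so near-copies are not reported as matches;
    they would need a separate (and weaker) similarity argument in the report."""
    target = sha256_hex(known)
    return sorted(path for path, digest in hash_inventory(evidence).items()
                  if digest == target)


if __name__ == "__main__":
    print("Word-type files (class):", classify_word_files(EVIDENCE))
    print("Known source found at:", individualize(EVIDENCE, KNOWN_SOURCE))
    print("Edited copy found at:", individualize(EVIDENCE, KNOWN_SOURCE + b"# edited\n"))
```

The two questions produce different kinds of answers, which is why the report should state which one was asked: `classify_word_files` returns three items including a file with no Word extension, while `individualize` returns only the one item whose content is identical to the known file, and returns nothing for a copy that was edited after being taken.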