Forensics Report Writing | Introduction to Digital Forensics | YouTubeToText
YouTube Transcript: Forensics Report Writing
Summary
Core Theme
Writing effective digital forensic reports is a critical, yet challenging, aspect of the forensic process, requiring careful documentation of findings that can be understood by legal professionals and used as the basis for testimony.
[Music]
among the most difficult and important
things that digital forensic
practitioners do is to write forensic
reports hello I'm Mark Pollitt and this
video will be about how to write forensic
reports really doing the forensic
examinations is not sufficient there's
an old saying in the Le in law
enforcement community that if it's not
written down it didn't happen well that
very much is the case when it comes to
reporting the results of digital forensic
reports uh this lecture I'm going to
talk about how we can actually write
effective reports I will warn you up
front that it is an art as much as it is a
science as the uh author Stephen Covey uh
said many times in his seven rules for
highly effective people always begin
with the end in mind in the case of
digital forensic
examinations the end will always be uh
or may always be a trial and even if
it's not a trial your audience for your
report will be lawyers uh prosecutors
defense attorneys plaintiffs or
defendants attorneys uh and effectively
uh uh investigators and sometimes juries
so you're going to have a number
of different audiences for this report
and you're going to need to write a
report that gives them the information
they need at the same time it provides
you with the information that you need
uh in order to effectively testify uh to
the contents of a
report now as we know from our previous
lectures there are really four phases of a
digital forensic process or the forensic
process in general and that starts with
the acquisition and preservation of the
evidence the examination of it which is
the nuts and bolts of what you do the
analysis of determining what is
important what is not important and how
it fits into the uh case narrative and
last but not least the
presentation and the report obviously
fits into this last category and uh the
presentation of course can have two
parts it has the testimony part but it
also has the written part which is the
report and you really produce uh four
kinds of products if you will for the um
uh presentation phase uh the most
obvious of course is the report itself
but as you uh have already learned uh or
if you haven't you will very shortly uh
the notes are crucial uh to not only
writing good reports but having
effective testimony and so there is a
real um interface between notes and
reports and we're going to talk about
that uh somewhat in this lecture uh the
last two parts exhibits which are the
things that you bring in the trial to
demonstrate the results of your uh
examination and to demonstrate how a
technology Works uh will be covered in a
separate lecture uh as will uh the
actual process of giving testimony so
this this particular lecture will focus
on the notion of reports uh and to a
lesser extent the uh uh the notes now
we'll start with the notes because you
in fact start with them um and while
we're going to do a whole another
presentation about them again using Covey's
admonition um you need to start with the
end in mind and if you're going to write
a report it has to be based on notes
because anything in the report must be
contained in the
notes and the rule of thumb is the notes
must contain enough information that a
skilled examiner can replicate your
results and demonstrate the basis of
your conclusions that doesn't mean that
they have to be able to do the exact
same steps it doesn't mean that they
have to even use the same software or
Hardware what it means is that they can
take the evidence that you've had and
using their knowledge skills and
abilities replicate the results and
importantly the basis of your
conclusions if you have
any the notes themselves are
discoverable which means that from the
first ink that you put on the paper or
the first letter you type into your
electronic notes uh that starts a chain
of events that will ultimately or
potentially ultimately end up in the
hands of opposing counsel and so it's
important that these notes be good they
be clear they be legible they be
understandable all right um but they're
not in and of itself your report they're
not a part of the report per se but they
are what the report is based upon say it
saying it in another way if it's not in
the notes it didn't happen and if it's
not in the notes it can't be in the
report so everything in the report has
to be in the
notes conversely not everything in the
notes will be in the report part of your
analysis and presentation process is
deciding what is really important and
what is not important to uh answer the
questions that you're going to have to
answer with regard to your
report now
um if you ever want to start an argument
among forensic examiners bring up the
topic of forensic reports because every
examiner has their own view of them has
their own uh bones to pick and their own
uh uh sticky points that they uh they
believe in um and there are two kind of
main extreme views uh when I first
joined the FBI the policy in the lab was
put the absolute minimum amount of
information in the report uh if you
could do a report with one or two lines
then that's what they wanted
that proved to be pretty ineffective and
quite frankly kind of a waste of
effort uh as you'll see later on uh you
really have to have enough information
to report otherwise you're going to find
yourself having to verbally give the
report over and over again which
increases the chances that you make a
mistake the other extreme uh and this
was the kind of notion that uh
the IACIS folks the International
Association of Computer Investigative Specialists
when they were doing the very first
training in digital forensics their view
was you put everything in there you put
every single step and every single
outcome and you take screenshots of
absolutely everything well in the age of
terabyte and multi-terabyte drives uh a
that's not very practical and B it
really is producing more garbage than
it's producing
value one of the most important things
that you do as a digital forensic examiner
is to take a large amount of data and
distill it down into the important and
Essential Elements for the particular
investigation that you're supporting
with your
examination so the middle ground is
really the important uh approach or the
appropriate approach and it means
essentially that we have to select what
information we're going to include and
when I say what information that
includes what we did why we did it how
we did it what the results were and what
our conclusions were and you want to do
that in a clear effective communication
style uh in fact we'll have a separate
lecture on uh Communications as well but
for the purposes of this uh lecture uh
understand that we're going to be
selecting uh what we're going to include
in our report and we need to do it on
some sort of an objective
basis but the bottom line is every
examiner has to make choices in terms of
what goes in the report and there is no
perfect report and there is no uh answer
that is correct in each and every uh
situation and you can have two different
examiners do exactly the same report or
do the same examination write two
different reports that have they're
factually uh consistent but are written
very differently and organized very
differently and that's
okay in the end it's about the choice
that you make and how you can defend those
choices in connection with the goals
and objectives for your particular
examination now if you stop and think
why are we writing this report at all
and the simple answer is well it's going
to be the result of your
examination and so what has to be in
there well the pertinent facts and
conclusions it means that the stuff
that's important needs to be in there
and if it's not it's not a complete
report on the other hand you can't and
should not report everything you did
that's what your notes are for and most
of your notes are not going to be of any
interest to anybody and the report
itself is really a legal document it is
a uh a concrete uh document that provides
the basis of your
testimony and it is what the attorneys
uh the prosecutors The Defenders the
judges Etc are going to rely
upon up until the moment that you get on
the stand and even then right if you
testify about something that isn't in
your report then you may find yourself
in a very awkward position trying to
justify things and I can tell you that
anything that is not in the report is
automatically suspect so if you get on
the stand and you start talking about
something that occurs to you then is
really important but it's not included
in your notes uh or correction it isn't
in your report you can expect to get
cross-examined at length about that and
the inference is going to be you have to
prove that uh what you did was in fact
in there and it was correct and you are
reasonable in your belief and have a
reason why it was not in the original report
um some cynics would say okay well all
reports do is they provide the uh the
Rope for you uh for your hanging uh and
that's really not true all right um the
reality of it is your notes and your
reports really are your best friend on
the stand because in the end right they
provide you with a factual set of uh
information that you can utilize in your
testimony so that your testimony is
going to be correct
poor notes or a poor report requires
that you rely entirely on your memory
and your ability to think on your feet
and in a long testimony that can be uh
very problematic so a well-written report
may in many cases eliminate the need for
you to even testify or minimize the
amount of things that you are going to
have to testify about and so writing a
report well is really an important task
and it's not an easy task it's a hard
task in fact in the FBI it took most
people one to two years to qualify as an
examiner and then it took most examiners
about another two years to write really
good reports without
coaching um I would routinely along with
the supervisors uh who worked for me
read and critique every single report
that every examiner would write and the
particularly the new examiners I would
spend a lot of time talking to them and
I would virtually debrief them on almost
every exam that they wrote and the
issues would get smaller and smaller and
they they would get more and more
comfortable and the reports would get
better and generally after a year or two
they were to the point where I didn't
feel like I had to look at them with a
fine-tooth comb every single
time but that's having written several
dozen reports and uh and getting coached
in between so don't expect in the
context of a one-semester course to
master report writing but I'm certainly
going to do my best to train you as well
as I can in the time at
hand now one of the other things that is
a personal Quirk uh of me a sore point
for me is that a lot of the automated
tools like EnCase FTK uh ILook
ProDiscover produce what they call quote reports
what these are is nothing more or less
than a print out of the things that have
been done and observed uh using that
tool and they're useful but they're not
reports in the forensic sense they are
really a glorified form of notes and I
encourage you to use them as such a lot
of people will write their examiner
notes and in Old Days by hand but now
most of the time people do it
in a Word document uh but they will
produce at the end uh if they're using
one of these automated tools uh they
will produce a quote report from that
and attach that as part of their notes
and so it becomes uh a part of their
notes not the entirety of their notes
and it certainly is not their report
itself unfortunately I've seen some
lawyers particularly some prosecutors
that seem to love these printouts and
they tend to uh rely on them more more
than uh your notes or your uh report and
that's very dangerous for them and it's
a little bit dangerous for you as well
because first of all it presumes that
they really understand what they're
seeing there which in most cases frankly
isn't true uh most lawyers do not have
the ability to really interpret uh the
outputs uh from EnCase and FTK uh without
understanding uh the nuances of what it
may or may not be actually telling them
so it's a bad uh crutch for them and I
think in some cases it's because they
have not had examiners write really good
reports and so if you write a really
good report uh with appropriate
appendices they will be less inclined
to want to play with your printouts uh
and in any case I try to avoid giving
prosecutors the raw data if I can only
because they tend to make a mess out of
it so how do we go about writing a good
report well every organization you'll
ever work for will develop their own
format and they have their own style and
their own verbiage uh and uh and so you
will learn to write it however they want
to some degree you'll find that every
Professor will have you write reports a
little differently uh in in my program
we have tried to standardize it as as
best we can uh but there's always going
to be a certain amount of difference uh
there and that's just par for the
course but uh We've developed a format
uh specifically for training it's
understand that this is not necessarily
the best uh report format for
operational reports and real life cases
but for training purposes we've def
we've defined a report in six
parts the first is the examination or
validation tasking and then it's
followed up by what what we call the
forensic questions then our list of
steps taken our results our conclusions
and finally our opinions and I'm going
to go through each of these step by step
and explain what it is that they
mean this is just a screenshot of kind
of the format there uh the laboratory
number the date and the examiner's name
are par for the course and you just you
know what to fill in there the uh
exercise validation test or examination
pick whatever it is and the number for
it uh and put that in there then the
first section is examination or validation
tasking and this this is a narrative
section meaning that it's not it's a
series of sentences usually no more than
one or two
paragraphs and it is your description of
the requirements for this
case and what your examination goals are
and if there's any specific criteria
that uh your client wants you to to do
and the way we figure that out is we
require our submitter the contributor
the person that's giving us our report
or giving us the uh uh the evidence they
need to uh as part of their submission
tell us what it is and what it is they
want us to
do it's our job to look at that talk to
them and essentially put this into a
format that allows us to describe what
examination we're going to do and more
importantly it's going to help us Define
when our examination is
complete because one of the things that
we've learned the hard way and I've
certainly learned this the very hard way
that if you don't Define when you're
done with an examination you will never
get done it's much easier to start an
examination than it is to complete one
and if you don't know what complete
looks like then you are never going to
finish and so before you even start to
do the examination I tell my examiners
to write the validation or examination
tasking section so that you know what
the what done means and I take it one step
further you should communicate that
verbatim with your contributor and
saying okay this is my understanding of
what you want are we talking on the same
sheet of music so when I find this and
this and this we're done are you in
agreement with that and when you both
agree with it then you can start your
exam but if you start your exam before
you come to that agreement you can get a
third a halfway all the way through the
examination and the contributor says no
no no that's not what I wanted I wanted
something different that's not very
useful so to really focus the
examination make the examination as
efficient process as possible and at the
same time manage the expectations for
your customer so that your customer
gets what they think they're going to
get right you want to come up with a
good examination or validation
tasking now uh the tasking itself should
say who asked you to do the examination
what is or was their Authority or your
Authority and this is really important
because particularly in digital evidence
there are lots of uh parts of
evidentiary law that may require some
particular permission in order to do
something and so you need to be able to
demonstrate uh to the court when you
testify that you had the authority to do
whatever it is that you're doing now
that Authority can come from uh being a
law enforcement officer it can be from a
search warrant it can be from a court
order it could be from an employment
situation but you need to clearly
articulate what your Authority was to do that
examination and then what is it that
they asked you to do and this should be
in reasonably layman's terms uh anybody
that reads this report if they're a
lawyer or a judge ought to be able to go
okay I get what they were asked to do
this is not a time to to uh to bring out
your technical jargon and try to uh uh
to obfuscate things right it really is a
restatement of your examination goals if
you do an examination plan and that's
the subject of a a separate video uh but
if you have seen an examination plan or
if you've done one it really is a
restatement of the exam
goals its purpose is to frame what
you're going to do basically saying okay
here are the boundaries of what it is
that I'm trying to do and here's what
I'm trying to
accomplish most people just don't spend
enough time uh or effort on this and I
can tell you that the better you do at
writing your tasking the easier and more
efficient your examination process is
going to be and the more uh streamlined
and effective your report is going to be
and more effective your testimony is
going to be and most of all it's going
to tell you when you're done when you
have accomplished whatever the tasking
sets out you're done it's time to write the
report here's an example on 31 of 05
detective J Jon Jones from Tulsa Police
Department delivered a 3 and a half inch
Seagate hard drive serial number 1 123
45 detective Jones provided me with a
copy of the search warrant there's your
authority issued by Judge Sally Doe
authorizing the search of this hard
drive for information concerning the
manufacture possession or distribution
of controlled dangerous substances in
violation of Oklahoma statute
46913 and what they're saying here is
okay this is the kind of information I'm
looking for so if I'm if it doesn't help
me find information about manufacture
possession distribution and controlled
dangerous substances then I don't need to
look at it I'm not interested in it and
then the second part is Jones provided
the following summary of the case uh and
in that you're going to get some of the
names of the subjects the locations
perhaps the street name for the drugs uh
whatever they can give you that will
help you to search the hard drive to
find information that is probative in
this particular
case and then here's where you did your
negotiation with Detective Jones it says
detective Jones requested an examination
be conducted to identify and you list
the things that he wants you to identify
and again this goes back to the managing
expectations okay you want me to do an
examination of this for stuff about
drugs that's fine but specifically what
about drugs what about drugs in this
particular case you you really need to
refine this down for me and so you
negotiate this back and forth until you
and detective Jones agree on that last
statement and when you agree on that
last statement then you've got a good uh tasking
example we've had a whole separate
lecture uh on forensic questions and
we're going to go over them yet again on
this lecture because they are really
really important and they're important
for you to understand how to think about
uh conducting examinations and how to
construct forensic
examinations we learned about Inman and
Rudin's typology where they said they
talked about identification
classification individualization
Association and reconstruction well I'm
going to go back and I'm going to cover
them very briefly again but keep in mind
that at the end we're going to ask one
or more forensic questions in the Inman
and Rudin context right in this
identification classification
individualization Association
reconstruction format all right as
forensic questions to help us Define how
we're going to conduct our
examination now remember we talked about
identification it's basically what is it
and merely identifying something as
something is
sufficient um this this is uh is not
uncommon in a digital forensic
examination uh but uh sometimes it's a
little bit more complex than you might
think um it's really easy to identify
Word documents or spreadsheets or
databases or pictures and if that's all
that's required then that's
enough perhaps a a more um focused
example would be if we're asked to find
child pornography images
uh once you identify the photographs and
you recognize the content then it's
pretty straightforward you have uh
identified it although practically
speaking you really can't uh identify
child pornography per se because you're
not an expert in the identification of
children now it may be intuitively
obvious to you but that may not be
sufficient but being asked to find all
of the photographs involving naked
people uh that would be a pretty easy
and straightforward identification task
and so the Inman and Rudin uh forensic
question would be identify any
photographs involving you know flesh
tones um a couple other tasking might
involve any images involving sexual
content uh identify any references to
John Smith AKA Pocus pimp uh identify
invoice dated you know January 25th
these are specific things when you find
them uh that's all you have to do you're
not asked to do anything further other
than to identify
them practically speaking in digital
forensics that's pretty rare more often
than not what you're asked to do is some
combination of the classification and
individualization question and under
Inman and Rudin the idea is did these
things originate from a common source
and can we identify one or more objects as
being the same type of item
or as coming from a particular source to
the exclusion of all
others as an example word files are a
class we can
identify dozens hundreds tens of
thousands of Word files reliably because
we can classify them we have the the
software tools that we'll find every
Word file out there whether it has
a doc extension or not uh we can uh
classify them as a group now all Word
files don't come from the same source
and don't come from the same person etc
etc if you want to identify or
correction individualize A Word file the
only way that you can do that is by
running a mathematical algorithm called
a hash against it and if the hash value
of a file found on one computer matches
the hash value of a file found on
another computer or another piece of
media then you can say that those files
are identical to a mathematical
certainty and so they are
individualized and as a practical matter
um in fingerprints when we find uh a a
loop or an arch or whorl uh that's class
evidence but when we uh find minutia on
there that will allow us to identify
that against a known sample we can then
say that we've individualized that
fingerprint to this particular subject
to the exclusion of all others DNA we do
that for all intents and purposes
although the reality of it is that DNA
is not an exact match it's just an
extremely high statistical
probability bullets on the other hand uh
are at least to a visual uh certainty uh
a fairly exact match and you can
individualize them uh but as a practical
in the digital Arena we very often
classify uh documents or or files in
order to look for specific data and then
we look within that data uh to try to
find information of probative value
occasionally we will be given a known
file or some known data and ask to find
that in that same location or find that
in the in our evidence and in that case
we're using
individualization as an example if uh
you are investigating the theft of
intellectual property where some
computer code is alleged to have been
stolen by one of the programmers and you
can find the known code from the company
and then you uh look for that same code
on their computer and when you find that
same code uh then uh you have
individualized uh that code U and so
that's an individualization question in
the Inman and Rudin
Paradigm here's just a visual
examination uh of uh firearms and tool marks
and you can see that uh they are in fact
identical uh and therefore that's an individualization
um again our example you can find all
the word files on a computer that's a
classification question um and if you
can find the make model of serial number
of a camera used to take an image then
uh that would be an individualization
question uh it's pretty hard to do but
sometimes you get lucky uh and uh more
commonly we will take a set of known
files uh or more commonly a set of file
signatures hash signatures from a bunch
of known files and look for those on our
uh questioned computer the the one we're
doing the examination of and when we
find a match to the hash values then that's
individualization Association is the
third element of Inman and Rudin's
Paradigm and it the idea behind it is
that it connects a person to a crime
scene or two objects to the same crime
scene and it's based fundamentally on
Locard's uh exchange principle the
idea is that something transfers from
one direction to the other
direction and the value of that
Association is very often measured in a
probability weighed against the
uniqueness of the elements now if you
have in effect individualized evidence
then the probability is extremely high
on the other hand uh you can uh find a
number of relatively low uh probability
events and aggregate them and it becomes
more likely uh as a result of the multiple
elements uh examples of these are soils
and fibers and Glass and paint uh we're
finding uh a particular set of fibers uh
particular minerals and soil in one
location uh while individually they're
not rare the combination of them is uh
relatively unique so we very often want
to associate files with computers or
computers to networks or computers to
emails Etc and so we typically do that
using the metadata uh the connection
logs uh and that sort of thing
uh in our digital forensic
examinations this is just a visual on the
on fiber evidence of uh different stuff
um in our in a digital forensic
examination you might want to uh
determine if this computer is associated
with the email account Poca pimp at
on this machine uh to or from poke pimp
Etc determine if q1 which is a
particular USB drive was attached to
this computer you're going to do an
examination of the registry and see if
you can make that
determination uh determine if there's
any material on this uh computer that
was created by John Smith and keep in
mind that the John Smith is in quotes
because uh all you may be able to tell
is that it says it was created by John
Smith whether it was is actually the
Flesh and Blood John Smith is a
different question and therein lies one
of the most difficult uh of all the
association questions for digital
forensics uh unlike many of the other
forms of forensic uh evidence how do you
actually prove that a particular human
being was at the end of the keyboard and
as uh some of my colleagues will call it
is the uh nut behind the keyboard
problem now reconstruction is uh
something that's very common uh in
bombing cases uh you can see the TWA
uh 747 that blew up over the Atlantic
Ocean case a number of years ago like
all aircraft accidents they
reconstructed it uh particularly when
there's an explosion involved um but we
very often do the same uh thing in um
computer incidents particularly in
hacking cases and theft of intellectual
property in those sorts of cases and uh
so it answers the where when and how
questions and so we may put together uh
the computer's log files Etc in order to
determine what happened in what
order um the uh the Reconstruction
questions uh are
uh very commonly uh done in the context
of a
timeline uh and so in fact there are
some tools
uh like the autopsy browser that will
specifically create a timeline for you
uh but your tasking may be in Inman and
Rudin terms to determine the timeline
for the creation transmission receipt or
any subsequent Communications concerning
an extortion email received on January
26 2002 basically how did that email get
created and how did it get transmitted
and how did it get received and how did
it get on this particular piece of
media so when you look at the laboratory
report you see uh the second section
after you do the examination or
validation testing uh to put forensic
questions and unlike the examination
validation testing correction tasking
section which is a narrative section the
forensic question section are typically
listed as a set of bullet numbered
bullet points and they should be whole
sentences uh that typically uh uh
include the identification uh
classification individualization
Association or reconstruction terms
somewhere in that
sentence uh and so it's a succinct uh
forensic question and again once you've
answered all of those forensic questions
complete moving on to the steps taken um
this one uh seems so obvious but it
really isn't
the first thing to be said is that it's
not going to be everything that
you did and it may not even be exactly
in the order that you did it but it is
in the logical order that will yield the
results that you
obtained it's a matter of deciding what
you need to
uh say in order to uh in order for the
reader to understand what the result of
your process is and so this is
one that you're going to spend a lot of
time kind of playing around with and
adding and
editing um you don't want to set out
every step but you need to have enough
so that not only can you testify but
that somebody reading the report could
follow what you did follow your result
and would be able to go back to your
notes and go okay I see where they did
that particular
step one way to do it particularly for comp
examination is to do a flow diagram you
basically set up what you uh what you
did in blocks and then figure out what
the results are going to be for these
blocks and so put enough data in each of
those blocks that you uh can get to the
results that you want to report uh and
accordingly um again the steps taken are
a bulleted set of numbers each uh uh
item is a complete sentence uh subject
verb uh
punctuation um it uh is important to do
a couple things and not do a couple
other things one you need to have a
consistent way of representing things
like file names and uh computer programs
so if you're going to use a tool uh dd
all right you need to have some way
of distinguishing that dd is an
application that is a
program uh and that uh text.doc is
a file not a set of words and so a
typical way of doing that is by
italicizing and Bolding uh things what's
exactly how you decide to do it is not
the important part uh but it's important
that you do it and you do it a consistent
fashion the second thing is that um you
do not want to put screenshots in here
um and there's a good reason for that uh
but I'll just leave it at that do not
ever put screenshots in the steps taken
that's not what we do reports that's not
why you're doing the steps taken
um you normally will not put any of your
results in there
but you may put a summary for instance
uh did he search for Microsoft Word
files and found 5,280 of
them that's fine don't list the 5,280
here right uh don't put found the
smoking gun file called gun.doc um
don't do that you basically said did the
search and if you if it's useful to to
provide uh the uh some metrics for it or
whatever that's
fine um but realize that you don't want
to make this too complex but you want to
make it uh sufficiently detailed that
the reader or another examiner can go
through and go okay I see what they did
I see how they got it and when they move
down to the next section which is the
results they can go back and look at
each result and go okay that result came
from step four step five
whatever and here's an example uh and uh
uh notice that they're all sentences uh
and while there is some uh intermediate
results uh that's uh not in sufficient
detail uh to uh do anything except
case there's a lot of confusion between
steps taken and results results are just
that it is the outcome it is what
happened it the steps taken
uh May report raw data more likely
aggregate data all right but the actual results
themselves need to be reported in the results
section and this can take a fair amount
of organization and structure this is
perhaps the area where uh you spend a
lot more time figuring out how to
textually and visually organize the
information that you want to
report um it needs to be as succinct but
at the same time
clear um it needs to have some narrative
because you're really explaining to people
what you've got where it came from and
somewhat what it means or what the
limitations are on its
interpretation but you want to keep it
organized and very often you have lots
of bits and pieces a lot of different
files and that sort of thing and tables
are very useful for that kind of uh of
reporting and so uh there's a great deal
to to plan out with regard to that you
know this is a very simple uh one here
uh but uh there were 26 graphic files
identify which appear to be children
they've been placed on a CD ROM Mark UCF
provided the
contributor well that's uh okay but you
probably wanted to do something a lot more
extensive uh you can number uh you can uh
do numbered bullets you can do sections and
subsections and you can include tables
organizing this is up to you but again
it's you need to put the actual data in
there but at the same time you need to
organize it excuse
me uh in the de directory c/ documents
and settings Roger marks my docs a set
of files which constitute a website was
located these files when viewed in a web
browser advertising sale of chemicals
used the cocaine used in cocaine
processing was located the website's
metadata indicated the site was
developed by use of Microsoft Office
publisher a copy of which was
installed you can see that you're
providing raw data but at the same time
you're also providing some
context and here's an example of using
tables in there and here's the files
that you found and the file created
modified and last access
time conclusions and opinions these are
two separate
sections not only are conclusions and
opinions two different things but they
really have two different levels of
proof in the case of conclusions what
you're essentially reporting are
scientific facts there are things that
you can demonstrate based upon your
results that to a reasonable certainty
uh could only have occurred in the way
that you
report on the other hand uh opinions are
based in part about
experience and so if there are
alternative explanations for how
something might have happened then it is
probably an
opinion if it's provable then it's a
conclusion one bad thing to do is to
make investigative conclusions well I
think the investigator ought to do this
or you know I think the bad guy did it
those are investigative conclusions and
have no basis uh in scientific fact and
so they shouldn't be in your report at
all um and so conclusions are scientific
conclusions and opinions are opinions
based upon the science and the
experience and training and education of the
examiner and obviously this is where
they go and uh here's an example uh
based on a comparison of the website
located these two sites are Iden
all right that's a statement of
conclusion that's a
conclusion this conclusion is based upon
the file names the sizes mathematical
signature and direct comparison in
digital files that forms the basis of
your conclusion the data is these files
your conclusion is that these are in
fact identical and the basis of your
conclusion is because you did the
following things and gives you this result
are there any uh alternative
explanations for this not really um and
conclusion now opinions on the other
hand uh are a little bit
fuzzier now an example in this
particular case is based on the
examination of the subject's computer
the internal clock the dates of times
etc etc it is my opinion that the
subject's computer is most likely the
source of the email received by the cooperating
witness that leaves the door open the
fact that are there alternative ways
that these things could have happened
and the answer is
yes and so as as a result it's fine to
put the the opinion but you still need
to provide the basis of that opinion
which is all this data that you outline
in this uh example and uh while you
don't have to list the alternative
explanations uh kind of unspoken is the
notion is that there are alternative
explanations and so you probably may
want to record uh what you think some of
the alternative explanations might be in
your notes uh just so that you remember
why you put it in an opinion instead of
a conclusion uh 3 years after you uh
report remember the forensic questions
are based on the tasking and the tasking
is based upon your negotiation with the
contributor the steps taken are driven
by those forensic questions pretty much
the forensic questions will lead you to
to say this is what I need to do in
order to conduct my examination and to
get the results that I need the results
are the data that are obtained from your
doing the steps uh that you did and the
steps taken the conclusions are the
scientific facts that you draw from the
data that you got in your results the
opinions are logical inferences from the
data in your results in your opinions
and uh provide for a um reasonable
belief by the examiner rather than a scientific
fact report writing is an art it takes
lots of time and experience it requires
careful consideration of all the issues
technical and legal you're going to need
edit and re-edit and rewrite time and time
again you need to keep in mind that
whatever you finally submit you are
going to have to live with on the stand
there are no do-overs in this
case and so always from the beginning of any
examination think about uh it with the
end in mind think about everything that
you do how am I going to put this in my
report how am I going to explain this in
my report how am I going to testify
well that's it for this lecture and so I
hope you've enjoyed it and I hope you've
gotten something out of it until next
time have a good day [Music]