Providing Clarity in the Face of Adversity - Digital Forensics Reports
“If you did not document it, it did not happen” is a doctrine followed diligently by digital forensic investigators worldwide. This blog post discusses the importance of documentation in a forensic investigation and provides best practices for writing reports.
What is a report?
A digital forensics report is a formal document that records what the investigator found: the evidence examined, the analysis performed, and the chain of events that led to the incident under investigation. It is typically handed over to the client once the investigation is complete.
What information should a digital forensics report contain?
A good digital forensic report must be written in formal language with correct grammar. The following sections document the proceedings of the investigation:
Executive Summary: This section is typically a high-level overview of the entire investigation without much technical jargon.
Background Study: This section includes any background information relevant to the investigation. Content in this section will help anyone understand the facts described in the upcoming sections.
Investigation Steps: This section provides a detailed account of the investigation. Any assumptions made before the investigation commenced are outlined here. The methodology and the tools used in the digital forensic process (including their versions) are described here, so that another examiner can reproduce the steps. Screenshots of crucial artifacts identified in the evidence are presented in this section.
Inferences: Based on the critical artifacts, inferences are drawn. This section ties the facts together and presents the investigator's conclusions; each conclusion should be traceable to the artifacts shown in the previous section.
Limitations: Any limitations encountered during the course of the investigation are specified.
Timeline of Events: A timeline is a table or a graph that depicts the events that led to the incident, each with its timestamp. Timestamps are the holy grail of digital forensics: they pinpoint ‘when’ an event occurred. Record the source of every timestamp and normalise all of them to a single time zone (UTC is the usual choice), because artifacts from different systems record time in different formats and zones, and a timeline that mixes them will order events incorrectly.
Suggested Remediations: In this section, recommendations are made to help recover from the incident and prevent a similar incident in the future.
References: This section lists any additional reading material relevant to the investigation.
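The timeline section above is the one part of a report that is routinely assembled from machine data. As an added example (not part of the original post), the Python script below builds such a timeline from timestamps recorded in three common native formats (ISO 8601 with a UTC offset, Unix epoch seconds, and Windows FILETIME), normalises each to UTC, sorts the events, and renders a table ready for a report appendix. The sample events, source names and values are constructed for illustration and do not come from any real investigation.

```python
"""Build a UTC-normalised timeline from timestamps stored in different native formats.

Added example, not from the original post. All sample events below are constructed
for illustration; the sources and values do not describe any real case.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Event:
    when: datetime      # timezone-aware UTC after normalisation
    source: str         # the artifact the timestamp was taken from
    description: str


def from_iso(value: str) -> datetime:
    """ISO 8601 with an explicit offset, e.g. '2023-05-02T09:15:00+02:00'.

    A timestamp without an offset is ambiguous, so it is rejected rather than
    silently assumed to be UTC or local time.
    """
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp lacks a UTC offset: {value!r}")
    return dt.astimezone(timezone.utc)


def from_unix(seconds: int | float) -> datetime:
    """Unix epoch seconds (common in Linux and web-server logs); the epoch is UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def from_filetime(filetime: int) -> datetime:
    """Windows FILETIME (NTFS $MFT, registry, event logs): 100 ns ticks since 1601."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def build_timeline(events: list[Event]) -> list[Event]:
    """Return the events ordered by their UTC timestamp, earliest first."""
    return sorted(events, key=lambda e: e.when)


def render(events: list[Event]) -> str:
    """Render the timeline as a fixed-width table for the report."""
    lines = [f"{'UTC timestamp':<20} {'Source':<18} Event"]
    for e in events:
        stamp = e.when.strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{stamp:<20} {e.source:<18} {e.description}")
    return "\n".join(lines)


# Constructed sample: one intrusion seen through three artifacts, each recording
# time in its own format and zone, listed deliberately out of order.
SAMPLE_EVENTS = [
    Event(from_unix(1683013500), "Linux auth.log", "SSH login from unfamiliar address"),
    Event(from_iso("2023-05-02T09:15:00+02:00"), "Web proxy (CEST)", "Phishing link clicked"),
    Event(from_filetime(133274856000000000), "NTFS $MFT", "dropper.exe created in %TEMP%"),
]

if __name__ == "__main__":
    print(render(build_timeline(SAMPLE_EVENTS)))
```

Once every timestamp is in UTC the proxy click (09:15 CEST) correctly precedes the file creation (07:20 UTC) and the SSH login (07:45 UTC), which the raw local-time values alone would not have shown. Keep the original native value alongside the normalised one in your working notes so the conversion itself can be checked.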
Why write reports?
The main purpose of writing a digital forensic report is to present the findings of an investigation in an understandable manner. Document each finding as you work your way through the investigation; during the report-writing phase, those findings can then be included in the report together with the context around them.
In some cases, the entire investigation may be handed over to another party. In that situation, any findings that you have documented may be useful for the new team to carry the investigation forward. It saves time by not having to repeat forensic tasks.
Sometimes, you may need to refer to the findings from an older investigation. A well-documented report would come in handy then.
Record in the report every finding that you consider relevant to the investigation. The report is the proof that the event was observed and recorded.
A final word about reports
Apart from being able to perform technical tasks, a good forensic investigator must also have the ability to generate clear, concise reports following an investigation. A good report serves as a validation of the investigative work performed.
You can create standard templates that are ready to use during an investigation. It would be a good idea to get into the habit of taking screenshots and documenting your work, so that generating reports during a forensic investigation comes naturally to you!
Want to learn practical Digital Forensics and Incident Response skills? Enrol in MCSI’s MDFIR - Certified DFIR Specialist Certification Programme