Scribd Logo
Upload

Welcome to Scribd!

  • Intro To Report Writing For Digital Forensics - SANS Institute

    Uploaded by

    hemanth.k.raju2982
    647 views4 pages
    People who are interested in forensics.

    Original Title

    Intro to Report Writing for Digital Forensics _ SANS Institute

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    People who are interested in forensics.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    647 views4 pages

    Intro To Report Writing For Digital Forensics - SANS Institute

    Uploaded by

    hemanth.k.raju2982
    People who are interested in forensics.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 4

    6/3/2016

    SANSDigitalForensicsandIncidentResponseBlog|IntrotoReportWritingforDigitalForensics|SANSInstitute

    SANS Digital Forensics and Incident


    Response Blog
    25Aug2010

    Intro to Report Writing for Digital Forensics


    (/blog/2010/08/25/intro-report-writing-digitalforensics#)
    11comments(/blog/2010/08/25/introreportwritingdigitalforensics#comments)PostedbyBrad
    Garnett(/blog/author/BradGarnett)
    FiledunderComputerForensics(/blog/category/computerforensics),Reporting
    (/blog/category/reportingcomputerforensics)
    Soyou'vejustcompletedyourforensicexaminationandfoundthatforensicgemorsmokinggunin
    yourcase,sohowdoyouproceed?Dependingonwhereyoufallasaforensicator(e.g.,law
    enforcement,intelligence,criminaldefensework,incidentresponse,ediscovery)youwillhaveto
    reportyourfindings.Foremost,findoutwhattypeofworkproductyouaregoingtoberequiredto
    producetotheclient,attorney,etc.Thiswillbeyourguideforcompletingyourreport.Whilethereport
    writingpartofthedigitalforensicexaminationprocessisnotasfunastheforensicanalysis,itisa
    veryimportantlinkinthechainasDaveHullsummedituphere
    (http://twitter.com/davehull/status/19998988426)inatweet.
    Asdigitalforensicexaminers/analysts,wemustreportandpresentourfindingsonaverytechnical
    disciplineinasimplisticmanner.Thatmaybetoasupervisor,client,attorney,etc.oreventoajudge
    andjurywhowillreadandinterpretyourreportafterithasbeencrossexamined.Areyoupreparedto
    explainyourfindings?Whenthecasegoestotrialandyouarecalledupontotestifyayearormorein
    thefuturewillyoubeabletorememberthecasebasedsimplyfromthedetailsyouincludedinyour
    report?
    You'veprobablyfoundyourselfatsomepointdivingrightintoanexam,completingyourforensic
    analysisandtheoreticallygoingbacktothebeginningoftheexamwhenitcomestimetobeginyour
    reportbecausethelackofnotetakingduringtheforensicexamination.Asolidforensicexamination
    requiresdetailednotesalongtheway.Whatexactlyaregoodnotes?Takingscreenshots,
    bookmarkingevidenceviayourforensicapplicationofchoice(EnCase,FTK,XWaysForensics,etc.),
    usingbuiltinlogging/reportingoptionswithinyourforensictool,highlightingandexportingdataitems
    into.csvor.txtfiles,orevenusingadigitalaudiorecordervs.handwrittennoteswhennecessary.Jim
    O'Gorman(https://blogs.sans.org/computerforensics/author/elwood/)providessomegoodtipsfor
    takinggoodnotesduringadigitalforensicexamination(https://blogs.sans.org/computer
    forensics/2009/01/02/ncsvsdrn%E2%80%93takingnotes/).AsJimdiscusses,thereisnowrong
    waytotakenotes,norastandard.Everyexaminerapproachesthenotetakingprocessdifferently,
    theimportantpieceistodocument,document,document.Themorenotesyoutake,theeasieryour
    reportwillbetoprepareandfinalize.Speakingofnotes,JoeGarciahasprovidedanexcellentreview
    andwalkthroughofusingCaseNotesduringdigitalforensics(https://blogs.sans.org/computer
    forensics/2010/08/19/digitalforensicsreportingcasenoteswalkthroughreview/).
    https://digitalforensics.sans.org/blog/2010/08/25/introreportwritingdigitalforensics

    1/9

    6/3/2016

    SANSDigitalForensicsandIncidentResponseBlog|IntrotoReportWritingforDigitalForensics|SANSInstitute

    Nowwetakeourdetailednotestocompletetheforensicreporttotellthestoryofwhatthepresence
    orabsenceofthedigitalartifactindicates,regardless,ifitisinculpatoryorexculpatoryinnature.Your
    reportmayincludesomethingsimilaroraslightlydifferentflavorto:anoverview/casesummary,
    forensicacquisition&exampreparation,findingsandreport(i.e.,forensicanalysis),andaconclusion.

    Overview/Case Summary
    Example:
    1.Ontoday'sdate,JohnDoecontactedmyofficeinregardstoimagingastolenlaptopcomputer
    runningWindowsXPProfessionalthathadbeenrecovered.Doeisrequestingaforensic
    examinationtoseewhatcompanydocumentsmayhavebeenstolenbythesuspect(s)andis
    requestingafullforensicexaminationandreportforpossiblecriminalcharges&civillitigation.
    Thissectionwillvaryinlength.Youwillincludeanyrelevantinformationregardingwhatledtoyouas
    theforensicexaminer/analystbecominginvolvedwiththedigitalevidence.Youmaybejustreceiving
    theforensicimageandsomeoneelseconductedtheforensicacquisitionandthisisagoodplaceto
    documentthatasthiswillcorrelatewithyourchainofcustodyinformationthatyouimmediately
    startedonceyoucameintocontactwiththedigitalevidence.Remember,thisisanoverviewanda
    summaryofhowthecasewasinitializedandwhereyouastheexaminer/analystbecameinvolved.

    Forensic Acquisition & Exam Preparation


    Example:
    1.Ontoday'sdateIbegantheforensicacquisition/imagingprocessofthestolenlaptop.Priorto
    imagingthestolenlaptop,Iphotographedthelaptop,documentinganyidentifiers(e.g.,make,
    model,serial#),uniquemarkings,visibledamage,etc.whilemaintainingchainofcustody.
    2.Usingasterilestoragemedia(examinationmedium)thathadbeenpreviouslyforensically
    wipedandverifiedbythisexaminer(MD5hashvalue:ed6be165b631918f3cca01eccad378dd)
    usingABCtoolversion1.0.TheMD5hashvaluefortheexaminationmediumyieldedthesame
    MD5hashvalueaspreviousforensicwipestosterilizethismedia.
    3.Atthispoint,Iremovedtheharddrivefromthestolenlaptopandconnectedittomyhardware
    writeblocker,whichisrunningthemostrecentfirmwareandhasbeenverifiedbythis
    examiner.Afterconnectingthehardwarewriteblockertothesuspectharddrive,Iconnected
    thehardwarewriteblockerviaUSB2.0tomyforensicexaminationmachinetobeginthe
    forensicimagingprocess?
    4.Etc,etc.
    Thissectionisveryimportant,asyoumustdetailyourinteractionwiththedigitalevidenceandthe
    stepstakentopreserveandforensicallyacquiretheevidence.Anyadditionalstepsthatyoutake(e.g.
    forensicallywipingstorage/examinationmedia,etc.)shouldbenotatedinthissectionofyourreport.
    Remember,thissectionofyourreportisusuallywhereyouastheexaminer/analystcameintocontact
    withthedigitalevidenceandthoroughlydocumentingwhatyouhavedoneisveryimportanttothe
    integrityofthedigitalevidenceandyourchainofcustody.
    Examiner'sTip:Youshouldhaveadigitalcamerainyourforensictoolkit.Takeapictureofthe
    evidenceanddocumenteachstepoftheforensicacquisitionandpreparationprocess.Regardless,if
    youincludethepictureinyourreportorasanexhibit,thispictureisaperfectfieldnoteforyouasthe
    examinertoreferencewhencompletingyourreport.
    https://digitalforensics.sans.org/blog/2010/08/25/introreportwritingdigitalforensics

    2/9

    6/3/2016

    SANSDigitalForensicsandIncidentResponseBlog|IntrotoReportWritingforDigitalForensics|SANSInstitute

    Youwillalsoneedtoincludethatyouverifiedyourforensicimageandnotatethehashvalues
    (e.g.,MD5,SHA1).
    Youwillalsoneedtobrieflydescribetheprocessyouusedwhenmakingaworkingcopyfrom
    theforensicimageoftheoriginalevidence.

    Findings and Report (Forensic Analysis)


    Example:
    1.AftercompletingtheforensicacquisitionofthestolenlaptopIbegananalyzingtheforensic
    imageofthestolenlaptopwithForensicTool
    2.Iusedthefollowingtoolsforforensicanalysis,whicharelicensedtothisexaminer:
    GuidanceSoftware'sEnCase6.17
    SANSInvestigativeForensicToolkit(SIFT)Version2.0
    InternetEvidenceFinderv3.3
    RegRipperbyHarlanCarvey
    MicrosoftExcel2007
    3.AreviewoftheInternethistoryusingInternetEvidenceFinder,thefollowingdatawas
    recoveredfromsector117004,whichshowsaFacebookemailbetweenJohnDoeandJane
    Doe.FurtheranalysisshowsthataJohnDoeloggedintohisGoogleMailaccount.See
    screenshotsbelow:
    EmailbetweenJohnDoeandJaneDoe.

    (https://blogs.sans.org/computerforensics/files/2010/08/Image1.png)
    (https://blogs.sans.org/computerforensics/files/2010/08/Image1.png)JohnDoeloggingintoGoogle
    Mailaccount.

    https://digitalforensics.sans.org/blog/2010/08/25/introreportwritingdigitalforensics

    3/9

    6/3/2016

    SANSDigitalForensicsandIncidentResponseBlog|IntrotoReportWritingforDigitalForensics|SANSInstitute

    (https://blogs.sans.org/computerforensics/files/2010/08/Image2.png)
    Thisisthemostdetailedsectionofyourinvestigation.Youwillincludeallartifactsthatyoufindduring
    youranalysisrelatingtothecase.
    Examiner'sTip:Averygoodpracticewhenyouareincludingyourevidenceintoyourreportisto
    includehyperlinkswithinyourreporttolinktopictures,documents,etc.Makesureyoutestand
    validatethatthehyperlinksworkproperlysowhenyourreportisbeingreviewed,thereadercan
    navigateeasilytotheevidencethatyouareincludinginyourreport.

    Conclusion
    Inthissection,youarebasingyourconclusionofftheforensicevidence.Remember,thegoalofthe
    forensicexaminationistoreportthefacts,regardlessiftheevidenceisinculpatoryorexculpatoryin
    nature.Asuccessfulforensicexaminationisonethatisverythoroughandoneinwhichyou"leaveno
    stoneunturned".InthescenariothatIprovidedusingarecoveredstolenlaptop,whatelsemightyou
    includebesidesemailandbrowserforensicsinyouranalysistoputthesuspectinpossessionandat
    thekeyboardofthestolenlaptop?WhataboutregistryanalysistoseewhatIPaddressesthe
    machineconnectedtointheSYSTEMhive:\CurrentControlSet\Services\{Adapter}\Parameters\Tcpip
    key?Whereelsewouldyoulookandwhatwouldyoulookfor?
    Thispostisforinformationalpurposesandaguideforthenewforensicexaminer.Yourreportwill
    varyinlengthandformat.Aforensicexaminationreportcouldbejustafewpagesinlengthormaybe
    20+pages,dependingonthetypeofcase,department/companyexpectations,andpolicy&
    procedure.
    Mr.BradGarnett,CCE,GCFAisacomputerforensicexaminerandlawenforcementofficer.Youcan
    followBradonTwitter@bgarnett17(http://www.twitter.com/bgarnett17)andhisblogat
    www.computerforensicsource.com(http://www.computerforensicsource.com)
    Permalink(/blog/2010/08/25/introreportwritingdigitalforensics)|CommentsRSSFeed
    (/blog/2010/08/25/introreportwritingdigitalforensics/feed)Postacomment|TrackbackURL
    (/blog/2010/08/25/introreportwritingdigitalforensics)
    11 Comments

    https://digitalforensics.sans.org/blog/2010/08/25/introreportwritingdigitalforensics

    4/9

    You might also like