SANS Digital Forensics and Incident Response Blog | Intro to Report Writing for Digital Forensics | SANS Institute
6/3/2016
Now we take our detailed notes and complete the forensic report, which tells the story of what the presence or absence of the digital artifact indicates, regardless of whether it is inculpatory or exculpatory in nature. Your report may include something similar to, or a slightly different flavor of: an overview/case summary, forensic acquisition & exam preparation, findings and report (i.e., forensic analysis), and a conclusion.
Overview/Case Summary
Example:
1. On today's date, John Doe contacted my office regarding the imaging of a stolen laptop computer running Windows XP Professional that had been recovered. Doe is requesting a forensic examination to see what company documents may have been stolen by the suspect(s), and is requesting a full forensic examination and report for possible criminal charges & civil litigation.
This section will vary in length. You will include any relevant information regarding what led to you, as the forensic examiner/analyst, becoming involved with the digital evidence. You may be just receiving the forensic image because someone else conducted the forensic acquisition; this is a good place to document that, as it will correlate with the chain of custody information that you immediately started once you came into contact with the digital evidence. Remember, this is an overview and a summary of how the case was initiated and where you as the examiner/analyst became involved.
Forensic Acquisition & Exam Preparation
You will also need to include that you verified your forensic image and note the hash values (e.g., MD5, SHA1).
You will also need to briefly describe the process you used when making a working copy from the forensic image of the original evidence.
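The two items above, verifying the image hashes and proving the working copy is identical, are the part of this section a reviewer will check most closely, so it is worth scripting rather than doing by hand. The following is an added example written for this page, not code from the SANS post or from any forensic tool: it computes MD5, SHA-1 and SHA-256 of an image in one pass, compares them with the values you copied from the acquisition worksheet, checks a working copy the same way, and emits a JSON chain-of-custody line you can paste into the report. The file names, examiner name and the 16 KiB stand-in "image" in `demo()` are constructed for the demonstration.

```python
"""Verify a forensic image against its acquisition hashes and record the
result for the chain of custody.  Added example; not from the SANS post."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # read the image 1 MiB at a time; real images do not fit in memory


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """One pass over the file, feeding every requested digest at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected):
    """Compare the digests you compute with those noted at acquisition.

    expected: {"md5": "...", "sha1": "..."} as copied from the acquisition
    worksheet.  Every listed algorithm must match; comparison ignores case."""
    computed = hash_file(path, tuple(expected))
    mismatches = {
        alg: {"expected": expected[alg], "computed": computed[alg]}
        for alg in expected
        if expected[alg].lower() != computed[alg].lower()
    }
    return {"path": str(path), "computed": computed,
            "verified": not mismatches, "mismatches": mismatches}


def custody_entry(result, examiner, action):
    """A chain-of-custody line ready to append to the case log (JSON lines)."""
    entry = {"timestamp": datetime.now(timezone.utc).isoformat(),
             "examiner": examiner, "action": action}
    entry.update(result)
    return json.dumps(entry, sort_keys=True)


def make_working_copy(image, copy, expected):
    """Copy the verified image, then prove the copy matches the same hashes."""
    shutil.copyfile(image, copy)
    return verify_image(copy, expected)


def demo():
    """Constructed walk-through: a tiny stand-in 'image', hashes that stand in
    for the acquisition worksheet, a working copy, and a tampered copy."""
    work = Path(tempfile.mkdtemp(prefix="case-"))
    image = work / "laptop.dd"
    image.write_bytes(bytes(range(256)) * 64)            # 16 KiB of fake disk data
    acquisition_hashes = hash_file(image)                 # what the imager recorded
    original = verify_image(image, acquisition_hashes)
    working = make_working_copy(image, work / "laptop_working.dd", acquisition_hashes)
    damaged = bytearray(image.read_bytes())
    damaged[4096] ^= 0xFF                                 # a single flipped byte
    (work / "laptop_bad.dd").write_bytes(damaged)
    tampered = verify_image(work / "laptop_bad.dd", acquisition_hashes)
    log_line = custody_entry(original, "A. Examiner", "verified image hashes")
    shutil.rmtree(work)
    return original, working, tampered, log_line


if __name__ == "__main__":
    for r in demo()[:3]:
        print(r["path"], "VERIFIED" if r["verified"] else "MISMATCH", r["mismatches"])
```

Record every algorithm you computed, not just the one the acquisition worksheet lists: MD5 and SHA-1 are what older imaging tools wrote down, but both have practical collision attacks, so adding SHA-256 to the report costs nothing and removes an easy line of cross-examination. The single flipped byte in the tampered copy is there to show that any one mismatching algorithm is enough to fail verification.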
Image 1 (https://blogs.sans.org/computerforensics/files/2010/08/Image1.png): John Doe logging into Google Mail account.
https://digitalforensics.sans.org/blog/2010/08/25/introreportwritingdigitalforensics
Image 2 (https://blogs.sans.org/computerforensics/files/2010/08/Image2.png)
Findings and Report (Forensic Analysis)
This is the most detailed section of your investigation. You will include all artifacts that you find during your analysis relating to the case.
Examiner's Tip: A very good practice when you are including your evidence in your report is to include hyperlinks within your report that link to pictures, documents, etc. Make sure you test and validate that the hyperlinks work properly, so that when your report is being reviewed the reader can navigate easily to the evidence that you are including in your report.
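Testing the hyperlinks by clicking through a 20-page report is error-prone, and a dead exhibit link found by opposing counsel is worse than one found by you. The script below is an added example for this page, not code from the SANS post: it pulls every `href="..."` (HTML) and `[text](target)` (Markdown) link out of the report, resolves local targets relative to the report file, and classifies each as ok, missing, an in-document anchor, or an external http(s) link it lists but does not fetch, since the check is meant to run offline on the examination workstation. The case folder, exhibit names and report text in `demo()` are constructed.

```python
"""Validate the hyperlinks in a forensic report before it goes out.
Added example; not from the SANS post."""
import re
import shutil
import tempfile
from pathlib import Path
from urllib.parse import unquote, urlparse

# href="..." / href='...' in HTML, or ](...) in Markdown
LINK_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']|\]\(([^)\s]+)\)', re.IGNORECASE)


def extract_links(text):
    """Links in document order; each regex match fills exactly one group."""
    return [html or md for html, md in LINK_RE.findall(text)]


def check_links(report_path, text=None):
    """Return [(link, status, resolved_path)] with status one of
    "ok", "missing", "anchor", "external", "unsupported"."""
    report_path = Path(report_path)
    if text is None:
        text = report_path.read_text(encoding="utf-8")
    base = report_path.parent
    results = []
    for link in extract_links(text):
        parsed = urlparse(link)
        if parsed.scheme in ("http", "https"):
            results.append((link, "external", None))          # not fetched: offline check
            continue
        if parsed.scheme == "file":
            target = Path(unquote(parsed.path))
        elif parsed.scheme == "" or len(parsed.scheme) == 1:   # relative path, or a Windows drive letter
            if not parsed.path:                                # "#section": in-document anchor
                results.append((link, "anchor", None))
                continue
            target = Path(unquote(link.split("#", 1)[0]))
            if not target.is_absolute():
                target = base / target
        else:
            results.append((link, "unsupported", None))        # mailto:, ftp:, ...
            continue
        results.append((link, "ok" if target.exists() else "missing", str(target)))
    return results


def demo():
    """Constructed case folder: one linked exhibit exists, one was never
    copied into the folder, one link is external, one is an anchor."""
    case = Path(tempfile.mkdtemp(prefix="report-"))
    (case / "exhibits").mkdir()
    (case / "exhibits" / "Image1.png").write_bytes(b"\x89PNG fake exhibit")
    report = case / "report.html"
    report.write_text(
        '<p>Login captured: <a href="exhibits/Image1.png">Exhibit 1</a></p>\n'
        '<p>Registry export: <a href="exhibits/system_tcpip.txt">Exhibit 2</a></p>\n'
        '<p>Reference: <a href="https://blogs.sans.org/computerforensics/">SANS DFIR blog</a></p>\n'
        '<p>See the <a href="#conclusion">conclusion</a>.</p>\n',
        encoding="utf-8",
    )
    results = check_links(report)
    shutil.rmtree(case)
    return results


if __name__ == "__main__":
    for link, status, resolved in demo():
        print(f"{status:<11} {link}  ->  {resolved}")
```

Run it against the report as it sits in the case folder you will actually deliver (or burn to media), because links that resolve on your workstation's absolute paths routinely break once the folder moves; any "missing" entry means the report is not ready, and the "external" entries are a reminder to decide whether the reviewer will even have network access.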
Conclusion
In this section, you base your conclusion on the forensic evidence. Remember, the goal of the forensic examination is to report the facts, regardless of whether the evidence is inculpatory or exculpatory in nature. A successful forensic examination is one that is very thorough and one in which you "leave no stone unturned". In the scenario that I provided using a recovered stolen laptop, what else might you include besides email and browser forensics in your analysis to put the suspect in possession of, and at the keyboard of, the stolen laptop? What about registry analysis to see what IP addresses and networks the machine was configured on (assigned IP address, DHCP server, default gateway), recorded in the SYSTEM hive under the \CurrentControlSet\Services\{Adapter}\Parameters\Tcpip key? Note that in an exported SYSTEM hive there is no CurrentControlSet key; it is a link that exists only on a live system, so read the Select key's Current value and examine the matching ControlSetNNN. Where else would you look and what would you look for?
This post is for informational purposes and a guide for the new forensic examiner. Your report will vary in length and format. A forensic examination report could be just a few pages in length or maybe 20+ pages, depending on the type of case, department/company expectations, and policy & procedure.
Mr. Brad Garnett, CCE, GCFA is a computer forensic examiner and law enforcement officer. You can follow Brad on Twitter @bgarnett17 (http://www.twitter.com/bgarnett17) and his blog at www.computerforensicsource.com (http://www.computerforensicsource.com).