Module L - Investigative Reports
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Dubai Fund Boss Faces Investigation-Reports
Source: http://www.reuters.com/
News: Market Investigation Report on China’s Tyre Industry, 2008 out Now
Source: http://www.marketwatch.com/
Module Objective
This module will familiarize you with:
• Need of an investigative report
• Report specifications
• Report classification
• Layout of an investigative report
• Guidelines for writing a report
• Use of the supporting material
• Importance of consistency
• Salient features of a good report
• Investigative report format
• Sample forensic report
• Best practices for investigators
• Writing a report using FTK
Module Flow
Report Specifications
Layout of an Investigative Report
Importance of Consistency
Need of an Investigative Report
Investigative Report Format
Salient features of a good Report
Guidelines for Writing a Report
Use of Supporting Material
Report Classification
Sample Forensic Report
Best practices for Investigators
Writing Report using FTK
Computer Forensic Report
A computer forensic report provides detailed information on the complete computer forensics investigation process.
An investigative report should:
• Explain how the incident occurred
• Be technically sound and clear to understand
• Be properly formatted with page and paragraph numbers for easy referencing
• Provide unambiguous conclusions, opinions, and recommendations supported by figures and facts
• Adhere to the local laws of the land so that it is admissible in court
• Be submitted in a timely manner
Computer Forensics Report Template
Objectives:
• Date and time the incident allegedly occurred
• Date and time the incident was reported to agency personnel
• Name of the person or persons reporting the incident
• Date and time the investigation was assigned
• Nature of the claim and information provided to the investigator
• Location of evidence
Summary:
• Case number
• Name and social security number of the author, investigators, and examiners
• Why was the investigation undertaken?
• List of significant findings
• Signature analysis
Computer Forensics Report Template (cont’d)
• List of the collected evidence
• Collection of evidence
• Preservation of evidence
• Initial evaluation of the evidence
• Investigative techniques
• Analysis of the computer evidence
• Relevant findings
• Supporting expert opinion
Other supporting details:
• Attacker methodology
• User applications
• Internet activity
• Recommendations
Report Format Specifications
PDF is the preferred format for digital reports
Do not file a report directly with the court
A definition of the goal or mission is a must
Order of writing should match the development of the case
Use of outline or arrangement is suggested
Keep a copy of the report
Report Classification
• Verbal formal report: a structured verbal report delivered under oath to a board of directors, managers, or a panel of jury
• Verbal informal report: a verbal report that is less structured than a formal report and is delivered in person, usually in an attorney’s office or police station
• Written formal report: a written report sworn under oath, such as an affidavit or declaration
• Written informal report: an informal or preliminary report in written form
Layout of an Investigative Report
You can choose the numbering structure from two layout systems:
• Decimal numbering system
• Legal-sequential numbering system
Include signposts:
• To clearly communicate the information
• To draw the reader’s attention to a point
Present the text accurately
Maintain a proper document style throughout the text
Layout of an Investigative Report (cont’d)
• Provide supporting material: figures, tables, data, and equations
• Explain methods: how you have studied the problem
• Include data collection
Layout of an Investigative Report: Numbering
Decimal numbering structure:
• Divides the text into sections
• Readers can scan the headings
• Readers can identify how the parts relate to each other
Legal-sequential numbering:
• Used in pleadings
• Roman numerals represent major aspects
• Arabic numbers are supporting information
Guidelines for Writing a Report
Avoid jargon, slang, or colloquial terms
Define acronyms and abbreviations
Check grammar and spelling
Writing should be concise
Do not make any assumptions
Do not identify any leads
Double-check media findings
Write theoretical questions based on factual evidence
Report must support your opinion
Write opinions based on knowledge and experience
Use of Supporting Material
Use figures, tables, data, and equations as supporting material
Number figures and tables in the same order as they are introduced in the report
Provide captions with complete information
Insert figures and tables after the paragraph that refers to them
Importance of Consistency
The sections of the report must be formatted in the same way throughout
Consistency is more important than the exact format of the report
Establish a template for writing reports
Salient Features of a Good Report
Explains the methods of investigation
Data collection
Includes calculations
Provides for uncertainty and error analysis
Explains results
Discusses results and conclusions
Provides references
Includes appendices
Provides acknowledgements
Aspects of a Good Report
A good report achieves its purpose by answering the questions that were set out in the investigator’s mandate
It is designed to meet the needs of the decision-maker
A decision-maker must rely on the facts that were presented in the report
The facts must be based on the evidence in the file
It must be clear and written in neutral language so that the decision-maker and other readers are able to understand it
It should be concise and must convey the necessary information
It should be structured in such a way so that information can be located easily
Investigative Report Format
Get samples of already established report format
Estimate objectivity
Document the findings in an unbiased and accurate manner
Address the identification and continuity of the evidence
Include any relevant extracts referred to in the report that support the analysis or conclusions
Attachments and Appendices
Use attachments or appendices as a supplement to the report
Attachments and appendices can be used to further detail any terminology, findings, or recommendations presented in the report
Reference attachments or appendices when the report has more content than fits in the body
Include Metadata
Metadata is information about a file, which includes who created the file and its time/date stamps
Two types of file metadata can be used in the forensic investigation:
• System metadata can be used to identify a change in file location
• Application metadata can be used to identify a change in document author, document version, macros, email “to,” “from,” “subject,” etc.
The significance of metadata depends on the properties of the file type
During analysis, the expert needs to work with the mirror image to avoid altering metadata
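The two metadata types described above can be pulled apart with a short script. The following is an added example, not part of the module or of any vendor tool: it reads system metadata (size and timestamps from the file system) and application metadata (author, last-modified-by, revision from the document’s own core-properties part) for a constructed Office Open XML document. The document, its property values and the file name memo.docx are all constructed for the example; the namespace URIs are the standard ones used by docProps/core.xml.

```python
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Standard XML namespaces of the OOXML core-properties part (docProps/core.xml).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed core.xml for the sample document: created by "alice", last saved by "bob".
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>alice</dc:creator>
  <cp:lastModifiedBy>bob</cp:lastModifiedBy>
  <cp:revision>7</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2008-01-10T09:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2008-02-14T16:30:00Z</dcterms:modified>
</cp:coreProperties>""" % NS


def system_metadata(path):
    """File-system (system) metadata: what the operating system records about the file."""
    st = os.stat(path)
    stamp = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
    return {
        "size": st.st_size,
        "modified": stamp(st.st_mtime),
        "accessed": stamp(st.st_atime),
        "changed": stamp(st.st_ctime),  # inode change time on Unix, creation time on Windows
    }


def application_metadata(docx_path):
    """Application metadata: what the authoring program stored inside the document."""
    with zipfile.ZipFile(docx_path) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))

    def text(tag):
        node = root.find(tag, NS)
        return node.text if node is not None else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "revision": text("cp:revision"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
    }


def make_sample_docx(path):
    """Write a minimal constructed .docx: a zip with the core-properties part and a stub body."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("word/document.xml", "<w:document/>")  # placeholder body


def examine(path):
    """Collect both metadata types and flag an author change worth noting in the report."""
    app = application_metadata(path)
    return {
        "application": app,
        "system": system_metadata(path),
        "author_changed": app["creator"] != app["last_modified_by"],
    }


def demo():
    # The examiner would run this against a working copy taken from the mirror image;
    # here a temporary directory stands in for that copy.
    with tempfile.TemporaryDirectory() as directory:
        path = os.path.join(directory, "memo.docx")
        make_sample_docx(path)
        return examine(path)


if __name__ == "__main__":
    for section, values in demo().items():
        print(section, values)
```

The application block comes from inside the file and survives copying between systems, whereas the system block is rewritten by the file system whenever the file is moved or touched, which is why the examiner reads it from the image rather than from a live copy.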
Signature Analysis
Signature analysis verifies file signatures to determine whether any files have been renamed
It identifies a difference between the file extension and the file header
It can be used to build hash sets for file filtering
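Signature analysis and hash-set filtering as a worked script. This is an added example, not the module’s own material or the output of any forensic suite: it compares each file’s leading bytes against a small constructed signature table, reports files whose extension disagrees with the header, and builds a SHA-256 hash set that is then used to drop a known file from the review queue. The sample files (photo.jpg, report.pdf, notes.txt, tool.exe) and the signature table are constructed; a real examination would use a complete signature database and a vendor or NSRL-style hash set.

```python
import hashlib
import os
import tempfile

# Constructed table of well-known file signatures (leading "magic" bytes) mapped to
# the extensions they legitimately carry. Only a handful of formats are listed.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"%PDF-": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx", "jar"},
    b"MZ": {"exe", "dll", "sys"},
}


def detect_type(header):
    """Return the extensions consistent with the leading bytes, or None if unknown."""
    for magic, extensions in SIGNATURES.items():
        if header.startswith(magic):
            return extensions
    return None


def check_signature(path):
    """Compare the file header against the file extension and classify the result."""
    with open(path, "rb") as fh:
        header = fh.read(16)
    extension = os.path.splitext(path)[1].lstrip(".").lower()
    expected = detect_type(header)
    if expected is None:
        status = "unknown-signature"  # header not in the table: needs manual review
    elif extension in expected:
        status = "match"
    else:
        status = "mismatch"           # extension disagrees with header: likely renamed
    return {
        "name": os.path.basename(path),
        "extension": extension,
        "header_types": sorted(expected) if expected else [],
        "status": status,
    }


def sha256_file(path):
    """Hash a file in chunks so large evidence files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_hash_set(paths):
    """Map SHA-256 digest -> file name; this is the hash set used for filtering."""
    return {sha256_file(p): os.path.basename(p) for p in paths}


def filter_known(paths, known_hashes):
    """Drop files whose hash is in a known-file set, leaving only what still needs review."""
    return [p for p in paths if sha256_file(p) not in known_hashes]


def make_samples(directory):
    """Write constructed sample files. 'photo.jpg' is really a PNG, i.e. a renamed file."""
    samples = {
        "photo.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "report.pdf": b"%PDF-1.4\n%constructed sample\n",
        "notes.txt": b"plain text, no registered signature\n",
        "tool.exe": b"MZ" + b"\x90" * 62,
    }
    paths = []
    for name, data in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def demo():
    """Run signature analysis and hash filtering over the constructed samples."""
    with tempfile.TemporaryDirectory() as directory:
        paths = make_samples(directory)
        results = [check_signature(p) for p in paths]
        hash_set = build_hash_set(paths)
        # Treat tool.exe as a known benign file and filter it out of the review queue.
        known = {sha256_file(p) for p in paths if p.endswith("tool.exe")}
        remaining = [os.path.basename(p) for p in filter_known(paths, known)]
        return {
            "results": results,
            "mismatches": [r["name"] for r in results if r["status"] == "mismatch"],
            "hash_set": hash_set,
            "remaining_after_filter": remaining,
        }


if __name__ == "__main__":
    out = demo()
    for r in out["results"]:
        print(f'{r["name"]:12s} ext={r["extension"]:4s} header={r["header_types"]} {r["status"]}')
    print("renamed files:", out["mismatches"])
    print("still to review after hash filtering:", out["remaining_after_filter"])
```

Files whose header is not in the table are reported as unknown rather than silently passed, so the report can list them as unresolved instead of implying they were verified.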
Sample Forensic Report
The report identifies the continuity of the information and describes the procedures utilized during:
• Investigation
• Concise summary of conclusions
• Observations
• All appropriate recommendations
Sample Report
Investigation Procedures
General evidence:
• The date and time the investigator visited the site of the incident
• The person with whom the investigator spoke at that site
Collecting physical and demonstrative evidence
Testimonial evidence
Collecting Physical and Demonstrative Evidence
The manner in which the scene of the incident, if any, was secured
A list of each piece of physical evidence that was collected
The manner in which the physical evidence was collected and logged
The manner in which the physical evidence was preserved after collection in order to maintain the chain of custody
A list of any pictures that were taken
A list of any other demonstrative evidence available to the investigation, e.g. diagrams, maps, floor plans, and x-rays
Collecting Testimonial Evidence
The way in which the investigator determined whom to interview
A list of all persons interviewed in chronological order, including title, date, and time of each interview
The person or persons, if any, as the target or targets of the case
The way in which the investigator afforded the target or other witnesses any right to representation, if such rights exist by labor contract, law, or regulation
Interviews without the writer’s statement
Do’s and Don’ts of Forensic Computer Investigations
Ask questions
Document thoroughly
Operate in good faith
Do not get in over your head
Make the decision to investigate
Treat everything as confidential
File it
Case Report Writing and Documentation
Document the entire computer media analysis and conclusions in the “Investigative Analysis Report”
Identify any files pertinent to the investigation and print them for inclusion as attachments to the analysis report
Create a Report to Attach to the Media Analysis Worksheet
Keep notes on:
• Date and time of the evidence CPU
• Current date and time (include appropriate time zone)
• Significant problems/broken items
• Lapses in analysis
• Finding evidence
• Special techniques required beyond normal processes (e.g., password cracker)
• Outside sources (e.g., commercial companies that provide assistance and information by trained CCIs over Computer Forensic Investigators)
Best Practices for Investigators
Before submitting the report, read it again
• It gives a clear view of where you need to make changes
Anyone new to the situation should be able to understand the report
While revising the report, ensure that it is coherent, not repetitive, and presents information in the right place
Ensure that the report corresponds to the mandate
Writing Report Using FTK
Final Report
Summary
Investigative reports are critical during investigations because they communicate computer forensics findings and other information to the necessary authorities
Reports can be formal or informal, verbal or written
Reports need to be error free
Avoid jargon, slang, or colloquial terms