File000163

Module L - Investigative Reports

EC-CouncilCopyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

News: Dubai Fund Boss Faces Investigation-Reports

Source: http://www.reuters.com/



News: Market Investigation Report on China’s Tyre Industry, 2008 out Now

Source: http://www.marketwatch.com/



Module Objective

• Need of an investigative report• Report specifications• Report classification• Layout of an investigative report• Guidelines for writing a report• Use of the supporting material• Importance of consistency• Salient features of a good report• Investigative report format• Sample forensic report• Best Practices for Investigators• Writing report using FTK

This module will familiarize you with:



Module Flow

Report Specifications

Layout of an Investigative Report

Importance of Consistency

Need of an Investigative Report

Investigative Report Format

Salient features of a good Report

Guidelines for Writing a Report

Use of Supporting Material

Report Classification

Sample Forensic Report

Best practices for Investigators

Writing Report using FTK



Computer Forensic Report

• Explain how the incident occurred• Be technically sound and clear to understand• Be properly formatted with page and paragraph numbers for easy

referencing• Provide unambiguous conclusions, opinions, and

recommendations supported by figures and facts• Adhere to local laws of land to be admissible in courts• Be submitted in a timely manner

Investigative report should:

Computer forensic report provides detailed information on complete computer forensics investigation process



Computer Forensics ReportTemplate

Objectives

Date and time the incident allegedly occurred

Date and time the incident was reported to agency personnel

Name of the person or persons reporting the incident

Date and time the investigation was assigned

Nature of claim and information provided to the investigator

Location of evidence

• Case Number• Name and social security number of the author, investigators, and examiners• Why was the investigation undertaken?• List significant findings• Signatures analysis

Summary



Computer Forensics Report Template (cont’d)

List of the collected evidences

Collection of evidence

Preservation of evidence

Initial evaluation of the evidence

Investigative techniques

Analysis of the computer evidence

Relevant findings

Supporting expert opinion

• Attacker methodology• User applications• Internet activity• Recommendations

Other supporting details:



Report Format Specifications

PDF is the preferred format for digital reports

Do not file a report directly with the court

Definition of goal or mission is must

Order of writing should match the development of the case

Use of outline or arrangement is suggested

Keep a copy of the report



Report Classification

• A structured verbal report delivered to a board of directors/managers/panel of jury under oath

Verbal formal report

• A verbal report that is less structured than a formal report and is delivered in person, usually in an attorney’s office or police station

Verbal informal report

• A written report sworn under oath, such as an affidavit or declaration

Written formal report

• An informal or preliminary report in written form

Written informal report



Layout of an Investigative Report

• Decimal numbering system• Legal-sequential numbering system

You can choose the numbering structure from two layout systems:

• To clearly communicate the information• To draw the reader’s attention to a point

Include signposts:

Present the text accurately

Maintain a proper document style throughout the text



Layout of an Investigative Report (cont’d)

• Figures, tables, data, and equations

Provide supporting material

• How you have studied the problem

Explain methods

Include data collection



Layout of an Investigative Report: Numbering

• Divides the text into sections• Readers can scan the heading• Readers can identify how the parts relate to each other

Decimal numbering structure

• Used in pleadings• Roman numerals represent major aspects• Arabic numbers are supporting information

Legal-sequential numbering



Guidelines for Writing a Report

Avoid jargon, slang, or colloquial terms

Define acronyms and abbreviations

Check for grammar and spellings

Writing should be concise

Do not make any assumptions

Do not identify any leads

Double-check media findings

Write theoretical questions based on factual evidence

Report must support your opinion

Write opinions based on knowledge and experience



Use of Supporting Material

Use figures, tables, data, and equation as a supporting material

Number figures and tables in the same order as they are introduced in the report

Provide captions with complete information

Insert figures and tables after the paragraph



Importance of Consistency

The sections in the report format must be adjusted in the same way

Consistency is more important than exact format in report

Establish a template for writing report



Salient Features of a Good Report

Explains methods of investigations

Data collection

Includes calculations

Provides for uncertainty and error analysis

Explains results

Discusses results and conclusions

Provides references

Includes appendices

Provides acknowledgements



Aspects of a Good Report

A good report achieves the purpose by answering the questions that were set out in mandate for investigator

It is designed to meet the needs of the decision-maker

A decision-maker must rely on the facts that were presented in the report

The facts must be based on the evidence in the file

It must be clear and written in a neutral language so that the decision-maker and other readers will be able to understands it

It should be concise and must convey the necessary information

It should be structured in such a way so that information can be located easily



Investigative Report Format

Get samples of already established report format

Estimate objectivity

Document the findings in an unbiased and accurate manner

Address the identification and continuity of the evidence

Include any relevant extracts referred to the report that supports analysis or conclusions



Attachments and Appendices

Use attachments or appendices as a supplement to the report

Attachments and appendices can be used to further detail any terminology, findings, or recommendations presented in the report

You can provide the reference to attachments or appendices when the report has more content



Include Metadata

• System metadata can be used to identify the change in file location• Application metadata can be used to identify the change in document author,

document version, macros, email “to,” “from,” “subject,” etc

Two types of file metadata can be used in the forensic investigation:

Metadata is information about the file which includes who created a file and time/date stamps

The significance of metadata is based on the properties of the file type

During analysis, the expert needs to work with the mirror image to avoid altering metadata



Signature Analysis

Signature analysis verifies file signature to know whether any files have been renamed

It identifies the difference between a file extension and the file header

It can be used for making hash sets for file filtering



Sample Forensic Report

• Investigation• Concise summary of conclusions• Observations • All appropriate recommendations

The report identifies the continuity of the information and describes the procedures utilized during:



Sample Report



Sample Report (cont’d)


















Investigation Procedures

General evidence

• The date and time the investigator visited the site of the incident• The person with whom the investigator spoke with at that site

Collecting physical and demonstrative evidence

Testimonial evidence



Collecting Physical and Demonstrative Evidence

The manner in which the scene of the incident, if any, was secured

A list of each piece of physical evidence that was collected

The manner in which the physical evidence was collected and logged

The manner in which the physical evidence was preserved after collection in order to maintain the chain of custody

A list of any pictures, which were taken

A list of any other demonstrative evidence available to the investigation, e.g. diagrams, maps, floor plans, and x-rays



Collecting Testimonial Evidence

The way in which the investigator determined whom to interview

A list of all persons interviewed in chronological order, including title, date, and time of each interview

The person or persons, if any, as the target or targets of the case

The way in which the investigator afforded the target or other witnesses any right to representation, if such rights exist by labor contract, law, or regulation

Interviews without the writer’s statement



Do’s and Don'ts of Forensic Computer Investigations

Ask questions

Document thoroughly

Operate in good faith

Do not get in over your head

Make the decision to investigate

Treat everything as confidential

File it



Case Report Writing and Documentation

Document the entire computer media analysis and conclusions in the "Investigative Analysis Report”

Identify any files pertinent to the investigation and print them for inclusion as attachments to the analysis report



Create a Report to Attach to the Media Analysis Worksheet

• Date and time of the evidence CPU• Current date and time (include appropriate time zone)• Significant problems/broken items• Lapses in analysis• Finding evidence• Special techniques required beyond normal processes

(e.g., password cracker)• Outside sources (e.g., commercial companies that provide

assistance and information by trained CCIs over Computer Forensic Investigators)

Keep notes on:



Best Practices for Investigators

Before submitting the report, read it again

• It gives a clear view of where you need to make changes

Anyone new to the situation should be able to understand the report

While revising the report, ensure that it is coherent, not repetitive, and presents information in right place

Ensure that the report corresponds to mandate



Writing Report Using FTK



Writing Report Using FTK (cont’d)



















Final Report



Summary

Investigative Reports are critical during investigations because they communicate computer forensics findings and other information to the necessary authorities

Reports can be formal or informal, verbal, or written

Reports need to be error free

Avoid jargons, slangs, or colloquial terms





Technology

File000163