File000163
- 2. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Dubai Fund Boss Faces Investigation-Reports
Source: http://www.reuters.com/
- 3. EC-Council
News: Market Investigation Report on China’s Tyre Industry, 2008 out Now
Source: http://www.marketwatch.com/
- 4. EC-Council
Module Objective
This module will familiarize you with:
• Need of an investigative report
• Report specifications
• Report classification
• Layout of an investigative report
• Guidelines for writing a report
• Use of the supporting material
• Importance of consistency
• Salient features of a good report
• Investigative report format
• Sample forensic report
• Best Practices for Investigators
• Writing report using FTK
- 5. EC-Council
Module Flow
• Need of an Investigative Report
• Report Specifications
• Report Classification
• Layout of an Investigative Report
• Guidelines for Writing a Report
• Use of Supporting Material
• Importance of Consistency
• Salient Features of a Good Report
• Investigative Report Format
• Sample Forensic Report
• Best Practices for Investigators
• Writing Report using FTK
- 6. EC-Council
Computer Forensic Report
A computer forensic report provides detailed information on the complete computer forensics investigation process.
An investigative report should:
• Explain how the incident occurred
• Be technically sound and clear to understand
• Be properly formatted with page and paragraph numbers for easy referencing
• Provide unambiguous conclusions, opinions, and recommendations supported by figures and facts
• Adhere to the local laws of the land to be admissible in court
• Be submitted in a timely manner
- 7. EC-Council
Computer Forensics Report Template
Summary
• Case number
• Name and social security number of the author, investigators, and examiners
• Why was the investigation undertaken?
• List of significant findings
• Signature analysis
Objectives
• Date and time the incident allegedly occurred
• Date and time the incident was reported to agency personnel
• Name of the person or persons reporting the incident
• Date and time the investigation was assigned
• Nature of the claim and information provided to the investigator
• Location of evidence
- 8. EC-Council
Computer Forensics Report Template (cont’d)
• List of the collected evidence
• Collection of evidence
• Preservation of evidence
• Initial evaluation of the evidence
• Investigative techniques
• Analysis of the computer evidence
• Relevant findings
• Supporting expert opinion
Other supporting details:
• Attacker methodology
• User applications
• Internet activity
• Recommendations
- 9. EC-Council
Report Format Specifications
PDF is the preferred format for digital reports
Do not file a report directly with the court
A definition of the goal or mission is a must
The order of writing should match the development of the case
Use of an outline or arrangement is suggested
Keep a copy of the report
- 10. EC-Council
Report Classification
• Verbal formal report: a structured verbal report delivered to a board of directors/managers/panel of jury under oath
• Verbal informal report: a verbal report that is less structured than a formal report and is delivered in person, usually in an attorney’s office or police station
• Written formal report: a written report sworn under oath, such as an affidavit or declaration
• Written informal report: an informal or preliminary report in written form
- 11. EC-Council
Layout of an Investigative Report
You can choose the numbering structure from two layout systems:
• Decimal numbering system
• Legal-sequential numbering system
Include signposts:
• To clearly communicate the information
• To draw the reader’s attention to a point
Present the text accurately
Maintain a proper document style throughout the text
- 12. EC-Council
Layout of an Investigative Report (cont’d)
Provide supporting material:
• Figures, tables, data, and equations
Explain methods:
• How you have studied the problem
Include data collection
- 13. EC-Council
Layout of an Investigative Report: Numbering
Decimal numbering structure:
• Divides the text into sections
• Readers can scan the headings
• Readers can identify how the parts relate to each other
Legal-sequential numbering:
• Used in pleadings
• Roman numerals represent major aspects
• Arabic numbers are supporting information
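As an added illustration, not part of the EC-Council slides, the following Python renders one report outline under both layout systems described above. The outline headings are constructed sample values. The legal-sequential rule implemented here (Roman numerals for the major headings, one running Arabic sequence for the supporting paragraphs beneath them) is an assumed reading of the slide's description.

```python
# Added example: renders one report outline with the two numbering layouts
# described on the slide. Outline contents are constructed sample headings.

def to_roman(n):
    """Convert a positive integer (1..3999) to a Roman numeral."""
    table = [(1000, "M"), (900, "CM"), (500, "D"), (400, "CD"), (100, "C"),
             (90, "XC"), (50, "L"), (40, "XL"), (10, "X"), (9, "IX"),
             (5, "V"), (4, "IV"), (1, "I")]
    out = []
    for value, numeral in table:
        while n >= value:
            out.append(numeral)
            n -= value
    return "".join(out)

# Each entry is (heading, list of sub-entries); nesting depth is unlimited.
OUTLINE = [
    ("Summary", [
        ("Case number and personnel", []),
        ("Significant findings", []),
    ]),
    ("Investigative techniques", [
        ("Collection of evidence", [
            ("Physical evidence", []),
            ("Testimonial evidence", []),
        ]),
        ("Analysis of the computer evidence", []),
    ]),
    ("Recommendations", []),
]

def decimal_numbering(outline, prefix=""):
    """Decimal layout: every level gets its own number (1, 1.1, 1.1.1, ...),
    so a reader can see from the label alone how a part relates to its parent."""
    lines = []
    for i, (heading, children) in enumerate(outline, start=1):
        label = f"{prefix}{i}"
        lines.append(f"{label} {heading}")
        lines.extend(decimal_numbering(children, prefix=f"{label}."))
    return lines

def _flatten(entries):
    """Yield the headings of a subtree in document order, regardless of depth."""
    for heading, children in entries:
        yield heading
        yield from _flatten(children)

def legal_sequential_numbering(outline):
    """Legal-sequential layout (assumed reading of the slide): Roman numerals
    mark the major aspects; the supporting paragraphs beneath them carry one
    running Arabic sequence across the whole document, as in pleadings."""
    lines = []
    paragraph = 0
    for i, (heading, children) in enumerate(outline, start=1):
        lines.append(f"{to_roman(i)}. {heading}")
        for sub in _flatten(children):
            paragraph += 1
            lines.append(f"    {paragraph}. {sub}")
    return lines

if __name__ == "__main__":
    print("\n".join(decimal_numbering(OUTLINE)))
    print()
    print("\n".join(legal_sequential_numbering(OUTLINE)))
```

Running the block prints the same outline twice, once as "2.1.1 Physical evidence" style labels and once as "II." headings with paragraphs numbered 1 to 6 straight through; the decimal form makes the hierarchy visible from the label, the sequential form gives every paragraph a unique number a reader can cite.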
- 14. EC-Council
Guidelines for Writing a Report
Avoid jargon, slang, or colloquial terms
Define acronyms and abbreviations
Check grammar and spelling
Writing should be concise
Do not make any assumptions
Do not identify any leads
Double-check media findings
Write theoretical questions based on factual evidence
The report must support your opinion
Write opinions based on knowledge and experience
- 15. EC-Council
Use of Supporting Material
Use figures, tables, data, and equations as supporting material
Number figures and tables in the same order as they are introduced in the report
Provide captions with complete information
Insert figures and tables after the paragraph
- 16. EC-Council
Importance of Consistency
The sections in the report format must be arranged in the same way
Consistency is more important than the exact format of the report
Establish a template for writing reports
- 17. EC-Council
Salient Features of a Good Report
Explains the methods of investigation
Data collection
Includes calculations
Provides for uncertainty and error analysis
Explains results
Discusses results and conclusions
Provides references
Includes appendices
Provides acknowledgements
- 18. EC-Council
Aspects of a Good Report
A good report achieves its purpose by answering the questions that were set out in the investigator’s mandate
It is designed to meet the needs of the decision-maker
A decision-maker must rely on the facts that were presented in the report
The facts must be based on the evidence in the file
It must be clear and written in neutral language so that the decision-maker and other readers will be able to understand it
It should be concise and must convey the necessary information
It should be structured so that information can be located easily
- 19. EC-Council
Investigative Report Format
Get samples of already established report formats
Estimate objectivity
Document the findings in an unbiased and accurate manner
Address the identification and continuity of the evidence
Include any relevant extracts referred to in the report that support the analysis or conclusions
- 20. EC-Council
Attachments and Appendices
Use attachments or appendices as a supplement to the report
Attachments and appendices can be used to further detail any terminology, findings, or recommendations presented in the report
You can refer to attachments or appendices when the report has more content
- 21. EC-Council
Include Metadata
Metadata is information about a file, including who created the file and its time/date stamps
The significance of metadata depends on the properties of the file type
During analysis, the expert needs to work with the mirror image to avoid altering metadata
Two types of file metadata can be used in the forensic investigation:
• System metadata can be used to identify a change in file location
• Application metadata can be used to identify a change in document author, document version, macros, email “to,” “from,” “subject,” etc.
- 22. EC-Council
Signature Analysis
Signature analysis verifies file signatures to determine whether any files have been renamed
It identifies mismatches between a file’s extension and its file header
It can be used for making hash sets for file filtering
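As an added example, not from the EC-Council deck, the following Python performs the checks the two preceding slides describe on a small constructed evidence set: it reads each file's header and compares it with the extension (signature analysis), records system metadata (size and modification timestamp) from the filesystem, and builds a SHA-256 hash set for file filtering. The signature table, the sample files and every function name here are constructed for the example; a working tool would use a full signature database and run against a mirror image of the media, as the metadata slide advises.

```python
# Added example: signature analysis, system metadata and hash sets over a
# constructed set of files. Signature table and sample files are constructed.
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Magic bytes -> extensions that legitimately carry them (constructed subset)
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"%PDF-": {".pdf"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".pptx"},
    b"MZ": {".exe", ".dll"},
}

def identify_signature(header):
    """Return the set of extensions matching the file header, or None if the
    header is not in the table (an unknown type is not reported as a mismatch)."""
    for magic, extensions in SIGNATURES.items():
        if header.startswith(magic):
            return extensions
    return None

def analyze_file(path):
    """One evidence-table row: hash, header type, extension, mismatch flag and
    system metadata (size and filesystem modification time) for a single file."""
    with open(path, "rb") as fh:
        data = fh.read()
    extension = os.path.splitext(path)[1].lower()
    expected = identify_signature(data[:8])
    st = os.stat(path)
    return {
        "path": path,
        "sha256": hashlib.sha256(data).hexdigest(),
        "extension": extension,
        "header_type": sorted(expected)[0] if expected else "unknown",
        # Renamed file: the header is known but the extension does not belong to it
        "mismatch": expected is not None and extension not in expected,
        "size": st.st_size,
        "modified_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
    }

def scan_directory(root):
    """Analyze every file under root in a deterministic order."""
    records = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            records.append(analyze_file(os.path.join(dirpath, name)))
    return records

def build_hash_set(records):
    """Hash set for file filtering: sha256 -> paths holding identical content,
    so duplicates are examined once and known files can be excluded."""
    hash_set = {}
    for record in records:
        hash_set.setdefault(record["sha256"], []).append(record["path"])
    return hash_set

def demo():
    """Constructed evidence set: a PNG renamed to .txt, a PDF, and a byte-for-byte
    copy of that PDF. Returns (names of mismatched files, hash set)."""
    with tempfile.TemporaryDirectory() as root:
        pdf = b"%PDF-1.4\n%constructed sample\n"
        png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
        samples = {"notes.txt": png, "invoice.pdf": pdf, "invoice_copy.pdf": pdf}
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        records = scan_directory(root)
        mismatched = [os.path.basename(r["path"]) for r in records if r["mismatch"]]
        hash_set = build_hash_set(records)
        return mismatched, hash_set

if __name__ == "__main__":
    mismatched, hash_set = demo()
    print("Renamed files (header/extension mismatch):", mismatched)
    for digest, paths in hash_set.items():
        print(digest[:16], [os.path.basename(p) for p in paths])
```

The mismatch flag is only raised when the header is recognised and the extension is not one it may carry; an unrecognised header is reported as "unknown" rather than as a renamed file, so the report does not overstate what the tool actually established. The hash set shows the two PDFs collapsing to a single entry, which is the basis for filtering duplicates and known-good files before examination.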
- 23. EC-Council
Sample Forensic Report
The report identifies the continuity of the information and describes the procedures utilized during:
• Investigation
• Concise summary of conclusions
• Observations
• All appropriate recommendations
- 31. EC-Council
Investigation Procedures
General evidence:
• The date and time the investigator visited the site of the incident
• The person with whom the investigator spoke at that site
Collecting physical and demonstrative evidence
Testimonial evidence
- 32. EC-Council
Collecting Physical and Demonstrative Evidence
The manner in which the scene of the incident, if any, was secured
A list of each piece of physical evidence that was collected
The manner in which the physical evidence was collected and logged
The manner in which the physical evidence was preserved after collection in order to maintain the chain of custody
A list of any pictures that were taken
A list of any other demonstrative evidence available to the investigation, e.g. diagrams, maps, floor plans, and x-rays
- 33. EC-Council
Collecting Testimonial Evidence
The way in which the investigator determined whom to interview
A list of all persons interviewed in chronological order, including title, date, and time of each interview
The person or persons, if any, as the target or targets of the case
The way in which the investigator afforded the target or other witnesses any right to representation, if such rights exist by labor contract, law, or regulation
Interviews without the writer’s statement
- 34. EC-Council
Do’s and Don’ts of Forensic Computer Investigations
Ask questions
Document thoroughly
Operate in good faith
Do not get in over your head
Make the decision to investigate
Treat everything as confidential
File it
- 35. EC-Council
Case Report Writing and Documentation
Document the entire computer media analysis and conclusions in the “Investigative Analysis Report”
Identify any files pertinent to the investigation and print them for inclusion as attachments to the analysis report
- 36. EC-Council
Create a Report to Attach to the Media Analysis Worksheet
Keep notes on:
• Date and time of the evidence CPU
• Current date and time (include appropriate time zone)
• Significant problems/broken items
• Lapses in analysis
• Finding evidence
• Special techniques required beyond normal processes (e.g., password cracker)
• Outside sources (e.g., commercial companies that provide assistance and information by trained CCIs over Computer Forensic Investigators)
- 37. EC-Council
Best Practices for Investigators
Before submitting the report, read it again
• It gives a clear view of where you need to make changes
Anyone new to the situation should be able to understand the report
While revising the report, ensure that it is coherent, not repetitive, and presents information in the right place
Ensure that the report corresponds to the mandate
- 39. EC-Council
Writing Report Using FTK (cont’d)
(Slides 39 to 45 contain only images; the only text extracted from them is the caption “Final Report” on slide 45.)
- 46. EC-Council
Summary
Investigative reports are critical during investigations because they communicate computer forensics findings and other information to the necessary authorities
Reports can be formal or informal, verbal or written
Reports need to be error free
Avoid jargon, slang, or colloquial terms