June 1, 2019
Four Tips for Effective Forensic Report Writing
Digital forensics is a complicated field. As mentioned in previous articles, much of what we do as forensic practitioners is break down very complicated and technical matters into basic concepts that stakeholders in our cases can easily understand. In fact, if you ever take any of the Mac Forensics courses taught by Sumuri, instructor Steve Whalen starts out by asking, “What is digital forensics?” You’d be astonished how many digital forensic practitioners in the room cannot answer the question.
Is this because they never (or rarely) have to present their findings in court? Perhaps. But even before a case gets to court, there has to be effective documentation of the steps undertaken to reach findings and conclusions. Without this documentation, it is very hard to justify or affirm the conclusions.
Recently, we worked a criminal defense case where the law enforcement digital forensic examiner’s report was frankly abysmal. This is not good for law enforcement, public safety or the digital forensic community overall. We will not call out the examiner or his agency; that’s unprofessional. But in this article, we’ll relay some steps that can help make your forensic reports much more effective. Whether the case is a criminal defense matter or a civil litigation domestic dispute, the report is your voice as an examiner and analyst, and it’s extremely difficult, if not impossible, to do a “take-back”. After all, when people’s lives and/or livelihood are on the line, don’t we all owe it to everyone involved to be thorough and accurate?
Tip #1: Know the Different Types of Reports
This seems basic, but it is often confused by examiners, counsel, judges and juries. When explaining the different types of reports, we generally break it down like this:
There is the examiner’s narrative of the steps he took, with a summary of the evidence and any conclusions. This is the “Summary Report” (or narrative report).
The summary report refers to the forensic reports, which are generated by whichever forensic tools you’ve used in the case. As most anyone who has been doing digital forensics for a while will attest, some forensic reports can be hundreds or thousands of pages long, depending on the type of case, the number of items analyzed, the amount of data and other factors.
Furthermore, it’s important that the distinction between the two reports is clear. When we receive a narrative with no heading, no dates, no details about basic case items and no real format to it, it is automatically confusing. Even more so when this type of “report” is not accompanied by any forensic report generated by a forensic tool. We have to be clear and concise. Confusion is the enemy in digital forensics. While this may be a tactic used by some to overload or misdirect the opposing party, that too is unprofessional. If your methods and findings are solid, why should there be a need to purposely confuse, confound or misdirect the other side?
Tip #2: Be Accurate
In the case mentioned above, we received a narrative that didn’t detail basic items about the system in question and the tool(s) used. These include:
· Pictures of the examined item
· Verification of system time
· Operating system in use on the item
· Version of the forensic tool used to conduct the analysis
· Detailed methods used for creating the forensic image
The last point proved to be rather important. The forensic image of the Mac system was created in the .E01 format. Normally, .E01 images are segmented into parts during the imaging process. This one was not. It was one large 265 GB .E01 file. This was odd, but in and of itself not a big deal. However, upon hashing the .E01 image that was provided, the hashes did not match the hash values in the log generated during the imaging process. We still have no explanation for this, but there was missing data -- very important missing data. One of the most frustrating things as an examiner is to have questions like this and no answers. They can be huge or they can be inconsequential. The problem is, we just don’t know because there is no accurate documentation.
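As an added illustration of the hash check described above (example code written for this article, not the original author’s or any forensic tool’s): it hashes a raw image in one streamed pass, compares the result with the digests recorded in an acquisition log, and returns a record carrying everything the narrative report should cite (item, size, time of verification, examiner, tool, expected and computed hashes, mismatches). The log layout, file name and examiner/tool values are constructed assumptions, and the code assumes a raw (dd-style) image: the hash recorded for an .E01 acquisition covers the acquired data rather than the container bytes, so an .E01 must be verified through an EWF-aware tool.

```python
import hashlib
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed log layout (an assumption, not any tool's format): one "ALGORITHM: hexdigest" line per hash.
LOG_HASH_RE = re.compile(r"^\s*(MD5|SHA1|SHA256)\s*:\s*([0-9a-fA-F]+)\s*$", re.M | re.I)

def parse_log_hashes(log_text):
    """Return {algorithm: hexdigest} for every hash line recorded in the imaging log."""
    return {alg.lower(): digest.lower() for alg, digest in LOG_HASH_RE.findall(log_text)}

def hash_image(path, algorithms, chunk=1 << 20):
    """Hash a raw image in one streamed pass, so a multi-hundred-GB file never sits in memory."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}

def verify_image(path, log_text, examiner, tool):
    """Compare computed hashes with the log and return the record the narrative report should cite."""
    expected = parse_log_hashes(log_text)
    computed = hash_image(path, expected) if expected else {}
    mismatches = sorted(alg for alg in expected if computed[alg] != expected[alg])
    return {
        "item": str(path),
        "size_bytes": Path(path).stat().st_size,
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "tool": tool,
        "expected": expected,
        "computed": computed,
        "mismatches": mismatches,
        "verified": bool(expected) and not mismatches,  # a log with no hashes verifies nothing
    }

def demo():
    """Constructed data: a 3 MiB raw image, its matching acquisition log, and a log with one altered digest."""
    image = Path(tempfile.mkdtemp()) / "evidence.raw"
    image.write_bytes(bytes(range(256)) * (3 * 4096))
    data = image.read_bytes()
    good_log = "\n".join(f"{alg.upper()}: {hashlib.new(alg, data).hexdigest()}" for alg in ("md5", "sha256"))
    bad_log = "MD5: " + "0" * 32 + "\n" + good_log.splitlines()[1]  # MD5 line corrupted, SHA256 intact
    return (verify_image(image, good_log, "J. Doe (constructed)", "hash_image 0.1 (constructed)"),
            verify_image(image, bad_log, "J. Doe (constructed)", "hash_image 0.1 (constructed)"))
```

A record whose `mismatches` list is non-empty is exactly the situation the paragraph describes, and the record itself is what belongs in the report alongside the tool version and system-time checks.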
In the narrative/summary report, it was stated that no activity was present on the system for the date in question (paraphrased), therefore it must have been wiped by CCleaner (see further on that below). However, a timeline analysis of the system indicated there was a great deal of activity on the system on the date in question. At trial, the law enforcement examiner’s testimony and statement was updated to say that “no files were created” on the system on that date, not that there was no activity. There’s a big difference. Accuracy is important!
Tip #3: Be Thorough
In the cited case, there were allegedly illicit images downloaded from the defendant by the police, but no images were found anywhere on the computer system. That in itself is intriguing from a forensic perspective and we were excited to see what the evidence showed. One of our steps was to conduct a keyword search for unique items in the file name of the main image charged (there were only two downloads, neither of which was on the system). We found several hits in a database for “PTHC”, which is a frequent term in file names of illicit images and was in the file name of the main charged image. We documented this for Counsel and were prepared to testify about it (despite the fact it did not help the defendant).
The law enforcement examiner also conducted a keyword search for the same keyword, and the forensic report (which we obtained 2 days before trial – also unprofessional) simply stated 5 hits in 5 files. No additional detail about what the hits were and where they were found was contained either in the summary/narrative report or the forensic report. Did they find the same things we found? Did they even look beyond the hits? Did they index the system prior to conducting the keyword search? To be clear, we received dozens of hits for that string of letters after indexing and conducting our search, but as often happens, the false positives needed to be checked and weeded out and the relevant ones documented.
The point about all of this is, we had no idea what we were dealing with with regard to the “5 hits in 5 files”. Further, the issue of validation of these hits was outstanding. We found 5 keyword hits, but they were in 2 files, not 5. The work was half done… or at least half documented.
Tip #4: Your Conclusions Have to Make Sense
At issue in the cited case was the fact that no images were found on the suspect/defendant drive and CCleaner was also present on the system. The law enforcement examiner’s narrative stated “No images were found and CCleaner was installed on the system, therefore the image(s) must have been wiped by the user using CCleaner” (paraphrased). This conclusion was not supported by any evidence other than 1) no images found 2) CCleaner found. That’s it.
This conclusion is at least potentially erroneous and is not backed by any other facts, analysis, evidence or documentation. It is a digital forensic leap to say that just because a disk cleaning utility exists on a system and little or no evidence relevant to the charges was found, a disk cleaning utility must have been used to wipe the data. An important hypothesis like this should be documented with logs, metadata, etc. in an attempt to prove or disprove whether or not it is true. Aside from that, it is conjecture and quite possibly coincidence.
Wrapping It Up
Our goal in this article is not to bash any one examiner or set of examiners. We all make mistakes, and while the examples cited here have been seen sporadically through the years, they are fortunately not the norm in digital forensics. The goal is to help avoid complacency, inaccuracy and sloppy report writing in the future. We’re all in this to find the truth, wherever that may lead and to whomever’s benefit or detriment. There’s an old saying that is drilled into police recruits’ heads in law enforcement basic training – IF YOU DIDN’T WRITE IT DOWN, IT DIDN’T HAPPEN!
This is a great rule to live by when it comes to everything from note-taking to writing your final summary/narrative reports.
What we do is important. Many times, the methods we undertake and the conclusions at which we arrive can mean a long prison sentence for some or a loss of a great deal of money or custody of their children for others. We owe it to the stakeholders in the case and to the digital forensic community to adhere to a high standard when issuing our findings. It’s the best way to ensure that justice is served, no matter the case.
Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!
We Find the Truth for a Living!
Computer Forensics -- Mobile Forensics -- Specialized Investigation
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history. Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others). He is a Cellebrite Certified Operator and Physical Analyst as well as certified in cellular call detail analysis and mapping. He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Email: Inquiries@ProDigital4n6.com