Hello, and welcome back to the digital forensic concept paths. In this course, course 11, we're going to talk about reporting and peer review. As an overview of this course: we're going to talk about report writing, the parts of the report, how we write the report, and things we need to consider when we're writing the report. We're going to take a look at some tool-generated reports and see the pros and cons to those. And we're also going to talk about peer review, what it is, and why it's important.

In module one, we're going to talk about report writing. Well, report writing starts with preparation. We have to have good note taking to have a good report, because you're not going to remember everything you did, and what time you did it, and what the circumstances were, and who was there. So you need to take good notes as you go through the process of your investigation. Take the notes as you take the actions. Don't wait and try to make the notes up later. Take the notes as you're doing it. We want to make sure we document all our observations, things that we see. Maybe we saw a destructive program running on the screen, and we decided to pull the plug from the back of the machine. We would want to make sure that we documented that screen, took a photograph. You want to document the actions we take. What did we do in response to seeing that? Well, we pulled the plug, and we want to document that. You want to document what time you did that, the date and time. And that brings us to our next one: we want to document the times our actions were taken. That's very important. And the reasons why we took the actions that we did. The results of our examination need to be reproducible by another examiner. That's what makes them scientifically sound.

For a well-written report, you want to think about your target audience. Is it another examiner? Is it a group of lay people? Is it your boss? Is it an attorney's office? Who's going to be the audience for your report? You want to make your report very clear and unambiguous. You don't want to leave things hanging. You want to make sure you explain everything. Make sure it's detailed, but concise. Nobody wants to read a really wordy report, and people usually won't read a really wordy report. So make them detailed, but concise. Make sure they're fact-based and unbiased. You can't bring preconceptions or personal biases into your reporting and findings. And you must include any exculpatory evidence, or exculpatory findings, and that would be findings that tended to go against what you're trying to prove: prove the person's innocence, or prove that the act did not happen.

Now, parts of the report. We have our narrative, and in our narrative we're going to talk about what we did find. We're going to have exhibits, and these can be things like artifacts within the file system that support our hypothesis. Maybe your hypothesis is that an employee copied some documents to a USB drive. Well, you want to have some USB connections with dates and times that the devices were connected, serial numbers, volume names. And maybe you think a certain document was copied. You might want to try to look for link files, to find a link file to that volume containing a certain document name. So those are exhibits. Then the processes you used: what forensic software did you use? What was your process? How did you go about coming to these conclusions? Did you examine the link files with Autopsy? Did you export them and examine them with another third-party tool? What did you do? And then we want to have the interpretation of our findings. You may find information in the Windows registry, just for example, and you want to be able to interpret that.

When you're doing your report or investigation, make sure you're answering each of the questions that pertain to your particular investigation. If the question is, was there malware on the system? You want to make sure that you can find out whether there was, or there was not, malware on the system. And you might want to look in some of your persistent artifacts, to see if you can see anything that was set to run at startup that you know is known malware. You might want to run a virus program, something like VirusTotal, against it. So you want to answer your questions. And you want to support your opinions with facts and artifacts that you find in the file system.

We want to document the examination software tools we use, and what versions of the tools we were using. And you want to make sure you read the release notes on these tools, so if there are already known issues, you know about them ahead of time. You want to be able to explain anything you include in your report. Never put anything in a report that you cannot explain. And if you make a mistake, own up to it. Don't try to leave it out, or sweep it by. If you make a mistake, document it, and continue on with your investigation.

Report considerations: stay away from using statements like "always" and "never", because when we're talking about computer forensics, there are very few things that will fall into the category of always being one way, or never being one way. A lot of "it depends" is part of computer forensics. Be careful about attributing who was the user, because just because somebody logged on with somebody's credentials, you're going to need a little more supportive evidence than that to say that this particular person was the one sitting behind the keyboard. And it's okay to say you don't know; inconclusive happens. A good example is this: if you found graphic files in internet cache, temporary internet files, you can say that at some point that website was visited. But you cannot say that those images were downloaded to the computer by the user, or that the user had knowledge that those images were on the computer. So you do want to be careful.

In our next module, module two, we're going to look at tool-generated reports.