Sample Analysis Reports


In this section, you'll look at some sample analysis reports. Most of them are taken from the various software programs described in Chapter 8, 'Common Forensics Tools.' The excerpts in this section show samples of the different sections a report contains. In addition to these reports, you can find two sample reports and case summaries in Appendix A of the 'Forensic Examination of Digital Evidence: A Guide for Law Enforcement' document by the National Institute of Justice at www.ncjrs.org/pdffiles1/nij/199408.pdf.

This next sample report starts with a case brief explaining the particulars of the incident.

Case #234-NextGard Technology Copyright Piracy Summary

On May 7, 2004, a concerned citizen contacted the police department regarding possible copyright piracy. He explained that he searched the Internet looking to purchase NextGard Technology accounting and finance software. He purchased the software from a website called Cheepware.com that advertised this software as 'authentic,' but was unable to register the software he purchased. When the police department contacted NextGard Technology, they were informed that several other buyers complained about their inability to register NextGard Technology software bought from the same website. The case arose from a fourteen-month investigation led by U.S. Immigration and Customs Enforcement in cooperation with the Department of Justice Computer Crimes and Intellectual Property Section.

The investigation was conducted by the Bureau of Immigration and Customs Enforcement. After making an undercover purchase of software from the website through the Customs Cyber Center, the agents obtained a warrant to search the suspect's residence for computers and materials used in making counterfeit software and other evidence related to the theft charges. The agents submitted a desktop computer to the computer forensic laboratory for analysis.

Now let's move on to the objective of the case. As you follow along, note some of the particulars of the case, such as:

  • Computer type

  • Operating system

  • Offenses committed with the computer

  • Case agent

  • Where the exam took place

  • Tools used

Objective

Determine if the suspect used the desktop computer as an instrument in the crimes of criminal copyright infringement and/or as a repository of data related to those crimes.

  • Computer type : Compaq Deskpro desktop computer

  • Operating system : Microsoft Windows 2000 Professional

  • Offenses : Criminal copyright infringement

  • Case agent : Customs Cyber Center investigator, D. Brown

  • Where examination took place : Computer Forensic Laboratory

  • Tools/Software used : AccessData's Forensic Toolkit (FTK) and Password Recovery Toolkit

Initial Assessment

This section of the report gives an initial assessment of the case. It establishes that the proper documents were provided, the goals of the examination were set, and that the case was assigned.

  1. The initial documentation provided by the investigator was reviewed. This review determined that:

    1. Legal authority was established by a search warrant obtained specifically for the examination of the computer in a laboratory setting.

    2. Chain of custody was properly documented on the appropriate departmental forms.

    3. The request for service and a detailed summary explained the investigation, provided keyword lists, and provided information about the suspect, the counterfeit software, and the Internet web address.

  2. The computer forensic investigator met with the case agent and discussed the investigative avenues and potential evidence being sought in the forensic examination.

  3. Evidence intake was documented:

    1. The computer was marked and photographed.

    2. A file was created and the case information was entered into the laboratory database.

    3. The computer was properly stored in the laboratory's property room.

  4. The case was assigned to a computer forensic investigator.

Disk Imaging

The next sections of the report document the examination. They explain how the evidence was assessed, how the drive was imaged, and how the data was analyzed.

  1. The desktop computer was examined and photographed.

    1. The computer cover was removed and the hardware was examined and documented.

    2. A controlled boot disk was placed in the computer's floppy drive. The computer was powered on, and the BIOS setup program was entered. The BIOS information was documented, and the system time was compared to a trusted time source and documented. The boot sequence was checked and documented; the system was already set to boot from the floppy drive first.

    3. The desktop computer was powered off without making any changes to the BIOS.

  2. AccessData's FTK was used to create an evidence file containing the image of the desktop computer's hard drive.

    1. The desktop computer was connected to a laboratory computer through a null-modem cable, which connected to the computers' parallel ports.

    2. The desktop computer was booted to the DOS prompt with a controlled boot disk.

    3. The laboratory computer, equipped with a hard drive with the same storage capacity, was booted to the DOS prompt with a controlled boot disk. FTK Imager was started, and evidence files for the desktop computer were acquired and written to the laboratory computer's hard drive.

    4. When the imaging process was completed, the computers were powered off. The desktop computer was returned to the laboratory property room, and the hard drive containing the FTK evidence files was write-protected and entered into evidence.

Analysis

This section of the report describes the evidence and the steps taken to process the evidence.

  1. A laboratory computer was prepared by the investigator using licensed copies of Windows 2000 Professional, AccessData's FTK version 1.43, and WinHex version 10.45 SR-2.

  2. The FTK evidence files from the desktop computer were copied to the laboratory computer's hard drive.

  3. A new FTK case file was opened, and the desktop computer's evidence files were examined using FTK.

    1. Deleted files were recovered by FTK.

    2. File data, including filenames, dates and times, physical and logical size, and complete path, were recorded.

    3. Keyword text searches were conducted based on information provided by the investigator. All hits were reviewed.

    4. Graphics files were opened and viewed.

    5. HTML files were opened and viewed.

    6. Data files were opened and viewed; four password-protected and encrypted files were located.

    7. Unallocated space and slack space were searched.

    8. Files of interest were copied from the FTK evidence file to a compact disk.

  4. Unallocated clusters were copied from the FTK evidence file to a clean hard drive, which had been wiped to U.S. Department of Defense recommendations (DoD 5200.28-STD). WinHex was then used to carve images from unallocated space. The carved images were extracted from WinHex, opened, and viewed. A total of 3,592 images were extracted.

  5. The password-protected files were copied to a 1.44MB floppy disk. AccessData's Password Recovery Toolkit was run on the files, and passwords were recovered for the password-protected files. The files were opened using the passwords and viewed.
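Step 4 above carves images out of unallocated space with WinHex. The following is an added example, not code from the book or from WinHex, that shows the signature-based technique such a carve relies on: scan the exported clusters for a known file header, take everything up to the matching footer, and record offset, size and hash so each carved file can be tied back to the evidence export. The signature table, the byte buffer standing in for exported unallocated clusters, and the function names are all constructed for the example.

```python
"""Signature-based carving of JPEG and PNG images from a buffer of unallocated space.

Added example (not the book's or WinHex's code). In a real case `data` would be
the unallocated clusters exported from the evidence file; here a small buffer is
constructed inline so the script runs offline.
"""
import hashlib

# Header and footer signatures for the two formats carved here (constructed table).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),              # SOI marker ... EOI marker
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),   # PNG signature ... IEND chunk + CRC
}

# Stop looking for a footer this many bytes after a header; bounds runaway carves.
MAX_CARVE_SIZE = 20 * 1024 * 1024


def carve(data: bytes, signatures=SIGNATURES):
    """Return one record per header that has a matching footer within MAX_CARVE_SIZE.

    Each record holds the type, byte offset, size, SHA-256 and the carved bytes.
    Caveat: the first footer after a header ends the carve, so a JPEG with an
    embedded EXIF thumbnail (which has its own SOI/EOI) would be cut short; a
    production carver walks the JPEG segment structure instead.
    """
    records = []
    for ftype, (header, footer) in signatures.items():
        pos = data.find(header)
        while pos != -1:
            end = data.find(footer, pos + len(header), pos + MAX_CARVE_SIZE)
            if end == -1:                      # header without a footer: skip it
                pos = data.find(header, pos + 1)
                continue
            end += len(footer)
            blob = data[pos:end]
            records.append({
                "type": ftype,
                "offset": pos,
                "size": len(blob),
                "sha256": hashlib.sha256(blob).hexdigest(),
                "data": blob,
            })
            pos = data.find(header, end)       # resume after the carved file
    records.sort(key=lambda r: r["offset"])
    return records


def make_sample_unallocated() -> bytes:
    """Constructed stand-in for exported unallocated clusters: zero filler, a
    minimal JPEG-like blob, more filler, and a minimal PNG-like blob."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x00" * 30 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    filler = b"\x00" * 512
    return filler + jpeg + filler + b"A" * 100 + png + filler


def carve_report(data: bytes):
    """Hash the input (so the carve is tied to one specific export) and carve it.
    Returns (input_sha256, records without the raw bytes)."""
    input_hash = hashlib.sha256(data).hexdigest()
    summary = [{k: v for k, v in r.items() if k != "data"} for r in carve(data)]
    return input_hash, summary


if __name__ == "__main__":
    digest, found = carve_report(make_sample_unallocated())
    print(f"input sha256: {digest}")
    for rec in found:
        print(f"{rec['type']}  offset={rec['offset']}  size={rec['size']}  sha256={rec['sha256']}")
    print(f"{len(found)} images carved")
```

Recording the hash of the input alongside each carved file's offset and hash is what lets the supporting documentation show exactly which bytes of the evidence a carved image came from, which is the kind of detail a judge or jury will be walked through later in the report.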

Findings

This section summarizes the findings that are valuable to the investigation.

The analysis of the desktop computer recovered 265 files of evidentiary value or investigative interest. The recovered files included:

  1. Ninety document files including documents containing the suspect's name and personal information. Text in the files included names of customers who had purchased the software, their methods of payment, and shipping information. In addition, text that described the counterfeit software and pricing structure was found.

  2. Fifty-seven graphics files including high-resolution image files of software labels and packaging materials, certificates of authenticity, registration cards, and copies of checks made out to Cheepware. Most graphics were scanned.

  3. Eighty-three HTML files, including Hotmail and Yahoo e-mail inquiries about the software and e-mails between the suspect and customers (among them the concerned citizen's correspondence about the inability to register the software purchased).

  4. Thirty-one graphics files carved from unallocated space depicting copies of checks.

  5. Four password-protected and encrypted files.

    1. Microsoft Word 2000 document containing a list of personal information about several individuals including names, addresses, dates of birth, credit card numbers and expiration dates, and other information. Password: [gotya].

    2. Microsoft Word 2000 document containing information on how to crack the license for the NextGard software products. Password: [crack].

    3. Microsoft Excel spreadsheet containing the dates and dollar amounts of payments made through PayPal and eBay. Password: [money].

    4. Microsoft Excel spreadsheet containing a list of various software and their licensing key numbers. Password: [moremoney].

Supporting Documentation

This section contains the most detailed information. It describes how you arrived at the conclusions in the findings section. It includes documents and tables that outline all the steps you took to meet the objective. You can start the section by providing details about the media analyzed and then move on to subsections showing string searches and log file analysis.

The following graphic is the file overview. It summarizes the number of items included in the case.

Aug 6, 2004

Evidence Items
  Evidence Items: 4

File Items
  Total File Items: 5002
  Flagged Thumbnails: 0
  Other Thumbnails: 2025

File Status
  KFF Alert Files: 0
  Bookmarked Items: 1645
  Bad Extension: 394
  Encrypted Files: 0
  From E-mail: 13
  Deleted Files: 0
  From Recycle Bin: 0
  Duplicate Items: 880
  OLE Subitems: 277
  Flagged Ignore: 0
  KFF Ignorable: 180

File Category
  Documents: 679
  Spreadsheets: 0
  Databases: 0
  Graphics: 2025
  E-mail Messages: 13
  Executables: 198
  Archives: 26
  Folders: 0
  Slack/Free Space: 0
  Other Known Type: 150
  Unknown Type: 1924
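Two of the figures in that overview, the File Category counts and the Bad Extension count, come from looking at file content rather than file names. The following is an added example, not FTK's code, that shows the idea behind them: the category is taken from the content signature (the first bytes of the file), and a file is flagged as having a bad extension when its extension is not one that normally carries that content, which is how a JPEG renamed to .txt or an executable renamed to .dat gets surfaced. The signature table, the sample paths and leading bytes, and the function names are constructed for the example.

```python
"""Classify files by content signature and flag extension mismatches.

Added example (not FTK code) showing what sits behind the "File Category" counts
and the "Bad Extension" figure of an FTK-style file overview. The signature
table and the sample files are constructed for the example.
"""
from collections import Counter
import os

# (signature, category, extensions that legitimately carry it). Constructed table.
MAGIC = [
    (b"\xff\xd8\xff", "Graphics", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "Graphics", {".png"}),
    (b"GIF87a", "Graphics", {".gif"}),
    (b"GIF89a", "Graphics", {".gif"}),
    (b"MZ", "Executables", {".exe", ".dll", ".sys", ".scr"}),
    (b"PK\x03\x04", "Archives", {".zip", ".jar"}),
    # OLE2 compound file: Word 2000 and Excel 2000 both use it. Telling a .doc
    # from an .xls needs the stream names inside the container; out of scope here.
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "Documents", {".doc", ".xls", ".ppt"}),
    (b"%PDF", "Documents", {".pdf"}),
    (b"<html", "Documents", {".htm", ".html"}),
    (b"<HTML", "Documents", {".htm", ".html"}),
]


def identify(head: bytes):
    """Return (category, allowed extensions) for the leading bytes of a file."""
    for signature, category, exts in MAGIC:
        if head.startswith(signature):
            return category, exts
    return "Unknown Type", set()   # plain text has no signature and lands here


def classify(files):
    """files maps path -> leading bytes. Returns (per-file records, overview counts)."""
    records = []
    for path, head in files.items():
        category, exts = identify(head)
        # Evidence paths are Windows paths; split on backslash so this also runs on Unix.
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        ext = os.path.splitext(name)[1].lower()
        bad_extension = bool(exts) and ext not in exts
        records.append({"path": path, "category": category, "bad_extension": bad_extension})
    overview = Counter(r["category"] for r in records)
    overview["Bad Extension"] = sum(r["bad_extension"] for r in records)
    return records, dict(overview)


# Constructed sample: paths and first bytes as they might come out of an evidence file.
SAMPLE_FILES = {
    r"C:\Documents and Settings\user\My Documents\customers.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
    r"C:\Documents and Settings\user\My Documents\label.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    r"C:\Documents and Settings\user\My Documents\notes.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",  # JPEG behind a .txt name
    r"C:\Windows\Temp\tool.dat": b"MZ\x90\x00\x03\x00",                                            # executable renamed .dat
    r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\msg.htm": b"<html><head>",
    r"C:\Windows\Temp\readme.txt": b"just some text\r\n",
}


if __name__ == "__main__":
    recs, overview = classify(SAMPLE_FILES)
    for r in recs:
        flag = "  <-- Bad Extension" if r["bad_extension"] else ""
        print(f"{r['category']:<12} {r['path']}{flag}")
    print()
    for category, count in sorted(overview.items()):
        print(f"{category}: {count}")
```

The check only sees the first bytes of each file, so anything without a signature (plain text, many data formats) falls into Unknown Type rather than being flagged; that is why the overview above carries a large Unknown Type count alongside the Bad Extension figure, and why flagged files are a starting point for review, not a finding in themselves.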

The following graphic is a sampling of the evidence list. These are some of the items you would include in the supporting documentation part of the report.

Aug 6, 2006
Display Name: Cookies
Evidence File Name: Cookies
Evidence Path: C:\Documents and Settings\Diane Barrett
Identification Name/Number:
Evidence Type: Contents of a folder
Added: 8/6/2004 12:53:47 PM
Children: 17
Descendants: 17
Investigator's Name: D. Barrett
Comment:

Display Name: Documents and Settings
Evidence File Name: Documents and Settings
Evidence Path: C:
Identification Name/Number:
Evidence Type: Contents of a folder
Added: 8/6/2004 1:01:46 PM
Children:
Descendants: 4659
Investigator's Name: D. Barrett
Comment:

Display Name: Favorites
Evidence File Name: Favorites
Evidence Path: C:\Documents and Settings\Diane Barrett
Identification Name/Number:
Evidence Type: Contents of a folder
Added: 8/6/2004 12:53:52 PM
Children: 3
Descendants: 7
Investigator's Name: D. Barrett
Comment:

Display Name: Temp
Evidence File Name: Temp
Evidence Path: C:\Windows
Identification Name/Number:
Evidence Type: Contents of a folder
Added: 8/6/2004 12:53:50 PM
Children: 2
Descendants: 17
Investigator's Name: D. Barrett
Comment:

As you can see, this is the starting point for your reports. From here you formulate a report that is understandable to a judge and jury.

Additional Report Subsections

Often your reports may include additional subsections, especially if the case is quite extensive or contains data from many devices and computers. If the report becomes too long, include a table of contents so that everything is organized in a logical fashion. The audience can scan it and get a better idea of the purpose of the report.

If the event you are investigating is an intrusion, you could include a methodology section on attacks to help the audience understand how attacks are conducted or how the particular attack in the case took place. If the case involves an employee illegally accessing confidential information on a vendor website, a section on Internet activity could be added to show the browsing history and Internet activity of the employee. This section could also be used to show the download of malicious tools or evidence erase programs. When an employee has illegally accessed confidential information on a vendor website, a user applications section is usually included. The applications section should include a list of all installed applications such as 'hacker tools' or malicious software and a description of what they do.

Sometimes a final summary and/or conclusion is included with a report. In the copyright piracy case, the final summary and conclusion might look like the following ones.

Summary

Based on the information revealed by the computer analysis, several new avenues of investigation were opened. By contacting the victims listed in the password-protected Microsoft Word document, investigators learned that the victims had all purchased software from the suspect through either his website or direct mail. The Hotmail and Yahoo e-mail found on the suspect's computer provided information on additional victims. The password-protected Microsoft Excel spreadsheet containing the dates and dollar amounts of payments made through PayPal and eBay documented that the suspect had sold 2,578 illegal copies of NextGard software with a retail value of $750,250.00.

Conclusion

The suspect eventually pled guilty and was incarcerated for 5 years.

Instead of a final summary or conclusion, your report can contain a section on recommendations. This can be especially helpful if the case probably won't end up in court; for example, when the company doesn't want to prosecute and just wants to know how to reduce its risk in the future.

You can use a glossary to define technical terms that the average person might not understand. You might also want to include an appendix for detailed information that would interrupt the flow if it were included in the report proper. When investigating accounting fraud, you will frequently come across large spreadsheets. These sheets are hard to print in a format that is easily viewable. In instances such as this, you will want to attach an electronic appendix.


Computer Forensics JumpStart
ISBN: 0470931663
Year: 2004
Pages: 153