9.7 Reporting

The last stage of a digital evidence examination is to integrate all findings and conclusions into a final report that conveys the findings to others and that the examiner may have to present in court. Writing a report is one of the most important stages of the process because it is the only view that others have of the entire process. Unless findings are communicated clearly in writing, others are unlikely to appreciate their significance. A well-rendered report that clearly outlines the examiner's findings can convince the opposition to settle out of court, while a weakly rendered report can fuel the opposition to proceed to trial. Assumptions and lack of foundation in evidence result in a weak report. Therefore, it is important to build solid arguments by providing all supporting evidence and demonstrating that the explanation provided is the most reasonable one.

Whenever possible, support assertions with multiple independent sources of evidence and include all relevant evidence along with the report since it may be necessary in court to refer to the supporting evidence when explaining findings in the report. Clearly state how and where all evidence was found to help decision-makers to interpret the report and to enable another competent examiner to verify results. Presenting alternative scenarios and demonstrating why they are less reasonable and less consistent with the evidence can help strengthen key conclusions. Explaining why other explanations are unlikely or impossible demonstrates that the scientific method was applied - that an effort was made to disprove the given conclusion but that it withstood critical scrutiny. If there is no evidence to support an alternative scenario, state whether it is more likely that relevant evidence was missed or simply not present. If digital evidence was altered after it was collected, it is crucial to mention this in the report, explaining the cause of the alterations and weighing their impact on the case (e.g. negligible, severe).

A sample report structure is provided here:

  • Introduction: case number, who requested the report and what was sought, who wrote the report, when, and what was found.

  • Evidence Summary: summarize what evidence was examined and when, MD5 values, laboratory submission numbers, when and where the evidence was obtained, from whom, and its condition (note signs of damage or tampering).

  • Examination Summary: summarize tools used to perform the examination, how important data were recovered (e.g. decryption, undeletion), and how irrelevant files were eliminated (see Chapter 24).

  • File System Examination: inventory of important files, directories, and recovered data that are relevant to the investigation with important characteristics such as path names, date-time stamps, MD5 values, and physical sector location on disk. Note any unusual absences of data.

  • Analysis: describe and interpret temporal, functional, and relational analysis and other analyses performed such as evaluation of source and digital stratigraphy.

  • Conclusions: summary of conclusions should follow logically from previous sections in the report and should reference supporting evidence.

  • Glossary of Terms: explanations of technical terms used in the report.

  • Appendix of Supporting Exhibits: digital evidence used to reach conclusions, clearly numbered for ease of reference.
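As an added example (not from the book), the script below builds the kind of file inventory the Evidence Summary and File System Examination sections call for, with relative path, size, UTC modification time and MD5 per file, and then re-verifies it the way a second examiner would. The evidence tree is constructed in a temporary directory; physical sector locations are omitted because a plain directory walk cannot supply them.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def md5_of(path, chunk=1 << 20):
    """Hash in chunks so a large file need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def inventory(root):
    """One entry per file: relative path, size, UTC mtime, MD5.
    Sector location is not available from os.walk and is left out."""
    entries = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            entries.append({
                "path": os.path.relpath(p, root).replace(os.sep, "/"),
                "size": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "md5": md5_of(p),
            })
    return sorted(entries, key=lambda e: e["path"])

def verify(root, entries):
    """Recompute each MD5 and return the paths that no longer match:
    the check another examiner runs to verify the report's inventory."""
    return [e["path"] for e in entries
            if not os.path.exists(os.path.join(root, e["path"]))
            or md5_of(os.path.join(root, e["path"])) != e["md5"]]

def demo():
    """Constructed sample evidence tree (not real case data)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Documents"))
    with open(os.path.join(root, "Documents", "notes.txt"), "wb") as f:
        f.write(b"meeting at 9pm\n")
    with open(os.path.join(root, "hosts"), "wb") as f:
        f.write(b"127.0.0.1 localhost\n")
    inv = inventory(root)
    clean = verify(root, inv)             # [] right after inventory
    with open(os.path.join(root, "hosts"), "ab") as f:
        f.write(b"# edited\n")            # alteration after collection
    return inv, clean, verify(root, inv)  # 'hosts' is now flagged
```

The altered file surfaces in the second verify call, which is exactly the post-collection change the report must disclose and weigh. MD5 is what the report structure lists; current practice records a second hash such as SHA-256 alongside it.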

In addition to presenting the facts in a case, digital investigators are generally expected to interpret the digital evidence in the final report. Interpretation involves opinion and every opinion rendered by an investigator has a statistical basis. Therefore, in a written report, the investigator should clearly indicate the level of certainty he/she has in each conclusion and piece of evidence to help the court assess what weight to give them. The C-Scale (Certainty Scale) described in Chapter 7 provides a method for conveying certainty when referring to digital evidence and for qualifying conclusions appropriately. Some digital investigators use a less formal system of degrees of likelihood that can be used in both the affirmative and negative sense: (1) Almost definitely, (2) Most probably, (3) Probably, (4) Very possibly, and (5) Possibly.

When determining the certainty level of a given piece of digital evidence, it may be important to consider the context. For instance, many Macintosh computers are unauthenticated and allow any user to change the system clock, making it more difficult for digital investigators to have confidence in the date-time stamps and to attribute activities to an individual. Computers that were not handled properly, causing evidence to be altered or destroyed, make it more difficult to make strong assertions about the evidence they contain. Additionally, a wily offender may arrange evidence to misdirect digital investigators, and the certainty of the evidence is reduced if there is no corroborating data from multiple independent sources.

In addition to a final, full-blown, technical report, digital investigators may be required to write reports for less technical decision-makers. For instance, managers in an organization may need to know what transpired to help them determine the best course of action. The public relations department may need details to relay to shareholders. Attorneys may need a summary report to help them focus on key aspects of the case and develop search or arrest warrants or interview and trial strategy. A measure of hard work and creativity is required to create clear, non-technical representations of important aspects in a case such as timelines, relational reconstructions, and functional analyses. However, the effort required to generate such representations is necessary to give attorneys, juries, and other decision-makers the best chance of understanding important details and making informed decisions.

Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279
