Using Software to Generate Reports | Computer Forensics JumpStart

Nearly all commercial forensics software will produce a report for the beginning of your documentation. Let's look at a sample report from Paraben's Case Agent Companion. To save space, most of the bookmarks have been deleted, but this will give you a general idea of what a generated report looks like.

Case #234-NextGard Technology Copyright Piracy Summary

Header

Agent: Customs Cyber Center

Examiner: D. Brown

Notes

Subject: Software Evidence

Body: The bookmarked files are part of a program that is used to generate software labels.

Author: D. Brown

Created: Fri Sep 10 13:42:28 GMT-07:00 2004

Modified: Sat Sep 11 06:16:35 GMT-07:00 2004

Analysis Logs

A laboratory computer was prepared by the investigator using licensed copies of Windows 2000 Professional, AccessData's FTK version 1.43, and WinHex version 10.45 SR-2.
The FTK evidence files from the desktop computer were copied to the laboratory computer's hard drive.
A new FTK case file was opened, and the notebook computer's evidence files were examined using FTK.
1. Deleted files were recovered by FTK.
2. File data, including filenames, dates and times, physical and logical size , and complete path , were recorded.
3. Keyword text searches were conducted based on information provided by the investigator. All hits were reviewed.
4. Graphics files were opened and viewed .
5. HTML files were opened and viewed.
6. Data files were opened and viewed; four password-protected and encrypted files were located.
7. Unallocated space and slack space were searched.
8. Files of interest were copied from the FTK evidence file to a compact disk.
Unallocated clusters were copied from the FTK evidence file to a clean hard drive, which had been wiped to U.S. Department of Defense recommendations (DoD 5200.28-STD). WinHex was then used to carve images from unallocated space. The carved images were extracted from WinHex, opened, and viewed. A total of 3,592 images were extracted.
The password-protected files were copied to a 1.44MB floppy disk. AccessData's Password Recovery Toolkit was run on the files, and passwords were recovered for the password-protected files. The files were opened using the passwords and then viewed.

Bookmarks

Images Excluded

Contraband Images Included

Full Text Excluded

nero.exe

Description:

Name = nero.exe

Path = C:\Program Files\Ahead\Nero

Created = Sun Dec 16 13:40:06 GMT-07:00 2001

Modified = Wed Feb 20 10:53:58 GMT-07:00 2002

Last Accessed = Sun Apr. 11 13:40:06 GMT-07:00 2004

Size Actual = 18421

Size Allocated = 18421

PFS Type = 10000709

MD5 Hash = fc3031a83d9d82add69ab5df15a0d338

Cluster Map = []

Incident Counter = 0

Deleted = false

Encrypted = false

FOCH Hit = false

Volume = Volume0

System = Windows 2000

Author: D. Brown

Created: Fri Sep 10 13:49:23 GMT-07:00 2004

Modified: Fri Sep 10 13:49:23 GMT-07:00 2004

NeroCmd.exe

Description:

Name = NeroCmd.exe

Path = C:\Program Files\Ahead\Nero

Created = Sun Dec 16 13:40:06 GMT-07:00 2001

Modified = Wed Feb 20 10:53:58 GMT-07:00 2002

Last Accessed = Sun Apr. 11 13:40:06 GMT-07:00 2004

Size Actual = 71266

Size Allocated = 71266

PFS Type = 10000708

MD5 Hash = fe45230445a0b16fb0c3b483b21aa0c5

Cluster Map = []

Incident Counter = 0

Deleted = false

Encrypted = false

FOCH Hit = false

Volume = Volume0

System = Windows 2000

Author: D. Brown

Created: Fri Sep 10 13:49:23 GMT-07:00 2004

Summary

The analysis of the desktop computer recovered 265 files of evidentiary value or investigative interest. The recovered files included: 90 document files including documents containing the suspect's name and personal information; text in the files included names of customer who had purchased the software, their methods of payment, and shipping information. Text describing the counterfeit software and pricing structure was also found. Fifty-seven graphics files including high-resolution image files of software labels and packaging materials, certificates of authenticity, registration cards, and copies of checks made out to Cheepware. Most graphics were scanned. Eighty-three HTML files including Hotmail and Yahoo e-mail inquiries about the software including e- mails between the suspect and customers (which included the concerned citizen corresponding about the inability to register the software purchased). Thirty-one graphics files carved from unallocated space depicting copies of checks. Four password-protected and encrypted files.

The software allows you to add or remove sections and sort them to suit your needs, as shown in the following graphic.

No matter whether you choose to use a reporting method similar to one demonstrated here, or create your own, your report should document facts in a manner that is easily understood . The goals of the report are to accurately account the details of the case in an understandable format while containing the required information to explain your findings and still withstand legal examination.