Using Software to Generate Reports


Nearly all commercial forensics software will produce a report for the beginning of your documentation. Let's look at a sample report from Paraben's Case Agent Companion. To save space, most of the bookmarks have been deleted, but this will give you a general idea of what a generated report looks like.

start sidebar
Case #234-NextGard Technology Copyright Piracy Summary

Header

Agent: Customs Cyber Center

Examiner: D. Brown

Notes

Subject: Software Evidence

Body: The bookmarked files are part of a program that is used to generate software labels.

Author: D. Brown

Created: Fri Sep 10 13:42:28 GMT-07:00 2004

Modified: Sat Sep 11 06:16:35 GMT-07:00 2004

Analysis Logs

  1. A laboratory computer was prepared by the investigator using licensed copies of Windows 2000 Professional, AccessData's FTK version 1.43, and WinHex version 10.45 SR-2.

  2. The FTK evidence files from the desktop computer were copied to the laboratory computer's hard drive.

  3. A new FTK case file was opened, and the notebook computer's evidence files were examined using FTK.

    1. Deleted files were recovered by FTK.

    2. File data, including filenames, dates and times, physical and logical size , and complete path , were recorded.

    3. Keyword text searches were conducted based on information provided by the investigator. All hits were reviewed.

    4. Graphics files were opened and viewed .

    5. HTML files were opened and viewed.

    6. Data files were opened and viewed; four password-protected and encrypted files were located.

    7. Unallocated space and slack space were searched.

    8. Files of interest were copied from the FTK evidence file to a compact disk.

  4. Unallocated clusters were copied from the FTK evidence file to a clean hard drive, which had been wiped to U.S. Department of Defense recommendations (DoD 5200.28-STD). WinHex was then used to carve images from unallocated space. The carved images were extracted from WinHex, opened, and viewed. A total of 3,592 images were extracted.

  5. The password-protected files were copied to a 1.44MB floppy disk. AccessData's Password Recovery Toolkit was run on the files, and passwords were recovered for the password-protected files. The files were opened using the passwords and then viewed.

    Bookmarks

    Images Excluded

    Contraband Images Included

    Full Text Excluded

    nero.exe

    Description:

    Name = nero.exe

    Path = C:\Program Files\Ahead\Nero

    Created = Sun Dec 16 13:40:06 GMT-07:00 2001

    Modified = Wed Feb 20 10:53:58 GMT-07:00 2002

    Last Accessed = Sun Apr. 11 13:40:06 GMT-07:00 2004

    Size Actual = 18421

    Size Allocated = 18421

    PFS Type = 10000709

    MD5 Hash = fc3031a83d9d82add69ab5df15a0d338

    Cluster Map = []

    Incident Counter = 0

    Deleted = false

    Encrypted = false

    FOCH Hit = false

    Volume = Volume0

    System = Windows 2000

    Author: D. Brown

    Created: Fri Sep 10 13:49:23 GMT-07:00 2004

    Modified: Fri Sep 10 13:49:23 GMT-07:00 2004

    NeroCmd.exe

    Description:

    Name = NeroCmd.exe

    Path = C:\Program Files\Ahead\Nero

    Created = Sun Dec 16 13:40:06 GMT-07:00 2001

    Modified = Wed Feb 20 10:53:58 GMT-07:00 2002

    Last Accessed = Sun Apr. 11 13:40:06 GMT-07:00 2004

    Size Actual = 71266

    Size Allocated = 71266

    PFS Type = 10000708

    MD5 Hash = fe45230445a0b16fb0c3b483b21aa0c5

    Cluster Map = []

    Incident Counter = 0

    Deleted = false

    Encrypted = false

    FOCH Hit = false

    Volume = Volume0

    System = Windows 2000

    Author: D. Brown

    Created: Fri Sep 10 13:49:23 GMT-07:00 2004

    Summary

    The analysis of the desktop computer recovered 265 files of evidentiary value or investigative interest. The recovered files included: 90 document files including documents containing the suspect's name and personal information; text in the files included names of customer who had purchased the software, their methods of payment, and shipping information. Text describing the counterfeit software and pricing structure was also found. Fifty-seven graphics files including high-resolution image files of software labels and packaging materials, certificates of authenticity, registration cards, and copies of checks made out to Cheepware. Most graphics were scanned. Eighty-three HTML files including Hotmail and Yahoo e-mail inquiries about the software including e- mails between the suspect and customers (which included the concerned citizen corresponding about the inability to register the software purchased). Thirty-one graphics files carved from unallocated space depicting copies of checks. Four password-protected and encrypted files.

end sidebar
 

The software allows you to add or remove sections and sort them to suit your needs, as shown in the following graphic.

click to expand

No matter whether you choose to use a reporting method similar to one demonstrated here, or create your own, your report should document facts in a manner that is easily understood . The goals of the report are to accurately account the details of the case in an understandable format while containing the required information to explain your findings and still withstand legal examination.




Computer Forensics JumpStart
Computer Forensics JumpStart
ISBN: 0470931663
EAN: 2147483647
Year: 2004
Pages: 153

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net