Writing a Forensics / Expert Report

Introduction

The purpose of this paper is to provide guidance on writing forensics reports. Many training courses concentrate on training the forensic examiner in specific tools or techniques; the writing of the report is either not mentioned or is given very little attention. Unfortunately, many forensic examiners, both in law enforcement and in private practice, fail to provide adequate detail in their reports. This article is designed to provide guidance on that issue.

Whether you are using an expert as a consultant or as a testifying witness, at some point they will need to provide a report of their findings. An informal report for internal use may seem to require less rigor; however, it is usually best to prepare any report as if it were going to be used in court proceedings. For that reason we will examine the requirements of an expert report for court.

Expert Reports

An expert report is much more thorough than a standard forensic report. Forensic reports often detail a single test, or a few related tests, and simply report the facts. An expert report is meant to form the basis of opinions. While there are a variety of laws that relate to expert reports the general rules are:

  1. If it is not in your report, you cannot testify about it.
  2. Your report needs to detail the basis for your conclusions.
  3. Detail every test conducted, the methods and tools used, and the results.

Expert reports generally start with the expert's qualifications. This should be a complete curriculum vitae detailing education, work history, and publications. Particular attention should be paid to elements of the expert's history that are directly related to the case at hand. Then the report moves on to the actual topic at hand. An expert report is a very thorough document. It must first detail exactly what analysis was performed and how the expert conducted the examination and analysis. In the case of computer forensics, the expert report should detail what tools the expert used (including version numbers), what the results were, the details of the machine examined as well as the machine used to conduct the tests, and the conditions under which the tests were conducted.

There is another issue, not required by law but a very good idea: any claim an expert makes in a report should be supported by extrinsic, reputable sources. This is sometimes overlooked by experts because they themselves are cited as sources, or because the claim being made seems obvious to them. For example, if an expert report needs to describe how the domain name system works in order to explain a DNS cache poisoning attack, then there should be references to recognized authoritative works regarding the details of the domain name system. The reason is that at trial a creative attorney can often extract nontraditional meanings from even commonly understood terms, and a change in the meaning of a word can change the entire case. In fact, in patent infringement cases one of the early steps is called a Markman hearing, and it is expressly for defining terms that might be in dispute between the two parties. If your expert's only support for a chosen definition is his own opinion, that is not as strong as coupling his opinion with one or more widely recognized resources. This leads to another element an expert report must have: definitions of terms. Any term that is technical or scientific in nature, and for which there is any possibility of the opposing attorneys or experts disagreeing or misinterpreting it, should be defined in the expert report.

The next issue with an expert report is its completeness. The report must cover every item the expert wishes to opine on, and in detail. Nothing can be assumed. In some jurisdictions, if an item is not in the expert report, then the expert is not allowed to opine on it during testimony. Whether or not that is the case in your jurisdiction, it is imperative that the expert report submitted be very thorough and complete. I always suggest that an expert report should be so complete that any competent person in your field could take your report and duplicate your tests. And of course it must be error free. Even the smallest error can give opposing counsel an opportunity to impugn the accuracy of the entire report and the expert's entire testimony. This is a document that should be carefully proofread by the expert and by the attorney retaining the expert.

As you can see, an expert report can quickly become a rather long document. Even small cases often involve expert reports in excess of 30 pages. In more complex cases, expert reports of 100 or more pages are not unusual. The longest expert report I have ever personally submitted was approximately 1600 pages. However, this is not meant to suggest that one should be unnecessarily verbose in a report. Quite the contrary: be as concise and clear as possible. The necessity of explaining all the testing and analysis done, and of defining terms, is nonetheless likely to increase the size of the report.


General Guidelines

Whether you are writing a forensic report that simply states facts derived from testing, or an expert report that expresses expert opinions, there are guidelines you should follow. A number of papers and books make general recommendations about what should be in a forensics report; this section reviews them. The SANS Institute recommends the following for capturing the material that goes into a forensic report: “Taking screenshots, bookmarking evidence via your forensic application of choice (EnCase, FTK, X-Ways Forensics, etc.), using built-in logging/reporting options within your forensic tool, highlighting and exporting data items into .csv or .txt files, or even using a digital audio recorder vs. handwritten notes when necessary.”[1] The same document goes on to state that a forensics report must thoroughly detail the steps taken, what tools were used, how the analysis was done, and so on.

Another SANS paper on the topic of forensics reporting stresses that all the details of the investigation must be in the report, going so far as to state “Finally, create and record the MD5 hashes of the evidence as well as record and include the metadata for every file cited in the forensic report.”[2]

Chapter 5, “Documenting and Reporting,” of Forensic Examination of Digital Evidence: A Guide for Law Enforcement begins by stating this principle: “The examiner is responsible for completely and accurately reporting his or her findings and the results of the analysis of the digital evidence examination. Documentation is an ongoing process throughout the examination. It is important to accurately record the steps taken during the digital evidence examination.”[3] Note the emphasis on completely reporting results.

The same chapter continues by enumerating the items that must be in a report:

  • Identity of the reporting agency.
  • Case identifier or submission number.
  • Case investigator.
  • Identity of the submitter.
  • Date of receipt.
  • Date of report.
  • Descriptive list of items submitted for examination, including serial number, make, and model.
  • Identity and signature of the examiner.
  • Brief description of steps taken during examination, such as string searches, graphics image searches, and recovering erased files.
  • Results/conclusions.


Note in particular items such as “Brief description of steps taken during examination, such as string searches, graphics image searches, and recovering erased files.”

In its introductory computer forensics course, InfoSec Institute requires that students create a report that includes “a general overview of the methodology that you will use, and provide a reasoned argument as to why the particular methodology chosen is relevant.”[4]

From the Official (ISC)2® Guide to the CCFP CBK, we find this description of what should be in a forensics report: “When you are asked to produce a report at the conclusion of your work, you could be requested to describe, in detail, who did what and when. You will need to recreate a detailed inventory of what you were asked to do, what you did, what results you uncovered in your investigation. One recommendation to help you create your report is to take copious notes that document what you were doing with the electronic evidence. By doing this, you will be armed with the information necessary to produce a report of exactly what is requested.”[5]

Chapter 17 of the Official (ISC)2® Guide to the CCFP CBK has more to say about reports, including the following:

“Acquisition – Describe the process in which you acquired evidence. You should be comprehensive in detailing your process/ methodology. Keeping in mind that you are satisfying both industry best practices and the legal requirements to admit this evidence at trial. It is typical to see some form of data validation listed in this section – for example MD5/ SHA1 values for the evidence collected.”

“Analysis – This section can vary based on the scope of your analysis, but you should describe what tools/ techniques you used as well as your results. If you used multiple tools you should provide tool version numbers so your results can be cross-validated by another examiner. This section should provide enough information so another examiner who was provided your evidence files should be able to confirm/ dispute your findings.”

The website ‘Digital Forensics Investigator’ states that a forensic report should include, among other things, the following[6]:

“Evidence Analyzed – This should include serial numbers, hash values (MD5, SHA, etc.), and custodian information, if known. If pictures were taken at the scene, you may want to include them here.”

“Steps Taken – Be detailed. Remember, your results should be reproducible. Include software and hardware used. Don’t forget to include version numbers.”
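Several of the sources quoted above (the CCFP CBK “Acquisition” section, and the “Evidence Analyzed” and “Steps Taken” items) call for the same three things: hash values for each evidence item, the metadata of every file cited, and the version numbers of the tools used, so that another examiner can reproduce and cross-validate the work. The script below is an added example of how to generate that part of a report mechanically; it is not code from any of the cited guides or from this article's author. It records both MD5 and SHA-256 for every file, because MD5 collisions are practical today and an opposing expert can point that out; the manifest field names, the case identifier, the examiner name and the sample file contents are all assumptions constructed for the example.

```python
"""Build and verify an evidence manifest: hashes, file metadata, tool versions.

Added example, not taken from any cited guide. Field names, case ID,
examiner name and the sample files written by demo() are assumptions.
"""
import hashlib
import json
import os
import platform
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a large disk image never sits in memory


def hash_file(path):
    """Return (md5, sha256) hex digests computed in a single pass over the file."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def file_record(path):
    """One manifest entry: identity, size, modification time (UTC) and both hashes."""
    st = os.stat(path)
    md5, sha256 = hash_file(path)
    return {
        "path": str(path),
        "size_bytes": st.st_size,
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "md5": md5,
        "sha256": sha256,
    }


def build_manifest(paths, case_id, examiner):
    """Records for every evidence file plus the environment that produced the hashes."""
    return {
        "case_id": case_id,
        "examiner": examiner,
        "generated_utc": datetime.now(timezone.utc).isoformat(),
        "tools": {  # versions let another examiner cross-validate on the same toolchain
            "python": platform.python_version(),
            "platform": platform.platform(),
            "hash_algorithms": ["md5", "sha256"],
        },
        "items": [file_record(Path(p)) for p in paths],
    }


def verify_manifest(manifest):
    """Re-hash every item; return the paths whose size or hashes no longer match."""
    mismatched = []
    for item in manifest["items"]:
        path = Path(item["path"])
        if not path.is_file():
            mismatched.append(item["path"])
            continue
        md5, sha256 = hash_file(path)
        if (os.stat(path).st_size, md5, sha256) != (item["size_bytes"], item["md5"], item["sha256"]):
            mismatched.append(item["path"])
    return mismatched


def demo():
    """Constructed sample: two files in a temp dir, one of which is altered after hashing."""
    with tempfile.TemporaryDirectory() as tmp:
        a = Path(tmp) / "evidence_a.bin"
        b = Path(tmp) / "evidence_b.bin"
        a.write_bytes(b"abc")                   # "abc" is a standard MD5/SHA-256 test vector
        b.write_bytes(b"\x00" * (CHUNK + 17))   # longer than one chunk, exercises the loop
        manifest = build_manifest([a, b], case_id="CASE-0001", examiner="J. Examiner")
        clean = verify_manifest(manifest)       # nothing changed yet: expect []
        b.write_bytes(b"\x00" * CHUNK + b"\x01" * 17)  # same size, different content
        tampered = verify_manifest(manifest)    # expect only evidence_b.bin reported
        return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print(json.dumps(manifest, indent=2))
    print("mismatches before tampering:", clean)
    print("mismatches after tampering:", tampered)
```

The verification step is the part worth keeping in the lab workflow: rerunning it on the examiner's working copy immediately before the report is signed, and pasting the manifest into the “Evidence Analyzed” section, gives the reader the hash, size and timestamp of every file cited in the same document as the conclusions drawn from it.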

From one of my own books, on page 109 of the CCFP All-in-One guide: “In most cases, forensic labs require you to create a report of your forensic process. This report will detail what tests you conducted and the results.”[7] Later in that text, beginning on page 112, I provide examples of what should be in the report.

Legal Challenges

The Frye standard was used in federal courts for many years. It held, essentially, that scientific evidence was admissible only if the underlying method was generally accepted by the relevant scientific community. The Daubert standard (Daubert v. Merrell Dow Pharmaceuticals, 1993) superseded Frye in federal courts and made the trial judge the gatekeeper of what is admitted as scientific evidence. In Daubert the court defined scientific knowledge as that which is grounded in scientific methods and methodology, and listed several factors for the judge to weigh: whether the technique can be and has been empirically tested, whether it has been subjected to peer review and publication, the existence of standards and controls governing its operation, its known or potential error rate, and its general acceptance in the relevant scientific community.

In general this means two things:

  1. The person testifying must be an expert by virtue of their training, education, and experience.
  2. The evidence presented must be based on scientific methods.

The second part is critical. It is important that you use well-known and tested tools and techniques. But you must also clearly document what you did in your report. It is not enough to make a vague statement that you conducted tests. You need to describe exactly what tools you used, what methods you applied, and what the results were. The report should be thorough enough that any competent forensic examiner can take your report and duplicate your tests. It is also highly recommended that you use citations. It is very likely that the opposing side will disagree with your findings. In order for this not to turn into a battle of the experts, you need to back up your statements with citations from reputable sources. If you say that a particular technique is valid, cite the studies, textbooks or papers that support that statement.


[1] Garnett, B. (2010). Intro to Report Writing for Digital Forensics. http://digital-forensics.sans.org/blog/2010/08/25/intro-report-writing-digital-forensics/

[2] Maher, M. (2004). Writing a Computer Forensic Technical Report. http://www.sans.org/reading-room/whitepapers/forensics/forensic-investigator-1453

[3] U.S. Department of Justice (2004). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. https://www.ncjrs.gov/pdffiles1/nij/199408.pdf

[4] Thipursian, E. et al. (2004). Computer Forensics Investigation – A Case Study. http://resources.infosecinstitute.com/computer-forensics-investigation-case-study/

[5] Stephenson, P. (2014). Official (ISC)2® Guide to the CCFP CBK ((ISC)2 Press), Kindle Locations 6766-6769. Auerbach Publications. Kindle Edition.

[6] Kelley, M. (2012). Report Writing Guidelines. http://www.forensicmag.com/articles/2012/05/report-writing-guidelines

[7] Easttom, C. (2014). All In One Certified Cyber Forensics Professional Certification. McGraw Hill.



2016-10-23T11:05:12+00:00

About the Author:

I am a computer scientist, inventor, consultant, and author. I have over 20 years of professional experience in the IT industry, over 15 years teaching/training, and over 11 years in litigation support/expert witness work, including 39 cases and testimony at trial, depositions, and hearings. I have authored 19 published books (including four on security, three on forensics, and one on cryptography), have 6 patented inventions, and have been a guest speaker at multiple locations including the Harvard Computer Society, Columbia Chapter of the ACM, Southern Methodist University Computer Science and Engineering Colloquium, University of Texas at Dallas ACM chapter, Hacker Halted security conference, Takedown security conference, ISC2 Security Congress, Hackon India, and multiple other locations. I have conducted training and provided consulting for major companies, law enforcement agencies (local, state and federal), and various government agencies as well as friendly foreign governments. I conduct research in cryptography, forensics, and related topics. I also consult on computer security and forensics.