Despite its importance, report writing meets with a lot of ambivalence, and even antipathy, in our industry.
Even though digital forensics is a fairly niche field, there are still a variety of duties, jobs, and skills involved, depending on whether you are in law enforcement, litigation work, intelligence, etc. And there are even differences within the categories: malware examinations will likely vary from those that focus on fraud. But despite these differences, there are skills and duties that are encompassed in them all. One such democratizing duty is report writing. Whether you are writing for a client, an attorney, or your boss, most of us need to be able to communicate our findings in some way.
The funny thing is, despite being a vital skill in the industry, report writing seems to meet with an awful lot of ambivalence, or even antipathy. In an informal poll, the question “How do you feel about writing reports?” was posed to people in the industry. Figure 1 shows the breakout of how 36 respondents from the digital forensics field answered this question. Bear in mind that these are people who have vast amounts of knowledge and experience, and would attack what most would consider a technical nightmare with glee.
Unfortunately, no matter what your feelings toward reports are, they aren’t going away. Report writing, or just communicating findings in general, is essential to the digital forensics field. The very best analysis is useless if it cannot be intelligently conveyed. Luckily for us, writing is a skill. And just like the analytical and technical skills we prize, it can be learned and honed.
The following is an attempt to share some of the guidelines that I have learned along the way and try to adhere to in my reports. A lot of it will probably just sound like common sense. Bear in mind that these guidelines are being written from a civil litigation report standpoint. Law enforcement and intelligence reports will likely differ. Hopefully at least some parts will be applicable to multiple situations.
Start your report before you even begin your examination. There is usually some information that you know before you run a single process. Even if it is filling out serial numbers and contact information, by putting down what you do know in advance you will never be faced with that terrifying blank page once you wrap up your investigation. I would also recommend updating your report as you go along. You can do this by writing down information through each step, or even by keeping notes in a way that will allow for easy transfer to your report.
Don’t fall into the trap of simply listing files and search term hits. While these can undoubtedly be useful, what really adds value to digital forensics is the analysis. Without context, digital evidence is just ones and zeros. If you find the “smoking bit” in a registry key, that’s great, but it won’t do you any good if you can’t explain what it is, how it works, and why it is significant.
Be Cautious of Absolutes
There are few times when you can say with certainty that something is always true, or never occurs. Even if you are very sure of a statement, be careful about using absolutes. (Unless you have tested every eventuality and are certain that no subsequent research will reach an opposing conclusion, absolute statements can create havoc during cross-examination.) Useful phrases include: “This leads me to believe...”, “It is my professional opinion...”, “The evidence indicates...” I’m not saying that you should be wishy-washy. This language is a means of presenting the information as what it is, a professional opinion, because as expert witnesses we are able to express opinions.
Create a Template
Templates are easy to create and will end up saving you many hours of work down the road. The template doesn’t have to be set in stone, but just having one will make report writing easier, if for no other reason than because you won’t have to remember to include things that are already built-in. They are a great tool for ensuring consistent formatting and standardized language.
Use confidentiality language whenever appropriate. Also, I recommend having the word “Draft” in a header, footer, or watermark on every page until the report is finalized. Those of you familiar with the recent changes to the Federal Rules of Civil Procedure may recall that drafts of expert reports have additional protection from discovery, but it behooves you to make your drafts easily recognizable as such.
Break it Up
Reports can get long and are often very detailed. For the reader, they can seem dry. Also, it seems to me that with almost every report I write, the intended audience tends to focus on one or two items out of the entire report as the items of real interest to them. And while I would like to think that they marvel at every word as a manifestation of genius, I know that what they really want to do is zero in on the really juicy bits and be able to navigate easily to other points as needed. Breaking up the report into sections is an easy way to accommodate your readers. Below are some frequently used sections:
Title Page – This can include information such as the case name, date, investigator name, and contact information.
Table of Contents (ToC) – This is not necessary for short reports or for those without many sections. However, if your report is long and/or is broken out into many different sections, including a ToC can be of great help to the reader.
Executive Summary – Especially important for longer reports, this allows the reader to get the high level view of important findings without having to delve into specifics.
Objectives – This section is especially important to include if you were asked to perform a targeted investigation. Other information to include would be search terms requested by the client.
Evidence Analyzed – This should include serial numbers, hash values (MD5, SHA, etc.), and custodian information, if known. If pictures were taken at the scene, you may want to include them here.
Steps Taken – Be detailed. Remember, your results should be reproducible. Include software and hardware used. Don’t forget to include version numbers.
Relevant Findings – You can further break this section up depending on the length of your report. Subcategories will depend on the purpose of the exam, but can include things like: Documents of Interest; Internet Activity; Software of Note; USB Devices, etc.
Timeline – Some reports will benefit from a concise timeline of important events. A good graphic can go a long way in helping to communicate this information.
Conclusion – Highlight the important issues. This often comes in the form of a numbered list of concise findings.
Signature – Include a signature section that can be printed out and signed.
Exhibits – I typically reserve exhibits A and B for my Curriculum Vitae and Chain of Custody documentation, respectively. Certainly not necessary, but it makes it so that I always remember to include them in my reports. Also, some information can be embedded into the report itself, but if there are items of interest that get long, I highly recommend including them as exhibits and simply hyperlinking when you refer to them in the report.
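The section list above, the evidence hashes called for under Evidence Analyzed, the tool versions under Steps Taken, and the “Draft” marker from the template section can all be driven from one small script. The following is an added example, not code from the article or its author: it assembles a report skeleton in the section order listed, hashes each evidence item with MD5, SHA-1 and SHA-256, records tool versions, and keeps “DRAFT” in the page header until the report is marked final. The case name, evidence bytes and the “ExampleImager” tool entry are constructed placeholders; only the Python version and host platform are read from the machine it runs on.

```python
# Added example (not from the article): build a draft forensic report skeleton
# with hashed evidence, recorded tool versions, and a DRAFT marker.
import hashlib
import platform
from datetime import datetime, timezone

# Section order follows the article's list of frequently used sections.
SECTIONS = [
    "Title Page", "Table of Contents", "Executive Summary", "Objectives",
    "Evidence Analyzed", "Steps Taken", "Relevant Findings", "Timeline",
    "Conclusion", "Signature", "Exhibits",
]
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_evidence(data: bytes) -> dict:
    """Return hex digests for one evidence item under each algorithm."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def verify_evidence(data: bytes, recorded: dict) -> bool:
    """Re-hash an item and compare with the digests recorded in the report.
    This is what a second examiner runs when reproducing the work; any
    mismatch is an integrity or chain-of-custody problem, not noise."""
    return all(hashlib.new(alg, data).hexdigest() == recorded.get(alg)
               for alg in ALGORITHMS)


def evidence_table(evidence: dict) -> str:
    """Markdown table: one row per evidence item, one column per algorithm."""
    header = "| Item | " + " | ".join(a.upper() for a in ALGORITHMS) + " |"
    rule = "|" + "---|" * (len(ALGORITHMS) + 1)
    rows = [
        f"| {label} | " + " | ".join(hash_evidence(data)[a] for a in ALGORITHMS) + " |"
        for label, data in evidence.items()
    ]
    return "\n".join([header, rule, *rows])


def steps_table(tools: list) -> str:
    """Markdown list of tools with version numbers, plus the examination host."""
    lines = [f"- {name} {version}" for name, version in tools]
    lines.append(f"- Examination host: {platform.platform()}")
    return "\n".join(lines)


def build_report(case_name, examiner, evidence, tools, final=False) -> str:
    """Assemble the skeleton. Every section heading is emitted so none is
    forgotten; 'DRAFT' stays in the page header until final=True."""
    marker = "" if final else "DRAFT - "
    page_header = f"{marker}CONFIDENTIAL - {case_name}"
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M UTC")
    body = {
        "Title Page": f"Case: {case_name}\nExaminer: {examiner}\nGenerated: {stamp}",
        "Evidence Analyzed": evidence_table(evidence),
        "Steps Taken": steps_table(tools),
        "Exhibits": "Exhibit A - Curriculum Vitae\nExhibit B - Chain of Custody",
    }
    parts = [page_header]
    for section in SECTIONS:
        parts.append(f"\n## {section}\n")
        parts.append(body.get(section, "_To be completed._"))
    parts.append(f"\n{page_header}")  # footer carries the same DRAFT marker
    return "\n".join(parts)


if __name__ == "__main__":
    # Constructed sample input: two small byte strings standing in for images.
    sample_evidence = {
        "ITEM-001 (constructed USB image)": b"constructed evidence bytes, item one",
        "ITEM-002 (constructed laptop image)": b"constructed evidence bytes, item two",
    }
    sample_tools = [("Python", platform.python_version()),
                    ("ExampleImager (hypothetical tool)", "1.2.3")]
    print(build_report("Constructed v. Example", "J. Examiner",
                       sample_evidence, sample_tools))
```

Running the script prints a markdown skeleton whose first and last lines read “DRAFT - CONFIDENTIAL - …”; passing `final=True` drops the marker. The hash table is the part worth keeping verbatim in the final report, since `verify_evidence` lets anyone with the same image confirm they are examining what you examined.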
It can be daunting enough, even for seasoned professionals, to write a report. For those who are new to the field, the task can seem overwhelming. If you are new to the field, or are even transitioning from one area to another, one of the best ways to get familiar with report writing is to read as many forensic reports as you can. If your workplace has many available, this can be a great resource. These reports are especially helpful because they give you an idea of what is expected. The length, content, and format will vary depending on workplace policies and intended audience. Reading other reports can help you determine not only what works, but also what does not work.
When asked how someone can improve their skills, one of the best answers I know is simply: do it. So get those typing fingers ready and give it a shot. It may prove as useful to your career as any time spent with a new tool or technique. Happy writing!
Melia Kelley is a Senior Forensic Consultant for First Advantage Litigation Consulting. Melia performs forensic investigations for cases ranging from malware to intellectual property theft. First Advantage Litigation Consulting, 350 N. Halstead Street, Pasadena, CA 91107; firstname.lastname@example.org; www.fadvlit.com.