Reporting Phase of Digital Forensics:

Reporting as a Phase of the Digital Forensic Process:


Forensic reporting is the final phase of any forensic process (5 Steps for
Conducting Computer Forensics Investigations, 2020). As far as digital forensics
goes, a report shows the digital evidence found and lays out your methods so that
whoever reads your findings can see how you arrived at your conclusions.
Usually, a report must be tailored to whoever will eventually read it, be it an
attorney, a client, an investigator, etc. (Content, Hagen, Institute and
Zeltser, 2020)
The way the information is structured may vary significantly from report to
report, but a forensic report generally contains information regarding what
vulnerability was exploited, how the attack was performed and any available
information regarding when it happened. This phase is supposedly the most
important phase, as it is the culmination of everything gathered from the first
three phases. (Writing an Expert Witness Report | Institute of Forensics and ICT
Security, 2020)
A digital forensic report will likely contain a lot of information found at the
crime scene. Given that the scene is in fact virtual, the evidence is called
digital evidence. Digital evidence is basically any type of evidence found on a
computer or device with internet access that was found at the site of the attack
or was deemed responsible for said attack. This includes audio files, videos and
image files. This data may not always be easy to find, as it can be hidden using
various techniques, examples being steganography and encryption. It is the
investigators’ job to uncover said evidence and find the culprit, or in this
case, determine the method of attack used to breach the security of the device.
This evidence will then be used to make a report that other parties will
interpret in order to examine the findings.
(Garrie and Garrie, 2020)

The Importance of a Report.


Practitioners may need to present their investigative findings to courts of law.
It is fairly common for investigators to include their findings on digital
evidence items, which are known as data objects associated with such digital
evidence at the time of acquisition or seizure (Anson & Bunting, 2007). Digital
evidence items comprise a myriad of computer-based data: Word documents, JPEG
files, or any data that could reside on a storage medium. Some digital forensics
software tools implement a reporting functionality which allows forensic
examiners to generate reports regarding digital (Garrie and Garrie, 2020)
Despite the obviously mundane nature of paperwork, a report has a crucial role in
any setting. The main purpose of any report is to provide information to the
reader. This information can either be factual and based in the present moment,
or highly theoretical and abstract with almost no concept of time. However, the
one thing that is certain is that the data provided by the report is integral to
all decision making and planning. This is based on the assumption that the data
is in fact reliable and an accurate representation of every situation involved in
any action to be taken to change it. Aside from that, good report writing also
suggests that there is a certain level of communication between two parties.
Essentially, the purpose of a report can also be to establish communication
between two entities. This communication can provide feedback to companies about
the vulnerabilities exploited in attacking the company, as well as suggest
alternative ways to upgrade their security. On top of that, the report is meant
to suggest solutions to an existing issue that has either been brought to the
attention of the organization or is brought up in the report itself. In many
cases with a digital forensic report, the solution is likely an upgrade in
security or a new system implemented altogether. Finally, this report can lead
to the heads of the organization creating better policies about the company.
These policies can help
tighten security and even to an extent

Important Aspects to be Considered when Reporting Digital Evidence:


The report should contain a detailed review of the processes carried out on the
evidence and throughout the investigation. This should include how the evidence
was collected, the process used to make copies, the devices used, and the
operating system of both the victimized PC and the attacker’s PC, along with the
software used. The reporting phase also includes two different parts, technical
and legal evaluation. Another two issues that hold a lot of weight in the
reporting phase are the integrity of the evidence procured and presented, and the
clear, transparent and repeatable nature of the investigative method, despite any
exceptional circumstances.
Aside from that, digital forensic experts are encouraged to show their work on
electronic evidence to those with detailed information on the subject. This will
ensure sound vocabulary when trying to explain their findings. Experts should
always be aware of this, as they will need to ensure they appear both competent
and well-versed in the subject matter when dealing with topics of interest to the
readers. Moreover, it would prove beneficial to state the occupation of whoever
will have to read the report. Furthermore, all reports should attempt to convey
evidence that directly proves the attack. This is known as the “direct evidence
principle”, direct evidence being evidence that directly correlates with the
crime or event that occurred, thus clearly proving the validity or occurrence of
the crime/event. Circumstantial evidence, however, is evidence that has no direct
correlation to said crime, but can be used to infer the occurrence of said crime.
(Varol, 2017)

Section B: Hex-Editor for Data Carving

A hex editor is used to analyze, view and run hexadecimal-encoded files. Such
files are usually used for storing binary data that can be used by the computer.

A typical hex editor window looks something like this. It has three areas:
- The address bar on the left
- The hexadecimal display in the center
- The right side with characters displayed

The hex editor displays raw data; it doesn’t require an interpreter to show the
text in a form the user can understand. The byte form of every command is written
in the code stored in the hex file, which allows the physical location and memory
of objects to be seen when the file is opened inside the hex editor.
Step 1: Go to the image file.
Step 2: Open the hex editor, click on File and select Open.
Step 3: Open this image.
Step 4: Go to Gary Kessler's file signatures table and select the JPG header and
trailer tags, then search for them in the hex editor.
Step 5: Select all the way to FF F9.
Step 6: Cut and paste into a new page or file and save it.
Step 7: Click on the JPG file.
This is the result.
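
The manual carve above, automated as an added example (not part of the original write-up): it searches a raw image for the standard JPEG header FF D8 FF and trailer FF D9, counts nested header/trailer pairs so an embedded thumbnail does not end the carve early, and records each file's offset and SHA-256 so the step is repeatable and can be cited in the report. The function names and the constructed SAMPLE bytes are assumptions for illustration.

```python
import hashlib

SOI = b"\xff\xd8\xff"  # JPEG header: start-of-image marker plus the next marker's 0xFF
EOI = b"\xff\xd9"      # JPEG trailer: end-of-image marker

def find_end(blob, start, limit):
    """Return the offset just past the trailer matching the header at start, or -1."""
    depth, cur = 1, start + len(SOI)
    while True:
        nxt_soi = blob.find(SOI, cur, limit)
        nxt_eoi = blob.find(EOI, cur, limit)
        if nxt_eoi == -1:
            return -1                      # header without trailer (truncated file)
        if nxt_soi != -1 and nxt_soi < nxt_eoi:
            depth += 1                     # nested header, e.g. an embedded thumbnail
            cur = nxt_soi + len(SOI)
        else:
            depth -= 1
            cur = nxt_eoi + len(EOI)
            if depth == 0:
                return cur

def carve_jpegs(blob, max_size=20 * 1024 * 1024):
    """Carve every complete JPEG; return offset, length, SHA-256 and bytes of each."""
    results, pos = [], 0
    while (start := blob.find(SOI, pos)) != -1:
        end = find_end(blob, start, min(len(blob), start + max_size))
        if end == -1:
            pos = start + 1                # skip this header and keep searching
            continue
        data = blob[start:end]
        results.append({"offset": start, "length": len(data),
                        "sha256": hashlib.sha256(data).hexdigest(), "data": data})
        pos = end
    return results

# Constructed sample "disk image": valid markers only, not real picture content.
JPEG_A = SOI + b"\xe0" + b"A" * 8 + EOI
THUMB = SOI + b"\xdb" + b"t" * 4 + EOI
JPEG_B = SOI + b"\xe1" + THUMB + b"B" * 6 + EOI      # JPEG with embedded thumbnail
SAMPLE = b"\x00" * 16 + JPEG_A + b"slack" + JPEG_B + b"\x00" * 8 + SOI + b"\xe0cut"

if __name__ == "__main__":
    for hit in carve_jpegs(SAMPLE):
        print(f"offset=0x{hit['offset']:08x} length={hit['length']} sha256={hit['sha256']}")
```

Stopping at the first FF D9 would cut the second sample file off at its thumbnail (14 bytes instead of 22), which is why the nesting count matters when a carved image opens only as a small preview.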

References:
1. Anson, S., Bunting, S.: Mastering Windows Network Forensics and
Investigation. Wiley Publishing, Inc., Canada (2007).
2. Varol, A., 2020. Review Of Evidence Analysis And Reporting Phases In
Digital Forensics Process. [ebook] p.4. Available at:
<https://www.researchgate.net/publication/320829880_Review_of_evidence_analysis_and_reporting_phases_in_digital_forensics_process>
[Accessed 28 June 2020].
3. Garrie, D. and Garrie, D., 2020. Understanding A Digital Forensics Report.
[online] Legal Executive Institute. Available at:
<https://www.legalexecutiveinstitute.com/understanding-digital-forensics-report/#>
[Accessed 28 June 2020].
4. Techopedia.com. 2020. What Is A Hex Editor? - Definition From
Techopedia. [online] Available at:
<https://www.techopedia.com/definition/7561/hex-editor> [Accessed 28
June 2020].
5. Institute of Forensics and ICT Security. 2020. Writing An Expert Witness
Report | Institute Of Forensics And ICT Security. [online] Available at:
<https://www.forensicsinstitute.org/writing-an-expert-witness-report/>
[Accessed 28 June 2020].
6. Content, R., Hagen, P., Institute, S. and Zeltser, L., 2020. SANS Digital
Forensics And Incident Response Blog | Intro To Report Writing For Digital
Forensics | SANS Institute. [online] Sans.org. Available at:
<https://www.sans.org/blog/intro-to-report-writing-for-digital-forensics/>
[Accessed 28 June 2020].
7. Crawford, V., 2020. Example Of An Expert Witness Digital Forensic
Report. [ebook] Available at:
<https://www.academia.edu/12324822/Example_of_An_Expert_Witness_Digital_forensics_Report>
[Accessed 28 June 2020].
8. OpenLearn. 2020. Digital Forensics. [online] Available at:
<https://www.open.edu/openlearn/science-maths-technology/digital-forensics/content-section-4.1>
[Accessed 28 June 2020].
9. Norwich University Online. 2020. 5 Steps For Conducting Computer
Forensics Investigations. [online] Available at:
<https://online.norwich.edu/academic-programs/resources/5-steps-for-conducting-computer-forensics-investigations>
[Accessed 28 June 2020].
