Digital Forensics

FARAZ ALI
FarazAli@ucp.edu.pk
+92-321-404-1740
Report Writing

FARAZ ALI
FarazAli@ucp.edu.pk
+92-321-404-1740
A Forensic Report, unlike a clinical report, is written for the benefit of the court and is
typically about the subject rather than for the subject. As the primary work product of
forensic evaluations, forensic reports usually influence the court’s decision. Because of their
importance, they require more care than an average report.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Importance of Reports
 A forensic report plays a very important role in the justification of criminal cases in the
courtroom.
 The results of forensic-related investigations are often detailed in a forensic report. These
reports are often used for several purposes, including affidavits and as proof of what was
found or not found.
 Communicate the results of your investigation
 Including expert opinion
 Forensic reports can:
 Provide justification for collecting more evidence
 Be used at a probable cause hearing
 Communicate expert opinion
 Courts require expert witnesses to submit written reports
 State courts are starting to also require them

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Importance of Reports
 Federal Rules of Civil Procedure requires submission of the expert’s written report that
includes:
 Testimony is based on sufficient facts or data
 Testimony is the product of reliable principles and methods
 Witness has applied the principles and methods reliably to the facts of the case
 The written report must specify fees paid for the expert’s services
 And list all other civil or criminal cases in which the expert has testified
 Keep a copy of any deposition notice or subpoena so that you can include the following:
 Jurisdiction
 Style of the case
 Cause number
 Date and location of the deposition
 Name of the deponent
 Deposition banks
 Examples of expert witnesses’ previous testimonies
 These reports are very important to a case, since the improper processing of the data or
missing key evidence can mean the difference between winning and losing a case.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Reports are legal documents
 The forensic report offers evidence to the court of law. As such it must be totally accurate
to the best of the examiner’s ability. This includes not only features of the report, but also
the simplest of identifying information. i.e. a defendant's date of birth.
 The report should have a professional appearance.
 The reports are the property of the court and defendants. Upon court order, facilities or
court may release the reports.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Reports Length
 No particular page length is suggested but the following guidelines are offered. Very short
reports often do not include enough data and explanations to be helpful to the court as they
should be.
 Very long reports, on the other hand, may become difficult for the court. It is important to
examine all reports carefully to ensure that they do not contain irrelevant data,
redundancies, or more extensive discussion that is needed to address the matter and legal
issues in the case, clearly and adequately.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Reports Length

Short Reports
Approximately three pages.
These reports are essentially the conclusion section of a report, without the preceding data,
along with recommendations.

Standard Reports
Approximately two to ten pages.
Depending on the depth of the test conducted.
This type of report would include a background history, test results, and conclusions.

Comprehensive Reports
Approximately thirty pages.
This type of report should typically not be used unless the referring party specifically
requests it.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
While creating a forensic report
 Provide accurate information on the examiner’s identity and date of evaluation.
 Describe the manner in which the examiner was informed of the purpose of the evaluation
and the limits of confidentiality.
 List all sources of data for the evaluation.
 Clearly state the legal standard that defines the forensic purpose of the evaluation.
 Including the specific questions, the examiner was asked to address.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Organization and Style
 Organize the report in a manner that is logical and assists the reader’s understanding.
 Report only data, not inferences, in one database section of the report.
 Report inferences and opinions in another section, which uses the earlier data but offers no
new data.
 Use language that minimizes the potential for bias or the appearance of free evaluative
judgments.
 Use language that will be understood by the general public, taking care to simplify
complex concepts and professional technical terms.
 Avoiding typographical errors and incomplete sentences.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Interpretations and Opinions
 Address only the clinical and forensic questions that were asked in the referral process.
 Provide a clear explanation for every important opinion or conclusion that you offer.
 Summarizing the relevant data and how they logically support the opinion.
 Identify alternative interpretations that might be considered, and explain how the data
were used to weigh these interpretations against the opinion you are offering.
 Produce interpretations and opinions that are logical and internally consistent.
 When opinions or recommendations require specialized knowledge, express opinions only
on matters for which you are qualified and competent.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Standard Headings
 Identifying information
 Legal Criteria for Determining Competence to stand trial
 Sources of Information
 Relevant History:
A brief description of any significant points regarding the defendant’s history of family
socialization and personality development:-
• History of social adaptations
• History of substance abuse
• History of criminal justice involvements, including, when available, history of
incarcerations with associated difficulties.
• History of Violence towards others and/or self
• Circumstances of referral

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Introduction
 The introduction typically includes information about the referring party and the purpose
of the evaluation, identifying information about the subject, and the general procedures
used.
• The case name
• Date
• Examinee name
• Examiner’s name with degree
• License number
• Contact information

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Summary of the report
Especially important for longer reports, this allows the reader to get a high-level view of
important findings without having to go for looking at all the pages.
Remarks / Notes
The behavior of the examinee or something that a court may be interested in.
Conclusion
Highlight the important issues. This often comes in the form of a numbered list of concise
findings.
Used words should be so clear that can be understood by others too.
Should avoid scientific words
Words commonly and generally used should be applied
Opinion and Recommendations
Leads to believe
Professional opinion
Signature
Signature of the Examiner
Date
Official Initials
Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Limiting a Report to Specifics
 All reports to clients should start with the job mission or goal
 Find information on a specific subject
 Recover certain important documents
 Recover certain types of files with specific dates and times

 Before you begin writing, identify your audience and the purpose of the report

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Types of Reports
 Digital forensics examiners are required to create
different types of reports
 Examination plan
 What questions to expect when testifying
 Attorney uses the examination plan to guide
you in your testimony
 You can propose changes to clarify or define
information
 Helps your attorney learn the terms and
functions used in computer forensics

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Types of Reports
 Verbal report
 Less structured
 Attorneys cannot be forced to release verbal reports
 Preliminary report
 Addresses areas of investigation yet to be completed
o Tests that have not been concluded
o Interrogatories
o Document production
o Depositions
 Written report
 Affidavit or declaration
 Limit what you write and pay attention to details
o Include thorough documentation and support of what you write

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Guidelines for Writing Reports
 Hypothetical questions based on factual evidence
 Guide and support your opinion
 Can be abused and overly complex

 Opinions based on knowledge and experience

 State the facts needed to answer the question

 Don’t include any unnecessary facts

 As an expert witness, you may testify to an opinion or conclusion, if four basic conditions are met:
 Opinion, inferences, or conclusions depend on special knowledge, skills, or training
 Witness should qualify as a true expert in the field
 Witness must testify to a reasonable degree of certainty
 Experts must know facts on which their opinions are based, or they must testify to a hypothetical question

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
What to Include in Written
Preliminary Reports?
 Anything you write down as part of your examination for a report
 Subject to discovery from the opposing attorney
 Discovery: the process of opposing attorneys seeking information from each other
 Written preliminary reports are considered high-risk documents
 It’s better if there’s no written report to provide
 Destroying the report could be considered destroying or concealing evidence (spoliation)
 Include the same information as in verbal reports
 Additional items to include in your report:
 Summarize your billing to date and estimate costs to complete the effort
 Identify the tentative conclusion (rather than the preliminary conclusion)
 Identify areas for further investigation and get confirmation from the attorney on the scope of your
examination

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Report Structure
 Structure
 Abstract (summary)
 Table of contents
 Body of report
 Conclusion
 References
 Glossary
 Acknowledgements
 Appendixes

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Writing Reports Clearly
 Consider
 Communicative quality
 Ideas and organization
 Grammar and vocabulary
 Punctuation and spelling
 Lay out ideas in logical order
 Build arguments piece by piece
 Group related ideas and sentences into paragraphs
 Group paragraphs into sections
 Avoid jargon, slang, and colloquial terms
 Define technical terms
 Consider your audience

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Writing Reports Clearly
 Considering writing style
 Use a natural language style
 Avoid repetition, vague language, and generalizations
 Use active rather than passive voice
 Avoid presenting too many details and personal observations
 Project objectivity
o Communicate calm, detached observations
 Including signposts
 Draw reader’s attention to a point
 Assist readers in scanning the text quickly by highlighting the main points and logical development of
information

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Designing the Layout and
Presentation of Reports
 Two numbering systems are typically used
 Decimal numbering structure
 Divides material into sections
 Readers can scan heading
 Readers see how parts relate to each other
 Legal-sequential numbering
 Used in pleadings
 Roman numerals represent major aspects
 Arabic numbers are supporting information
 Providing supporting material
 Use material such as figures, tables, data, and equations to help tell the story as it unfolds
 Formatting consistently
 How you format text is less important than being consistent in applying formatting
 Explaining examination and data collection methods
 Explain how you studied the problem, which should follow logically from the report’s purpose

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Designing the Layout and
Presentation
 Including calculations of Reports
 If you use any hashing algorithms, be sure to give the common name
 Providing for uncertainty and error analysis
 Protect your credibility
 Explaining results and conclusions
 Explain your findings, using subheadings to divide the discussion into logical parts
 Save broader generalizations and summaries for the report’s conclusion
 Providing references
 Cite references by author’s last name and year of publication
 Follow a standard format
 Including appendixes
 You can include appendixes containing material such as raw data, figures not used in the body of the report,
and anticipated exhibits
 Arrange them in the order referred to in the report

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Generating Report Findings with
Forensics Software Tools
 Forensics tools generate reports when performing analysis
 It is still your responsibility to explain the significance of the evidence
 Report formats
 Plaintext
 Word processor
 Spreadsheet
 HTML format

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Guidelines
 In a forensic report, the referral question is often very specific without any additional issues.
 The numeric data presented should be explained in a way that one who is not aware of the test can understand it
well.
 Opinions should not be offered if they are outside the area of competence.
 This means that reports will likely need to be written so that the layperson can understand the material presented.
 Technical language should be limited.
 Heading can be particularly useful in differentiating data and making the report more reader-friendly.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Do’s and Don'ts
 Don’t use overly technical language
 Do avoid grammatical errors, lack of clarity, and poor writing style
 Do write reports so they can be easily understood by all audiences
 Don’t use lengthy language and long sentences
 Do determine what structure report is best for the particular case.
 Don’t overwhelm the reader with needless information
 Do consider length; ask the referring party for guidance
 Do make the conclusion the most important part of the report.

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Do’s and Don'ts
 Do include all data relevant to the referral questions
 Don’t rely on only one source of data
 Do choose a test that is relevant and necessary to answer the legal questions
 Do use a test that is valid given the subject
 Don’t use a test that will not be understandable to the court
 Don’t use a test that is not valid and reliable

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Using Autopsy to Generate Reports
Viewing the Desktop Folder

Tagged files in the Desktop folder

Tagged application
folders under Program
Files

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Thank You
Question and Answers

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)