Computer Forensic Report Format

The main goal of computer forensics is to perform a structured investigation of a computing device to find out what happened or who was responsible for it, while maintaining a properly documented chain of evidence in a formal report. The template of a computer forensic report is as follows:

  1. Executive Summary :
    The Executive Summary section of the computer forensic report template provides background on the circumstances that made an investigation necessary. The Executive Summary, or Translation Summary, is read by senior management, who do not read the detailed report. This section must contain a short description, details and important pointers, and could be one page long. The Executive Summary section consists of the following:

    • Who authorized the forensic examination.
    • A list of the significant evidence, in brief.
    • Why a forensic examination of the computing device was necessary.
    • A signature block for the examiners who performed the work.
    • The full, legitimate and proper names of all people related to or involved in the case, their job titles, and the dates of initial contacts or communications.

  2. Objectives :
    The Objectives section outlines all the tasks that the investigation has planned to complete. In some cases, the forensic examination may not be a full-fledged investigation when reviewing the contents of media. The prepared plan list must be discussed and approved by legal counsel, decision makers and the client before any forensic analysis. This list should consist of the tasks undertaken, the method used by the examiner for each task, and the status of each task at the end of the report.


  3. Computer Evidence Analyzed :
    The Computer Evidence Analyzed section is where all gathered evidence and its interpretation are introduced. It provides detailed information regarding the assignment of evidence tag numbers, the description of evidence and media serial numbers.


  4. Relevant Findings :
    The Relevant Findings section gives a summary of the evidence found that has probative value. When a match is found between forensic science material recovered from a crime scene (e.g., a fingerprint, a strand of hair, a shoe print) and a reference sample provided by a suspect in the case, the match is widely considered strong evidence that the suspect is the source of the recovered material. However, the probative value of evidence can vary widely depending on the way in which the evidence is characterized and the hypothesis of interest. This section answers questions such as “What related objects or items were found during the investigation of the case?”


  5. Supporting Details :
    Supporting Details is the section where in-depth analysis of the relevant findings is done. It answers the question ‘How did we reach the conclusions outlined in Relevant Findings?’. It contains a table of vital files with full path names, results of string searches, emails/URLs reviewed, the number of files reviewed and any other relevant data. All tasks undertaken to meet the objectives are outlined in this section. Supporting Details focuses more on technical depth. It includes charts, tables and illustrations, as they convey much more than written text. To meet the outlined objectives, many subsections are also included. This is the longest section. It starts by giving background details of the media analyzed. It is not easy to report the number of files reviewed and the size of the hard drive in human-understandable language. Therefore, your client must know how much data you wanted to review to arrive at a conclusion.


  6. Investigative Leads :
    The Investigative Leads section lists action items that could help to discover additional information related to the investigation of the case. Investigators perform all outstanding tasks to find extra information if more time is left. The Investigative Leads section is very critical to law enforcement. It suggests extra tasks that could uncover the information needed to move the case forward, e.g. finding out whether there are any firewall logs that date far enough into the past to give a correct picture of any attacks that might have taken place. This section is important for a hired forensic consultant.


  7. Additional Subsections :
    Various additional subsections are included in a forensic report. These subsections depend on what the client wants and needs. The following subsections are useful in specific cases:

    • Attacker Methodology –
      The Attacker Methodology section gives an additional briefing to help the reader understand the general or exact attacks performed. This section is useful in computer intrusion cases. It examines how the attacks were carried out and what bits and pieces of the attacks look like in standard logs.

    • User Applications –
      This section discusses relevant applications installed on the media analyzed, because in many cases the applications present on the system are very relevant. Give this section a title if you are investigating a system that was used by an attacker, e.g. Cyber Attack Tools.

    • Internet Activity –
      The Internet Activity or Web Browsing History section gives the web surfing history of the user of the media analyzed. The browsing history is also useful to suggest intent, downloading of malicious tools, unallocated space, online research, and downloading of secure-delete or evidence-removal programs that wipe file slack and temporary files, which often harbor evidence very important to an investigation.

    • Recommendations –
      This section gives recommendations to position the client to be better prepared and trained for the next computer security incident. Host-based, network-based and procedural countermeasures are given to the client to reduce or eliminate the risk of security incidents.
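
The Supporting Details section (item 5) reports the number of files reviewed, the amount of data reviewed, and string-search results with full path names. The Python example below is added here and is not part of the original article; it produces those figures from a working copy of the analyzed media. The function names, the search terms and the sample files are assumptions constructed for the example.

```python
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads, so large files are never loaded whole

def search_file(path, terms, chunk_size=CHUNK):
    """Return [(term, byte_offset)] for the first case-insensitive hit of each term."""
    needles = {t: t.lower().encode() for t in terms}
    overlap = max((len(n) for n in needles.values()), default=1) - 1  # carry-over for hits split across reads
    found, tail, base = {}, b"", 0  # base: file offset of the first byte of buf
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            buf = tail + chunk.lower()
            for term, needle in needles.items():
                if term not in found and (i := buf.find(needle)) != -1:
                    found[term] = base + i
            tail = buf[-overlap:] if overlap else b""
            base += len(buf) - len(tail)
    return sorted(found.items(), key=lambda kv: kv[1])

def build_supporting_details(root, terms):
    """Walk root; return files reviewed, bytes reviewed and string-search hits."""
    report = {"files_reviewed": 0, "bytes_reviewed": 0, "hits": []}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order, so the report is reproducible
        for name in sorted(filenames):
            path = os.path.abspath(os.path.join(dirpath, name))
            report["files_reviewed"] += 1
            report["bytes_reviewed"] += os.path.getsize(path)
            report["hits"] += [(path, t, off) for t, off in search_file(path, terms)]
    return report

def render(report):
    """Format the report as the plain-text table that goes into the section."""
    rows = [f"Files reviewed: {report['files_reviewed']}",
            f"Data reviewed:  {report['bytes_reviewed']} bytes",
            f"{'Term':<16}{'Offset':<10}Full path"]
    rows += [f"{t:<16}{off:<10}{p}" for p, t, off in report["hits"]]
    return "\n".join(rows)

if __name__ == "__main__":
    # Constructed sample "media": two small files in a temporary directory.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Users", "jdoe"))
        with open(os.path.join(root, "Users", "jdoe", "notes.txt"), "wb") as fh:
            fh.write(b"meeting at noon. Wire Transfer ref 1182\n")
        with open(os.path.join(root, "pagefile.bin"), "wb") as fh:
            fh.write(b"\x00" * 100 + b"wire transfer" + b"\x00" * 20)
        print(render(build_supporting_details(root, ["wire transfer", "invoice"])))
```

Run it against a read-only mount of a working copy, never the original media, so the counts and offsets in the report can be reproduced by another examiner.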

Last Updated : 27 Jul, 2020