08-Report Writing Expert Witness

This document provides an overview of digital forensics reporting. It discusses the different types of reports like examination plans, preliminary reports, and full investigative reports. It outlines what should be included in these reports and provides guidelines for writing reports clearly and designing their layout and presentation. Specific topics covered include limiting reports to specifics, stating opinions based on knowledge and experience, and documenting evidence collection methods. The document also discusses preparing for expert witness testimony by maintaining a CV, preparing technical definitions, and properly documenting evidence.

Uploaded by Mohammed Lajam

Contents

Overview of Digital Forensics Reporting

Digital Forensics
• Chapter 1: Understanding Digital Forensics
• Chapter 2: Digital Forensics Investigation Process

Evidences
• Chapter 3: Data Acquisition

Tools
• Chapter 4: OS and Multimedia Forensics
• Chapter 5: Network Forensics
• Chapter 6: E-mail & Social Media Forensics
• Chapter 7: Various Internet Forensics

• Chapter 8: Report Writing & Expert Witness
Overview
• Digital forensic analysts provide facts and impart knowledge
  • Including expert opinion
• Communicate the results of your investigation
  • Present evidence
  • Provide justification for collecting more evidence
• Courts require expert witnesses to submit written reports
  • They must test evidence or gather technical information related to the case
Limiting a Report to Specifics
• All reports to clients should start with the job mission or goal, e.g.:
  • Find information on a specific subject
  • Recover certain significant documents
  • Recover certain types of files
• Before you begin writing, identify your audience and the purpose of the report
Types of Reports
• Digital forensics examiners are required to create different types of reports

Examination Plan
• A guideline for knowing what questions to expect when testifying
• Attorney uses the examination plan to guide in testimony
• Can propose changes to clarify or define information
• Helps your attorney learn the terms and functions used in computer forensics

Preliminary Report
• Less structured, or as one created in a software tool before all the data analysis is complete
• Addresses areas of investigation yet to be completed
• Tests that have not been concluded
• Interrogatories
• Document production

Full Investigative Report
• Written report
• Affidavit or declaration
• Limit what you write and pay attention to details
• Include thorough documentation and support of what you write
Guidelines for Writing Reports
• Hypothetical questions based on factual evidence
  • Guide and support your opinion
• Opinions based on knowledge and experience
  • State the facts needed to answer the question
Guidelines for Writing Reports (cont.)
• As an expert witness, you may testify to an opinion, or
conclusion, if four basic conditions are met:
• Opinion, inferences, or conclusions depend on special knowledge or
skills
• Expert should qualify as a true expert
• Expert must testify to a certain degree of certainty
• Experts must describe facts on which their opinions are based, or
they must testify to a hypothetical question

What to Include in Preliminary Reports
• Anything we write down as part of our examination for a report:
  • Is subject to discovery by the opposing attorney
  • Is considered a high-risk document
• Spoliation
  • Destroying the report could be considered destroying or concealing evidence
What to Include in Preliminary Reports (cont.)
• Additional items to include in a preliminary report:
  • Summarize billing to date and estimate costs to complete the effort
  • Identify the tentative conclusion (rather than the preliminary conclusion)
  • Identify areas for further investigation and obtain confirmation from the attorney on the scope of your examination
Report Structure
• Structure
  • Abstract (or summary)
  • Table of contents
  • Body of report
  • Conclusion
  • References
  • Glossary
  • Acknowledgements
  • Appendixes
Writing Reports Clearly
• Consider
  1. Communicative quality
  2. Ideas and organization
  3. Grammar and vocabulary
  4. Punctuation and spelling
• Lay out ideas in logical order
• Build arguments piece by piece
  • Group related ideas and sentences into paragraphs
  • Group paragraphs into sections
Writing Reports Clearly (cont.)
• Avoid jargon, slang, and colloquial terms
• Define technical terms
• Consider your audience
• Consider writing style
  • Use a natural language style
  • Avoid repetition and vague language
  • Be precise and specific
  • Use active rather than passive voice
  • Avoid presenting too many details and personal observations
• Include signposts
  • Draw the reader’s attention to a point
  • E.g.: “The first step ..”, “The second step ..”, “The problem with this is ..”, “The result shows that ..”
Designing the Layout and Presentation of Reports

Decimal numbering structure
• Divides material into sections
• Readers can scan headings
• Readers see how parts relate to each other
Example:
I. Abstract
  1.1 XXX
II. Detailed Analysis
  Computer A
    2.1 XXX
    2.2 XXX
  Computer B
    2.3 XXX
    2.4 XXX

Legal-sequential numbering
• Used in pleadings
• Roman numerals represent major aspects
• Arabic numbers are supporting information
Example:
I. Abstract
  1. XXX
II. Detailed Analysis
  Computer A
    2. XXX
    3. XXX
  Computer B
    4. XXX
    5. XXX
Designing the Layout and Presentation of Reports (cont.)
• Providing supporting material
  • Use material such as figures, tables, data, and equations to help tell the story
• Formatting consistently
  • How you format text is less important than being consistent in applying formatting
• Explaining examination and data collection methods
  • Explain how you studied the problem, which should follow logically from the purpose of the report
Designing the Layout and Presentation of Reports (cont.)
• Including calculations
  • If you use any hashing algorithms, be sure to give the common name
• Providing for uncertainty and error analysis
  • Protect credibility
• Explaining results and conclusions
  • Explain findings, using subheadings to divide the discussion into logical parts
  • Save broader generalizations and summaries for the report’s conclusion
Designing the Layout and Presentation of Reports (cont.)
• Providing references
  • Cite references by author’s last name and year of publication
  • Follow a standard format
• Including appendixes
  • Include appendixes containing material such as raw data, figures not used in the body of the report, and anticipated exhibits
  • Arrange them in the order referred to in the report
Generating Report Findings with Forensics Software Tools
• Forensics tools generate reports when performing analysis
• Report formats
  • Plaintext
  • Word processor
  • Spreadsheet
  • HTML format
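The formats listed above are what the tools emit. The following is an added example (my code, not Autopsy's and not from the slides) that renders one constructed findings table as plain text, as CSV for a spreadsheet, and as HTML. It also shows the two details an examiner should check in any generated report: strings that come from the evidence (file names, e-mail subjects) are untrusted text and are escaped in the HTML output, and cells that a spreadsheet would evaluate as a formula are neutralised in the CSV. The column names, the sample rows and their placeholder digests are all constructed.

```python
"""Render the same findings in plain text, CSV (spreadsheet) and HTML.

Added example, not Autopsy's code and not from the slides. The findings are
constructed sample rows; the 'sha256' values are placeholders, not digests.
"""
import csv
import html
import io

# Constructed column set for the findings table.
COLUMNS = ["item", "source", "sha256", "note"]

# Constructed sample findings. The note fields deliberately contain characters
# that matter when rendering: HTML markup and a leading '=' a spreadsheet
# would treat as a formula.
SAMPLE_FINDINGS = [
    {"item": "message-0001.eml", "source": "Inbox",
     "sha256": "placeholder-digest-1",
     "note": "From john_ali; subject: Q3 <draft> & final"},
    {"item": "message-0002.eml", "source": "Sent",
     "sha256": "placeholder-digest-2",
     "note": "=1+1 appears literally in the subject line"},
]


def to_plaintext(findings, columns=COLUMNS) -> str:
    """Fixed-width columns for a plain-text report or appendix."""
    widths = {c: max([len(c)] + [len(str(row.get(c, ""))) for row in findings])
              for c in columns}
    header = "  ".join(c.ljust(widths[c]) for c in columns)
    rule = "  ".join("-" * widths[c] for c in columns)
    body = ["  ".join(str(row.get(c, "")).ljust(widths[c]) for c in columns)
            for row in findings]
    return "\n".join([header, rule, *body])


def _spreadsheet_safe(value: str) -> str:
    """Prefix cells a spreadsheet would interpret as a formula with a quote so
    they stay inert text when the examiner's CSV is opened."""
    if value and value[0] in "=+-@\t\r":
        return "'" + value
    return value


def to_csv(findings, columns=COLUMNS) -> str:
    """CSV for the spreadsheet format; csv.writer handles quoting of commas,
    quotes and line breaks inside a field."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(columns)
    for row in findings:
        writer.writerow([_spreadsheet_safe(str(row.get(c, ""))) for c in columns])
    return buf.getvalue()


def to_html(findings, columns=COLUMNS, title="Findings") -> str:
    """HTML table with every evidence-derived value escaped, so a file name or
    subject line cannot inject markup into the report."""
    esc = html.escape
    parts = [f"<h2>{esc(title)}</h2>", "<table>", "<tr>"]
    parts += [f"<th>{esc(c)}</th>" for c in columns]
    parts.append("</tr>")
    for row in findings:
        cells = "".join(f"<td>{esc(str(row.get(c, '')))}</td>" for c in columns)
        parts.append("<tr>" + cells + "</tr>")
    parts.append("</table>")
    return "\n".join(parts)


if __name__ == "__main__":
    print(to_plaintext(SAMPLE_FINDINGS))
    print(to_csv(SAMPLE_FINDINGS))
    print(to_html(SAMPLE_FINDINGS))
```

Whichever format the report is delivered in, the same row data feeds all three renderers, so the plain-text appendix, the spreadsheet and the HTML version cannot drift apart.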
Using Autopsy to Generate Reports

Fact Witness VS Expert Witness

Fact Witness
• Provide only the facts found in the investigation.
• Present the evidence and explain what it is and how it was obtained.
• No conclusions, only the facts and ordinary inferences based on that evidence.

Expert Witness
• Provide opinions about what they have found or observed.
• Form these opinions from experience and deductive reasoning based on facts found during an investigation.
• Opinion based on education, training and experience.
Preparing for Testimony
• Documenting and Preparing Evidence
• Creating and Maintaining CV
• Preparing Technical Definitions
Documenting and Preparing Evidence
• Document your steps in gathering and preserving evidence.
  • Make sure they are repeatable.
• Ensure the integrity of the evidence:
  • Validate tools and verify evidence with hash algorithms.
  • Collect evidence and record the tools used in designated file folders or evidence containers.
  • Maintain the chain of custody of evidence.
• When collecting evidence, be careful not to get too little or too much information.
• Note the date and time of the forensic workstation when starting analysis.
• State how the keywords used relate to the case.
• Keep notes simple and specific to the investigation.
• List only the evidence that is relevant to the case in a report.
• Define the digital forensics procedures used to conduct the analysis.
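The hashing, tool-recording and workstation date/time points above, together with the earlier guidance that any hashing algorithm used in the report's calculations be given its common name, are shown together in one added example (my code, not from the slides or from any forensic tool). It hashes an evidence image with MD5, SHA-1 and SHA-256, checks the result against the hash recorded at acquisition, builds a chain-of-custody entry stamped with the workstation clock, and renders the calculations paragraph for the report. The examiner name, tool version and sample image bytes are constructed placeholders; the image name AA32.001 is the one used in the slides' later worked example.

```python
"""Evidence-integrity record for a forensic report.

Added example, not code from the slides or from any forensic tool. It applies
the slides' guidance: verify evidence with hash algorithms and name each
algorithm by its common name, record the tool used and the workstation
date/time, and keep a chain-of-custody entry. The examiner name, tool version
and sample image bytes are constructed placeholders; the image name AA32.001 is
the one used in the slides' worked example.
"""
import hashlib
from datetime import datetime, timezone

# Common names as they should appear in the report, mapped to the hashlib
# constructor that implements them. MD5 and SHA-1 are still reported because
# many acquisition tools record them, but both are collision-prone, so the
# SHA-256 value is the one that should carry the integrity claim.
HASH_ALGORITHMS = {
    "MD5": hashlib.md5,
    "SHA-1": hashlib.sha1,
    "SHA-256": hashlib.sha256,
}


def hash_evidence(data: bytes, chunk_size: int = 1 << 20) -> dict:
    """Return {common name: hex digest} for the evidence bytes.

    The data is fed in chunks so the same loop serves a multi-gigabyte image
    read from disk as well as an in-memory byte string.
    """
    hashers = {name: ctor() for name, ctor in HASH_ALGORITHMS.items()}
    view = memoryview(data)
    for offset in range(0, len(view), chunk_size):
        chunk = view[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_against_acquisition(data: bytes, acquisition_hashes: dict) -> dict:
    """Compare freshly computed digests with those recorded at acquisition.

    Returns {common name: True/False}. Any False means the image differs from
    what was acquired and must be explained before analysis continues.
    """
    current = hash_evidence(data)
    return {
        name: current.get(name) == expected.strip().lower()
        for name, expected in acquisition_hashes.items()
    }


def custody_entry(evidence_id, action, examiner, tool, tool_version, data,
                  when=None) -> dict:
    """Build one chain-of-custody entry for the evidence item.

    `when` is the workstation clock as an ISO 8601 UTC string; it defaults to
    now so the entry records when the step was actually performed.
    """
    if when is None:
        when = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return {
        "evidence_id": evidence_id,
        "timestamp_utc": when,
        "action": action,
        "examiner": examiner,
        "tool": f"{tool} {tool_version}",
        "hashes": hash_evidence(data),
    }


def render_calculations_section(entry: dict) -> str:
    """Render the entry as the report's calculations paragraph, naming each
    hash algorithm by its common name next to the computed value."""
    lines = [
        "Calculations",
        f"Evidence item: {entry['evidence_id']}",
        f"Step: {entry['action']} ({entry['tool']}), "
        f"performed by {entry['examiner']} at {entry['timestamp_utc']}",
    ]
    for name, digest in entry["hashes"].items():
        lines.append(f"  {name}: {digest}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed stand-in for the acquired disk image.
    image = b"constructed sample image bytes, not a real disk image"
    # Constructed acquisition record: the value the imaging examiner wrote
    # down, here simply computed from the same bytes.
    acquired = {"SHA-256": hash_evidence(image)["SHA-256"]}
    print(verify_against_acquisition(image, acquired))
    entry = custody_entry("AA32.001", "hash verification before analysis",
                          "Examiner (placeholder)", "Autopsy",
                          "version (placeholder)", image)
    print(render_calculations_section(entry))
```

The verification step is run before analysis starts and again when the image is returned to the evidence locker, so the report can state that the image was unchanged across the whole examination rather than only at the beginning.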
Creating and Maintaining CV
• Curriculum vitae (CV): lists education, training, and professional experience and is used to qualify testimony.
• Should describe tasks performed that define specific accomplishments and basic and advanced skills.
• List general and professional education and professional training.
  • Include coursework sponsored by government agencies or organizations that train government agency personnel, and courses sponsored or approved by professional associations, such as bar associations.
• Note any professional training provided or contributed to.
• Include a testimony log that reflects every testimony you have given as an expert.
• Reflects professional background.
Preparing Technical Definitions
• Prepare definitions of technical concepts for a non-technical
audience.
• Examples: MD5, SHA-1 hashing algorithms, image files, file
slack, file timestamps, computer log files, folder or directory,
hardware, software, operating system.

Testifying in Court
• Understanding the Trial Process
• Provide Qualifications for Testimony
• Guidelines on Testifying
• Testifying during Direct Examination
• Testifying during Cross-Examination
Understanding the Trial Process

Provide Qualifications for Testimony
• After the attorney has completed the examination on qualifications, he/she asks the court to accept the witness.
• The opposing counsel might object and is allowed to examine (cross-examine) the expert witness.
Guidelines on Testifying
• Be professional and polite.
• Before the trial, learn the jury’s, judge’s, and other attorneys’ level of knowledge of computers and technology.
• Two responses to use often as a witness:
  • “That is beyond the scope of my expertise” or “I was not asked to investigate that”
  • “Can you please rephrase the question?”
• Reject a restatement of your words by saying “No, that isn’t what I said,” and restate by starting with “What I said was ...”
Testifying during Direct Examination
• Direct testimony: answering questions from the attorney who hired the expert witness.
• Use language that communicates the message to the audience (judge, jury).
• Prepare a clear overview of findings and have a systematic and easy-to-follow plan for describing evidence-collection methods.
• Give answers that emphasize the factual findings and opinions.
• Remember to tailor the language to the judge’s/jury’s educational level.
Testifying during Cross-Examination
• Cross-examination: answering questions from the opposing attorney.
• Be aware of leading questions such as “Isn’t it true that forensics experts always fail to recover pictures?”
• Expect questions such as “Did you use more than one tool to verify the evidence?”
• If you make a mistake in the testimony, correct it, and get back on track with the testimony.
• Good technical credentials and related experience are the most effective defense against cross-examination.
Preparing for a Deposition or Hearing
• Deposition:
  • No jury or judge; both attorneys are present and ask questions of the expert witness.
  • Purpose: for the opposing attorney to preview your testimony before trial.
• Hearing:
  • Generally comparable to testifying at a trial.
  • Conducted in front of a judge and held in a hearing room.
  • Purpose: to determine whether the charges brought are worth pursuing or not.
Preparing Forensics Evidence for Testimony
• Example:
  • Based on your analysis of John’s computer, the general counsel at ABC Corporation has obtained an electronic discovery demand and received a forensic disk image of former employee Jack’s personal computer.
  • The general counsel sent the forensic disk image and instructed a forensics examiner to search for all e-mails from John.
  • The e-mail accounts to look for are [email protected] and john_ali@gmail.com.
  • After the forensics examiner has collected the e-mails, the general counsel wants the forensics examiner to prepare to testify at a deposition hearing about their contents.
  • He also stated that the forensics examiner needs to testify on how he/she extracted the e-mails and how the chain of custody was maintained.
  • Another examiner has already created a forensic image of Jack’s computer and gave the file to the forensics examiner.
Preparing a Defense of Evidence-Collection Methods
• Question 1: How did you find e-mails in the image of Jack’s computer?
  • Answer 1: I used Sleuth Kit’s Autopsy for Windows to access and search the AA32.001 image of Jack’s computer.
• Question 2: How did you search for e-mails on Jack’s computer?
  • Answer 2: In Autopsy, I used the Email Parser ingest module to find all Jack’s e-mails. I then sorted the received e-mails and found all from John.
• Question 3: After you found these e-mails, what did you do?
  • Answer 3: I used Autopsy to extract specific data items—in this case, e-mails—and copy them to a report. Then I used Autopsy to create an Excel spreadsheet of the extracted data.
Preparing a Defense of Evidence-Collection Methods (cont.)
• Question 4: What’s an image file?
  • Answer 4: An image file is a copy of a computer’s disk drive. It copies all areas of a disk drive, including deleted files.
• Question 5: When did you perform this examination?
  • Answer 5: I performed this examination on November 7, 2020, at about 2:00 p.m.
• Question 6: How many e-mails on Jack’s computer were from John?
  • Answer 6: I found twenty-two e-mails.
• Question 7: After finishing your examination, what did you do?
  • Answer 7: I sent the case report with the spreadsheet data to the general counsel. I then closed Autopsy and secured the external disk drive containing the forensic image of Jack’s computer in the evidence locker.
Expert Witness
• A person who testifies at a trial because he or she has
specialized knowledge of a particular subject area.
• To help the court understand complex technical processes
related to the digital evidence.
• To present the digital forensic analysis using clear explanations
and visual representations when necessary.

CyberSecurity Malaysia's Digital Forensic Lab
• The first laboratory in the Asia-Pacific region to be accredited by ASCLD/LAB in the field of 'Digital & Multimedia Evidence'
• Based on ISO/IEC 17025:2005 and the ASCLD/LAB – International Supplemental Requirements (2011 Edition) for digital forensic laboratories.
• Services:
  • Digital Forensic, Computer Forensics, Mobile Phone Forensics, Audio Forensics, Video Forensics, First Responder, Data Recovery, Data Sanitisation, Expert Witness
Source: https://www.malaysia.gov.my/portal/content/30885
Applying Ethics and Codes to Expert Witnesses
• People need ethics to help maintain their balance.
• Forensics examiners usually rely on an internal code of ethics.
• Expert witnesses are expected to present unbiased, specialized, and technical evidence to a jury.
• Ethics are a tool to identify and control biases or prejudices.
Codes of Ethics
• Look at the standards of other organizations.
  • The ethical guidelines of organizations can have a great impact on an expert’s testimony.
• E.g.: International Society of Forensic Computer Examiners (ISFCE)
  • In all forensic examinations, the investigator should maintain the greatest objectivity and present accurate findings.
  • All matters should be testified to truthfully before the court.
  • The examiner shouldn’t take any action that would appear to be a conflict of interest later on.
  • Examinations must be based on well-established and validated principles.
  • The examiner is forbidden to reveal any confidential information without the client’s permission or a court order.
  • The investigator is not allowed to misrepresent credentials or associated memberships.
Codes of Ethics (cont.)
• E.g.: High Technology Crime Investigation Association (HTCIA)
  • HTCIA members use specialized techniques and advanced technologies to uncover the “truth” so as to avoid wrongful conviction.
  • The HTCIA values its members’ integrity and the truth they reveal through computer forensics best practices, involving effective techniques used to collect digital evidence.
• International Association of Computer Investigative Specialists (IACIS)
  • Members should maintain the utmost objectivity in all forensics investigations and present the facts accurately.
  • The evidence should be examined and analyzed thoroughly.
  • Only unbiased opinions should be given.
  • Members must not conceal any findings that would cause the facts of a case to be distorted or misrepresented.
Summary
• Reports should answer the questions you were retained to answer.
• A well-defined report structure contributes to readers’ ability to understand the information you’re communicating.
  • Includes clearly labelled sections and follows a numbering scheme consistently.
• Clarity of writing is critical to a report’s success.