The purpose of a computer forensics investigator’s report is to detail findings, not to convey an opinion or convince a jury that a suspect is guilty. The report is a statement of facts, and the jury must decide on the issue of guilt. An investigator must not only state findings, but also provide full details about the process of the investigation, which must always include mistakes investigators made or failings of an inquiry.


Recording the Use of Forensic Tools

As previously mentioned, an investigator must use multiple tools during an investigation of digital media; the lab technicians must have benchmark-tested all forensic tools; and the investigator should know these findings, including known error rates. In relation to this last point, the investigator should note the limitations of the examination, such as areas of storage media that were unreadable, as with negative sectors on a hard disk drive, bad blocks, files that failed to open, or any other inaccessible data. Being proactive about these limitations should head off some awkward questions from defense attorneys.


Time Zones and Daylight Saving Time (DST)

Obviously, dates and times are extremely important. The investigator must note the current time and the source of that time (for example, iPhone 6, cellular service provided by Verizon, time set to auto-adjust based on current location). All system times of the devices being examined must be noted and compared to the investigator's time. The website timeanddate.com can assist you with date and time formats when working out time zones and can answer other important questions you may have. For example, you can check the time in another state or another country today or at a date in the future.


Daylight Saving Time (DST)

Ireland is normally 5 hours ahead of New York, but there are exceptions: the one-hour Daylight Saving Time adjustment and the later correction back do not occur on the same weekend in the two countries. Daylight Saving Time (DST) is the practice of advancing clocks by one hour in the spring and then setting them back by one hour in the fall. In the United States, DST was written into federal law in 1966. However, a state may choose not to observe DST.

Observing DST primarily occurs in Europe and the United States. DST is one of the most problematic practices for investigators to deal with when synchronizing times from varying computers and devices across the United States and internationally.

The growth of cloud computing has meant that an organization's servers are even more scattered and likely to be located in multiple time zones. DST is simply not observed uniformly from one country to the next. Additionally, if an incident occurred over a weekend when the changeover to DST happened, times are even more difficult to determine.


Mountain Standard Time (MST)

Mountain Standard Time (MST) is a time zone in the United States that includes Arizona, Utah, Colorado, New Mexico, Wyoming, Idaho, and Montana. MST is seven hours behind UTC.

Arizona does not observe Daylight Saving Time and remains in MST all year. Therefore, during DST, the time in Arizona is the same as in California, but at other times of the year, Arizona is one hour ahead of California and the other states in Pacific Standard Time (PST). To make this scenario even more interesting, consider the fact that the Navajo Nation, in Northern Arizona, does observe DST. This might seem of little consequence in the big picture, but even if your investigation does not involve a Native American, servers may well reside in these areas.

DST is also not practiced in Hawaii, American Samoa, Guam, Puerto Rico, and the Virgin Islands.
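As an added example that is not part of the original text, the following Python encodes the US and EU DST rules discussed in the two sections above, together with a small constructed zone table, so that device timestamps from New York, Dublin, California, Arizona, and the Navajo Nation can be normalized to UTC; the mismatched changeover weekends and the Arizona exception then show up directly in the computed offsets. The zone table, the rule encoding, and the helper names are assumptions made for the example.

```python
import calendar
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M"
# Constructed zone table (an assumption, not from the text): name ->
# (standard UTC offset in hours, DST rule). Arizona keeps MST all year, the
# Navajo Nation inside Arizona follows the US rule, Ireland follows the EU rule.
ZONES = {
    "New York": (-5, "us"), "Los Angeles": (-8, "us"),
    "Phoenix": (-7, None), "Navajo Nation": (-7, "us"), "Dublin": (0, "eu"),
}

def nth_sunday(year, month, n):
    """Midnight UTC on the n-th Sunday of a month (n=-1 is the last Sunday)."""
    days = range(1, calendar.monthrange(year, month)[1] + 1)
    sundays = [d for d in days if calendar.weekday(year, month, d) == calendar.SUNDAY]
    return datetime(year, month, sundays[n - 1 if n > 0 else n], tzinfo=timezone.utc)

def dst_active(utc_dt, std, rule):
    """US rule: 2nd Sunday in March 02:00 local standard time until 1st Sunday
    in November 02:00 local daylight time. EU rule: last Sunday in March
    01:00 UTC until last Sunday in October 01:00 UTC."""
    y = utc_dt.year
    if rule == "us":
        start = nth_sunday(y, 3, 2) + timedelta(hours=2 - std)
        end = nth_sunday(y, 11, 1) + timedelta(hours=2 - (std + 1))
    elif rule == "eu":
        start = nth_sunday(y, 3, -1) + timedelta(hours=1)
        end = nth_sunday(y, 10, -1) + timedelta(hours=1)
    else:
        return False
    return start <= utc_dt < end

def offset_at(zone, utc_str):
    """UTC offset in hours of a zone at the UTC instant 'YYYY-MM-DD HH:MM'."""
    std, rule = ZONES[zone]
    utc_dt = datetime.strptime(utc_str, FMT).replace(tzinfo=timezone.utc)
    return std + 1 if dst_active(utc_dt, std, rule) else std

def to_utc(zone, local_str):
    """Convert a device's local wall-clock time to UTC ('YYYY-MM-DD HH:MM').
    Each candidate offset is checked for consistency with the DST state at that
    instant; an ambiguous fall-back hour resolves to the later (standard) instant."""
    std, _ = ZONES[zone]
    wall = datetime.strptime(local_str, FMT).replace(tzinfo=timezone.utc)
    for off in (std, std + 1):
        candidate = wall - timedelta(hours=off)
        if offset_at(zone, candidate.strftime(FMT)) == off:
            return candidate.strftime(FMT)
    return (wall - timedelta(hours=std)).strftime(FMT)  # spring-forward gap
```

Between the US changeover on the second Sunday in March and the EU changeover on the last Sunday in March, Dublin is only 4 hours ahead of New York, and noon in Phoenix in July maps to the same UTC instant as noon in Los Angeles but not as noon in the Navajo Nation.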


Coordinated Universal Time (UTC)

Coordinated Universal Time (UTC) is an international time standard that is based on longitude and uses a 24-hour clock format. UTC is calculated from 0 degrees longitude, which runs through the Royal Observatory in Greenwich, England. UTC uses atomic clocks to maintain accuracy and accounts for leap seconds. A leap second is a second that is added to clocks to allow for inconsistencies between the Earth's rotation and the time recorded by our everyday devices (watches, computers, and so on). The Leap Second Bug refers to computer glitches that can occur as a result of a leap second being added to atomic clocks in order to stay coordinated with the Earth's rotation. There are 24 time bands running east and west of Greenwich, and each band accounts for one hour (one time zone).


Greenwich Mean Time (GMT)

Greenwich Mean Time (GMT) is the time recorded at 0 degrees longitude. All time zones around the world are coordinated with this time. GMT does not recognize Daylight Saving Time. UTC is important for investigators because the system clock on a computer is based on UTC. When creating a new investigation file, most professional computer forensics software will ask the investigator for the time zone to use when synchronizing evidence files.


Creating a Comprehensive Report

Every detail in the report must be technically precise, yet the report also needs to be comprehensible, so that someone with limited technical knowledge can understand the investigator's actions and the report findings. Computer scientists talk a different language with their peers, as do doctors and lawyers. Therefore, the report should not use acronyms unless they are explained earlier in the report (for example, instead of using NIST, use National Institute of Standards and Technology), and it should not use shortened words (such as apps instead of applications) or technical terms without an explanation. For example, instead of saying, "We made a hash of the disk," say, "We used the MD5 algorithm to create an alphanumeric code that uniquely identifies the hard disk drive from the computer. This is a standard practice for computer forensics investigators to ensure that the copy they are working from is unaltered from the original media seized from a suspect's computer." You could also include a separate section for technical definitions. If you have conducted a prudent investigation and publish the facts of the case, you should have nothing to worry about. Remember, you have a duty to be fair to both the prosecution and the defense.

No ambiguity should surround anything stated in the report. Have someone else review your report for accuracy and potential inconsistencies, to identify anything confusing, and to see whether someone with no technical background can understand it. Ultimately, your report should be detailed enough for someone else to use it to re-create the same analysis and retrieve the same results.


Using Graphic Representations

A graphical representation is often superior to the written word. The saying that a picture is worth a thousand words holds true. For example, a spreadsheet with a call log is far less effective than a graphic displaying a picture of the suspect with lines to the contacts he or she communicated with the most, including any co-conspirators or a victim. A graphical timeline of events is also superior to a simple list. Likewise, a graphic of networked friends on Facebook is more appropriate than a list of friends. Additionally, maps can show how file metadata can trace the movements of a suspect, including his or her presence at the scene of a crime.

Many cell site analysis tools provide this type of map for cellphone activity.


Structuring the Report

Investigative reports vary, but you might want to structure your report as follows:

  • Cover Page
  • Table of Contents
  • Executive Summary
  • Purpose of the Investigation
  • Methodology
  • Electronic Media Analyzed
  • Report Findings
  • Investigation Details Connected to the Case
  • Exhibits/Appendices
  • Conclusion
  • Glossary


The Cover Page

The cover page should include at least the following items:

  • Report Title
  • Author
  • Department and Organization
  • Investigation Number
  • Report Date

The cover page might also include the signature and date lines for those involved in the investigation.


The Table of Contents

A well-organized report should include a table of contents to assist prosecuting and defense attorneys, as well as any expert witnesses who might be called upon to examine the report.


The Executive Summary

This portion of the report will provide a synopsis of the purpose of the examination and the investigator’s major findings. In law enforcement, a separation of duties often occurs, particularly in larger computer forensics labs. This means that one officer works the investigation, and another officer performs the forensic analysis.

Therefore, the work of more than one law enforcement agent is included in the report, and that must be clearly outlined in the report.


The Purpose of the Investigation

This section is optional because the report writer may have explained the reason for conducting the investigation in the Executive Summary. To set the tone for the report, the report writer might want to explain the reason for the investigation and the scope of the warrant, which will later help explain the types of computing devices that were examined and the areas of memory that were analyzed. For example, picture and video files will be important in a suspected pedophile case, whereas emails might be particularly important in a corporate insider investigation, and bank information is important in an embezzlement investigation.


The Methodology

The methodology can be included as a separate section in the report or can be included later. The methodology explains the science behind the examination. It should explain the approach the forensics examiner took, which might include the choice of software or hardware tools. The investigator may also reference standard practices for computer forensics examinations that were used in the examination—these could be lab specific, could come from the Department of Justice, or could be recommendations from NIST.

Predictive Coding

Predictive coding is a scientific methodology used to find keywords, patterns, or relevant content on a computer. For example, in an eDiscovery case, a forensics examiner may perform searches relating to a contractual dispute, which might include a keyword search for company names or key personnel involved in contract negotiations. When investigating fraud, a GREP search may be performed to look for patterns of numbers that resemble credit card numbers, Social Security numbers, or ABA routing numbers. As with all tools used in an examination, the investigator should explain the use of this methodology. Furthermore, at trial, the plaintiff may be required to show how the tool works, discuss benchmark tests completed with the tool before it was used in an actual examination, and explain the "seed data sets" that were used when initially testing the tool.
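The GREP-style pattern search described above, as an added example rather than code from the text: each regular expression only finds candidates, so every hit is also run through the checksum or issuance rule for that number type, and the candidates that fail are kept alongside the ones that pass, since a report must describe what was searched for and what was discarded. The sample text, pattern names, and helper functions are constructed for this example; the card numbers are public test values.

```python
import re

# Constructed sample text (not from the original page); the card numbers are
# public test values and the others are made-up strings to exercise the checks.
SAMPLE = """Invoice paid with card 4111 1111 1111 1111 on 2014-01-27.
Second card 4111 1111 1111 1112 was declined.
Wire sent to routing 111000025; an earlier attempt used 111000026.
Applicant SSN 123-45-6789; the form also lists 000-12-3456 and 987-65-4321."""

PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),  # 13-19 digits, grouped
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "aba_routing": re.compile(r"\b\d{9}\b"),
}

def luhn_ok(digits):
    """Luhn check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def aba_ok(digits):
    """ABA routing check: digits weighted 3,7,1 repeating must sum to 0 mod 10."""
    weights = [3, 7, 1] * 3
    return len(digits) == 9 and sum(int(c) * w for c, w in zip(digits, weights)) % 10 == 0

def ssn_ok(ssn):
    """Reject never-issued SSN ranges: area 000, 666, 900-999; group 00; serial 0000."""
    area, group, serial = ssn.split("-")
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")

VALIDATORS = {"credit_card": lambda m: luhn_ok(re.sub(r"\D", "", m)),
              "ssn": ssn_ok, "aba_routing": aba_ok}

def grep_identifiers(text):
    """Return {kind: [(match, passes_check), ...]} for every pattern hit.
    Failed candidates are kept on purpose: the report should state what was
    searched for, what was discarded, and why (the tool's known error rate)."""
    return {kind: [(m, VALIDATORS[kind](m)) for m in pat.findall(text)]
            for kind, pat in PATTERNS.items()}
```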


The Electronic Media Analyzed

Once again, this information might be included in another section of the report. It is important, however, to describe in detail the media examined, how the storage media related to other media examined, and how these objects related to the suspect. Consider an example:

An examination of property list files on the suspect's computer indicated that other devices had been synced to his MacBook. Property list files are configuration files that record changes to the configuration of a computer. When an iPhone, an iPod, or another device is connected to a computer via a USB cable, the device type and a unique identifying serial number are also recorded on the computer. This information led the investigator to request a search warrant for the suspect's iPhone, which was then seized on August 15, 2013. The suspect's iPhone was then examined.... Details about the suspect's iPhone found in the property list files then led the examiner to analyze the backup files on the suspect's MacBook. The backup file was located at....

All dates and times must be clearly outlined, in detail, for every step taken in the examination.


The Report Findings

As previously noted, the report should be clear about the findings related to the nature of the investigation and within the scope of all search warrants. All technical terms should be comprehensively explained. It is important for the investigator to state the facts and be careful about interpretations—that is for the attorneys and, potentially, the jury to decide. Consider an example of proper phrasing versus improper statements:

Improper: Joe Doe downloaded thousands of images of children being abused.

Proper: An analysis was performed on the hard disk drive removed from the Dell computer Model E6400, Service Tag 4X39P5. This computer was seized from the residence of John Doe, 123 River Road, Sterling City, New York 10028. A total of 578,239 images of children were downloaded to this computer. John Doe noted in his statement to police, dated January 27, 2014, that he was the only user of that computer at the residence. During the analysis, it was discovered from an analysis of Windows Registry that only one user was set up on that computer. The examiner also discovered a login and password on this Dell computer.


The Investigation Details Connected to the Case

This is not necessarily a separate section, but it is important to note supporting evidence to the investigation that is not digital. These might include statements from the suspect and witnesses.


The Exhibits/Appendices

Exhibits can include photos of seized objects, screenshots of the computer screen, tagged photographs, printed emails, and any other files of interest. Appendices can include forms, such as the evidence list and the search warrant.


Glossary

Placing a comprehensive glossary at the end of the report is good practice. Defense counsel often argue that they were at a disadvantage because of the lack of resources available to their investigation compared to those available to law enforcement. By assisting and cooperating with defense counsel and including a glossary, footnotes, and other helpful resources, you will diminish these arguments of inequality.


Last modified: Monday, 3 February 2020, 16:20