Comprehensive forensic reports are written in narrative format. You should use a professional layout for your pages. APA style compliance is not required, but you may find that the APA formatting guidelines are appropriate and provide a professional appearance for fonts, margins, sections, paragraphs, etc.
Outline / Required Content Items:
The paragraph below each item lists the full performance or “A” level requirements for that item.
1. Overview of the Case
Provided an overview section that contains an excellent summary of the case. The overview appropriately used information from the scenario. Clearly identified and accurately phrased the case questions.
2. Summary of Findings
Provided an excellent summary of the examiner’s findings at or near the beginning of the report. Clearly and accurately summarized the findings related to each case question. Provided clear and concise answers to the case questions.
3. Case Management and Evidence Handling
Demonstrated excellence in the handling, management, and documentation of the case. Submission included evidence tagging/labeling, transfer of evidence between the client and the examiner, full provenance of the evidence (as known to the examiner), chain of custody documentation, delivery package inventory, transmittal letter, and hand receipts.
4. Client Interview and Onsite Examination
Provided an excellent, thorough report detailing the conduct of a client interview and all information obtained through direct questions of the individuals who were involved or had knowledge of the incident or evidence. Correctly executed and reported upon the onsite examination (if any). Reporting includes properly labeled pictures or images of the site and all evidence.
5. Evidence Acquisition and Imaging
Report correctly explains how the forensic duplicates of the original evidence were created (or explains how this would have been done in cases where an E01 file was provided for the examination). The report includes an appendix which provides an understandable policy which governs the acquisition and forensic imaging of evidence. The policy includes requirements for wiping media (forensic sterilization) prior to use for duplication.
6. Physical and Logical Analysis of the Evidence
Report provides an excellent (correct and thorough) explanation of how the examiner analyzed the structure of the physical and logical media. Provides pictures, measurements, and descriptions of the physical media. Provides a logical analysis which includes partition types, file system types, partition names. Analysis included MBR or BPB or VBR, partitioning, root directory structure, and evidence of wiping / formatting (if any). Provides information about file systems contained within partitions (name, type, etc.).
7. Files and Folders: Recovery and Analysis
Conducted and reported upon a thorough and procedurally correct examination of active and deleted files and folders in all partitions. Identifies, recovers, and presents important files which provide answers to case questions or otherwise support the examiner’s findings. Examination report includes discussion of findings related to the following:
b. Encrypted or password protected files
c. Internet Explorer cache files
d. MS Office documents, spreadsheets, and presentations (including metadata)
e. Windows Registry files
g. Other file types as found in the image
8. File Carving, Keyword Searches, Password Recovery, and Recovery of Hidden Text or Messages
Conducted and reported upon a thorough and procedurally correct examination of the media which included recovery of files and contents thereof through file carving, password recovery, locating and recovering hidden messages or hidden information. Conducted appropriate keyword searches and reported upon both positive and negative results for all of the above.
9. Policies, Procedures, Ethics Compliance
Demonstrates excellence in compliance with ethical and procedural requirements for the conduct of forensics examinations. Report package includes correct and appropriate statements showing ethical use of software and hardware (licensing / authorized use / anti-virus protection). Provided 3 or more policy statements regarding compliance with standard practices, e.g. wiping media, evidence tagging, transfer of evidence, etc. Provided a glossary and bibliography. Provided a brief resume showing examiner’s experience and credentials.
10. Professionalism
Submitted work shows outstanding organization and the use of color, fonts, titles, headings and sub-headings, etc. is appropriate to the assignment type. No formatting, grammar, spelling, or punctuation errors. Appropriately uses footnotes or end notes (or other form of citations).