Writing Case Reports

Forensic investigators must write reports, and those reports must be comprehensive, accurate, and appropriate for a court of law. From the moment an investigator is assigned the case, content for the final report is collected and organized.

Within the report, conclusions and corresponding evidence from the investigation must be clearly presented. A well-written, convincing report may help win the case. Contained in the report are facts of the evidence, the process and steps used to find the evidence, and the expert opinion of the investigator.

Keep in mind that the audience for the report will have both technical and nontechnical backgrounds. Summary-level and detail-level information must be clearly communicated.

Technical details such as processing logs from the tools used to analyze the evidence should also be included. For example, it is important to include the log from EnCase that shows a write blocker was used when making an image copy of the hard drive, and the hash signatures must match from source to copy.

The report must be organized and include all referenced material. The electronic format of the final report should be in noneditable format, such as PDF. For sample reports, see Appendix A in the resource, "Forensic Examination of Digital Evidence: A Guide for Law Enforcement."

References

Abdalla, S., Hazem, S., & Hashem, S. (2007). Teams responsibilities for digital forensic process. Conference on Digital Forensics, Security, and Law. http://proceedings.adfsl.org/index.php/CDFSL/article/download/17/17

Ayers, R., Brothers, S., & Jansen, W. (2014). Guidelines on mobile device forensics, revision 1. NIST Special Publication 800-101. National Institute of Standards and Technology. http://dx.doi.org/10.6028/NIST.SP.800-101r1

Office of Justice Programs, National Institute of Justice, US Department of Justice. (2004). Forensic examination of digital evidence: A guide for law enforcement. Washington, DC: Office of Justice Programs. https://www.ncjrs.gov/pdffiles1/nij/199408.pdf

Resources

The following two resources are taken from Forensic Examination of Digital Evidence: A Guide for Law Enforcement:

Check Your Knowledge

Choose the best answer to each question:

Question 1
Final reports have a limited audience. To read and understand final reports, you must have an expert's understanding of all forensic processes.
True
False
Question 2
A list of the hardware and software tools used during acquisition should be included in your final report.
True
False
Question 3
Your final report should include only facts and should not include the expert's opinion.
True
False