Forensic investigators must write reports, and those reports must be comprehensive, accurate, and appropriate for a court of law. From the moment an investigator is assigned the case, content for the final report is collected and organized.
Within the report, conclusions and corresponding evidence from the investigation must be clearly presented. A well-written, convincing report may help win the case. Contained in the report are facts of the evidence, the process and steps used to find the evidence, and the expert opinion of the investigator.
Keep in mind that the audience for the report will have both technical and nontechnical backgrounds. Summary-level and detail-level information must be clearly communicated.
Technical details such as processing logs from the tools used to analyze the evidence should also be included. For example, it is important to include the log from EnCase that shows a write blocker was used when making an image copy of the hard drive, and the hash signatures must match from source to copy.
The report must be organized and include all referenced material. The electronic format of the final report should be in noneditable format, such as PDF. For sample reports, see Appendix A in the resource, "Forensic Examination of Digital Evidence: A Guide for Law Enforcement."
References
Abdalla, S., Hazem, S., & Hashem, S. (2007). Teams responsibilities for digital forensic process. Conference on Digital Forensics, Security, and Law. http://proceedings.adfsl.org/index.php/CDFSL/article/download/17/17
Ayers, R., Brothers, S., & Jansen, W. (2014). Guidelines on mobile device forensics, revision 1. NIST Special Publication 800-101. National Institute of Standards and Technology. http://dx.doi.org/10.6028/NIST.SP.800-101r1
Office of Justice Programs, National Institute of Justice, US Department of Justice. (2004). Forensic examination of digital evidence: A guide for law enforcement. Washington, DC: Office of Justice Programs. https://www.ncjrs.gov/pdffiles1/nij/199408.pdf
Resources
- Guidelines on Mobile Device Forensics: Case Report, Contents and Presentation — Reporting (Section 7), page 55.
The following two resources are taken from Forensic Examination of Digital Evidence: A Guide for Law Enforcement:
Check Your Knowledge
Choose the best answer to each question: