This is the process of presenting the evidence in a legally acceptable and understandable manner. If the matter is presented in court the people involved must all be able to understand what is presented and how it relates to the original.
The report must aid in clear communication of facts and findings and must consider the target audience. A standard Digital Forensics and Evidence Report includes the following sections:
- Name and background of person providing documentation
- Summary of Observations
- Sources of Evidence and Evidence Collected
- Attributes of the Digital Evidence that were Collected and Analyzed
- Description of Process and Procedure (both Technical and Operational) Adopted for Analysis
- Description of Process and Procedure (both Technical and Operational) Adopted for Investigation
- Description of Process and Procedure (both Technical and Operational) Adopted for Examination
- Factual Results of Investigation with Detailed Description of the Findings
- Listing and Description and any Possible Impact of the Tools Used
- Possible Chronological Sequence of Events as Deduced from the Evidence Collected.
- Chain of Custody of Evidence Highlights
- Hard and Soft Copies of Evidences
- Actions Initiated (Corrective, Communications, etc.)
- Interpretation of Results by Subject Matter Expert (SME), if required
- Report Criteria of Precision, Truthfulness and Accuracy
Please remember the preparation of the reporting documentation is an ongoing process throughout the examination. This also helps as any specific steps and/or actions taken during investigation are immediately recorded instead of the need to rely on memory if done retrospectively.
The reports should be prepared in a manner which makes the report admissible in the court of law and submitted to the following stake holders for review before any release:
- Chief Information Security Officer (CISO)
- Head of the Legal and Internal Audit
- Members of the ISIRT Team
The investigation reports and the supporting evidences should be shared in password protected and encrypted format using pre-shared keys known only to the recipients of the report to maintain confidentiality and integrity of information.