M5 - Forensic Reporting
Class: CYBR-405
Notes:
Evidentiary Reporting Overview
Introduction to Reporting
Let's begin by introducing the basic concepts of evidentiary reporting as it pertains to general forensics. These concepts then extend to digital forensics. The greatest portion of this module is spent discussing what the structure of a good forensics report should contain and methods for documentation.
Evidentiary Reporting
The communication of the procedures, evidence, events, and conclusions that occurred in a forensic incident or investigation for the purpose of answering questions for the legal system.
Evidentiary Reporting for General Forensics
Evidentiary reporting, or the reporting of answers to legal questions, is the process by which investigators (forensics specialists, detectives, etc.) formally provide answers to the legal system. Investigators and prosecutors often cooperate throughout the investigation; attorneys continually ask questions and investigators informally provide them with answers. Investigators may also suggest additional questions or provide answers to relevant questions not yet asked by the attorneys. Answers provided can be either inculpatory or exculpatory.
Inculpatory Evidence
Tends to include a particular suspect in the commission of a crime or support a theory of events that shows guilt. Inculpatory evidence suggests that a suspect is guilty of the alleged crime.
Exculpatory Evidence
Tends to exclude a particular suspect in the commission of a crime or support a theory of events that suggests that the suspect is not guilty of the offense.
Expectations of Evidentiary Reporting
Forensic evidence serves as a main component leading to and supporting a theory about a crime. Prosecutors, defense attorneys, and jurors rely upon forensic evidence to formulate opinions and ultimately to discover the truth about what happened in the event.
The process of collecting forensic material and the documentation of the forensic collection process places the evidence in context to reveal a complete story of the event that occurred.
Therefore, the ultimate expectation of a forensic investigator's report is that it needs to show evidence to support the facts surrounding an alleged event. Any sort of bias or personal opinions should be avoided.
The report should support these facts conclusively and expertly so that a factual conclusion can be proven.
The Evidentiary Report Should Answer the Following Questions:
- Who
- Where
- What
- Why
- When
- How
Formal Reports
Documents for a forensics report should include both inculpatory and exculpatory evidence in order to demonstrate investigator objectivity in the case.
Answers to investigative questions can be provided both formally and informally.
A "formal report" is a report that is usually given as testimony in a court of law. All other forms of communication are considered informal. Combined with the distinction between written and oral reporting, this yields four forms of communication or documentation (formal written, formal oral, informal written, informal oral) that need to be very well understood.
Formal reports are provided by experts in their area of expertise. For example, a forensics chemist would provide a report (oral or written) that included the questions, evidence, and answers in a case that pertains to chemistry. Questions and evidence that do not pertain to chemistry would be excluded from the report. Information outside of the area of the investigator's expertise is not included in a formal report.
Importance of Credible Documentation
The criminal defense attorney has the challenge of evaluating the forensic evidence and demonstrating to the jury that the evidence presented by the prosecution lacks credibility and that critical evidence was missing, overlooked, filtered out, misrepresented, or not collected properly. When evidentiary reports are poorly prepared or are missing critical areas needed to fully understand the case, the case will probably be lost as the jury is likely to come back with a different opinion.
Established guidelines for documentation of crime scene forensics must be followed to prevent the defense attorneys from challenging the evidence as lacking in credibility due to not following benchmark guidelines.
Evidentiary Report Documentation
Defense attorneys have come to expect that formal forensic reports will contain complete descriptions of each step of the crime scene investigation and forensic analysis. Any omitted documentation from any step suggests a deficiency in the evidence acquisition process and, therefore, leaves the credibility of the evidentiary report to be questioned.
Evidentiary report documentation for general forensics differs from the report documentation requirements for digital forensics. However, because digital forensics is used to document a digital crime scene, it is important to know which guidelines are needed for evidence recovery and to ensure that any digital forensic report addresses those basic guidelines.
Digital Forensics Reporting
Evidentiary Requirements
Evidentiary requirements for digital forensics are:
- Proof of control over network access
- Proper access
- Usage controls along with two or multi-factor authentication procedures
Proof of control over network access and digital information is an important evidentiary requirement to ensure integrity of the evidence is maintained while in the custody of law enforcement or the digital forensics lab.
The duty rests on the data holder to ensure that the legally necessary data level protections (including access and usage controls with multifactor authentication) are in place to ensure protection and legal control of business records and public documents.
Two or Multi-Factor Authentication
Requires the use of two or multiple different factors to verify a user's identity. Includes something the user knows, something the user has and/or something the user is.
Documentation for Digital Forensics Reporting
Documentation for a digital forensics report must include the examination results of relevant sources of digital evidence collected at the scene. The resulting report must present facts from evidence collected according to evidentiary standards.
The report and notes created by the investigator should document the collection of the digital evidence and provide an outline of the alleged offense, a description of the digital forensic tools involved in the examination, the processes used during the examination procedure, and answers to the questions posed in the examination request.
FBI Documentation Guidelines were developed by Supervisory Special Agent (SSA) Dale M. Moreau at the FBI National Academy in a publication entitled Practical Suggestions Regarding Crime Scene Administration and Management. These guidelines outline a 12-step approach to crime scene forensic analysis. Transferring these steps to cyber-crime investigations and understanding the digital crime scene is critical in order to end up with an admissible report.
- Prepare
- Approach the Scene
- Secure and Protect the Scene
- Conduct Preliminary Survey
- Evaluate Physical Evidence Possibilities
- Prepare Narrative Description
- Photograph Scene
- Sketch Scene
- Conduct Search
- Collect, Record, Mark, and Preserve Evidence
- Conduct Final Survey
- Release the Scene
Evidentiary Reporting for Digital Crime Scenes
The evidentiary report for a digital crime scene must address the 12 steps previously discussed and apply the steps in a cyber-crime format. Digital evidentiary reports should also include the following information:
- The actions taken to secure and collect the digital evidence so that its integrity is ensured.
- The experience and qualifications of the people conducting the digital evidence examinations.
- An exhaustive outline detailing the steps taken to preserve the digital evidence during the seizure, examination, storage, and transfer activities.
- A clear presentation, from the point of view of the digital examiner, of which policies and procedures were followed.
- An outline of the evidence assessment procedure, detailing who examined what, how, with which method or procedure, the tools involved, and how the acquisition was accomplished.
- A detailed explanation of the examiner's conclusions.
Sections of an Evidentiary Report
After following the steps for a crime scene/digital crime scene, a digital evidentiary report is issued that usually has the following sections:
- Policy and Procedure Development
- Evidence Assessment Procedures
- Evidence Acquisition Procedures
- Evidence Examination Procedures
- Documentation and Reporting Procedures
- Summary/Findings/Conclusion
- Appendix: Supporting Documents/Charts/Graphs/Images
- Glossary
Preparation Step of Reporting
The preparation step of the report, prior to starting the investigation, is typically the most sensitive step. Preparation is the area most likely to be omitted or handled improperly at a digital crime scene, and inadequate preparation may lead to the report's inadmissibility. It is vital that a report correctly documents the scene immediately upon arrival so what actually happened can be determined.
Therefore, during the preparation phase, every potential piece of evidence must be identified, marked, and documented. Often, obvious, critical pieces of evidence are forgotten or overlooked.
Computer Systems:
- Computer systems include the hardware, software, monitor or video display devices, keyboard, mouse, peripheral or externally connected drives, devices, and components. Computer systems can include laptops, desktops, tower computers, rack-mounted systems, mainframe computers, and mini computers as well as their peripheral devices such as routers, printers, scanners, modems, and docking stations.
Storage Devices:
- Storage devices are hard drives (both external and internal) and removable media such as flash drives (USB drives, thumb drives). These are often disguised as pocket-size tools, keychains, wristwatches, children's skateboards, toys, eyeglasses, and many other commonly used items. These memory devices may contain important information such as emails, Internet browsing history, chat logs, photographs, databases, financial records, image files, and calendar event logs.
Mobile Devices:
- Mobile devices include communication devices which are portable data storage devices, such as mobile phones, smartphones, PDAs, iPads, digital multimedia devices, digital cameras, and global positioning (GPS) systems. It is important to note that data or digital evidence may be lost if power on these devices is not maintained. On some devices, such as mobile or smartphones, data can be overwritten or deleted while the device remains activated and connected to a network via a cellular signal. Most mobile devices can be remotely wiped, rendering the evidence unusable and inaccessible.
Peripheral Devices:
- Peripheral devices and other potential sources of digital evidence include microphones, surveillance equipment, digital video recorders, digital audio recorders, Voice over Internet Protocol (VoIP) phones, MP3 players, satellite audio/video receivers, access cards, video gaming consoles, chat headsets, iPads, SIM card readers, thumb-print readers, wireless devices, network switches, and power supplies.
Cloud:
- Cloud includes servers, cloud storage, password vaults, email and application hosting providers, encryption services, and anonymizers that may be used in the commission of the crime(s).
Tactics for Presenting Acceptable Evidence
When testifying in court or compiling evidence in a report, it is very important to establish facts that cannot be challenged. The forensic expert must subject all evidence to correct legal procedures when obtaining, analyzing, and reporting it.
Technology can play a tremendously critical role in evidence reporting. Certified forensic technologies greatly reduce the risk of challenges because many of their features have been:
- Vetted over time
- Endorsed by the scientific community
- Endorsed by the legal system
Reports as Admissible Evidence
Technology simply cannot resolve every potential problem that must be addressed in the forensic report. The most troublesome is perhaps the problem of admissible evidence. During investigation, evidence may be collected that reveals facts about the case but fails to meet a legal standard for evidence. Therefore, it cannot be used in court.
As far as the legal system is concerned, evidence that cannot be used in court does not exist. Therefore, evidence that is not admissible fails to answer questions for the legal system.
The standards for admissible evidence vary greatly in civil and criminal court. Therefore, a report which is admissible in a criminal court may include more or less information than a report on the same case provided to a civil court.
Contents of a Digital Forensics Report
Forensic Report Contents
Evidence and evidence collection/analysis procedures are assumed to be true until they are challenged. Once a question of validity is made, the evidence or procedure is often assumed to be flawed until proven correct. Averting these challenges requires a report that is clear and well-structured (although there is no legal requirement for either).
- Neutral but Pointed
- A forensic report must be objective and neutral, but it must also have a point. The point is usually to support or refute a particular theory with evidence that responds to pointed questions about the case. Evidence should never be manufactured or excluded to favor a theory. However, the evidence collected should be presented in an organized manner and all conclusions supported by facts.
- Accurate and Precise
- The expectation is that the evidence is as accurate and precise as possible. All conclusions should be warranted by the evidence.
- Collected Legally
- The court may rule that evidence is unacceptable if it was collected illegally. There are many reasons why evidence may be ruled unlawful.
- Analysis of one portion of evidence may create leads that cause additional evidence to be revealed. If the original piece of evidence is assessed to be illegally collected, then the original evidence and all subsequent evidence may be challenged and excluded.
- Fully Documented
- The report itself should contain all the information needed to understand the evidence: all the legally collected and acceptable evidence, the circumstances of collecting the evidence, who collected the evidence, who analyzed the evidence, and the procedures applied to analyze it. All results and conclusions should reference the evidence.
- Acceptable Evidence
- Evidence presented to the court may be challenged directly by the court or attorneys in a case if it appears that the evidence is not the most precise, not the most accurate, or not neutral. If the evidence is not fully documented (for example), all the forensic evidence may be excluded on the basis of incompetence or bias on the part of the forensic investigators/reporter.
- Analysis and Collection Procedures
- Evidence presented to the court may be challenged directly if the procedure for collecting evidence was not followed correctly, was out of date, or was incompatible with court standards for evidence collection.
Written Evidentiary Report
The written evidentiary report is the summation of the notes that have been retained throughout the investigation procedures. It should be objective, logical, reasonable, and rational; accurate in its organization; and complete in providing all details related to the incident. It should also provide all information required to support its conclusions, which should be valid, rational, and based on evidence. The report should be clearly articulated, easy to understand, and capable of withstanding legal scrutiny. The written evidentiary report should systematically provide details of the event that occurred so that the truth about the event can be determined.
Table of Contents
- Reporting Agency
- Case Number
- Case Investigator
- Submitter of Report
- Date of Receipt
- Date of Report
- List of Items Examined
- Identity and Signature of Examiner
- Forensic Software and Hardware Tools Used with Versions
- Executive Summary
- Findings Details
- Examination Process
- Appendix
- Supporting Materials
- Glossary
Findings Details
The Executive Summary may briefly summarize the results of the examinations performed on items submitted for analysis. All findings listed in the Executive Summary should also be contained in the Findings Details section of the report. The Findings Details section should describe the results of the examinations in greater detail.
NOTE: Reports should be peer reviewed before being considered final.
Examples of what is typically found in this section include:
- Graphic image analysis
- Ownership indicators (program registration data, software licensing information)
- Specific files related to the investigative request
- Deleted files and any other files that support the findings
- Internet-related evidence such as chat logs, cache files, emails, newsgroup activity, or website traffic analysis reports
- String searches, keyword searches, and text string searches
- Anonymizers used as well as any techniques found to hide or mask data, such as encryption, steganography, hidden attributes, hidden partitions, and file name anomalies
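As an added example, not part of the course notes, the following Python script encodes the Table of Contents fields listed above, the labeling and tool-version requirements, and the Findings Details rule that every Executive Summary finding must also appear in Findings Details, as a pre-submission checklist. The field names, tool names, and sample report are constructed for illustration.

```python
"""Pre-submission completeness check for a digital forensics report.

Added example: the checks follow the report fields and rules in the
course notes; the data model and the sample report are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List


@dataclass
class Tool:
    name: str
    version: str          # tools must be recorded "with versions"


@dataclass
class Item:
    label: str            # unique evidence number or letter
    description: str


@dataclass
class Finding:
    ref: str              # identifier used to cross-reference sections
    statement: str


@dataclass
class Report:
    reporting_agency: str
    case_number: str
    case_investigator: str
    submitter: str
    date_of_receipt: date
    date_of_report: date
    items_examined: List[Item]
    examiner: str
    examiner_signed: bool
    tools: List[Tool]
    executive_summary: List[Finding]
    findings_details: List[Finding]
    examination_process: str
    peer_reviewed: bool
    glossary: Dict[str, str] = field(default_factory=dict)


def validate_report(r: Report) -> List[str]:
    """Return a list of deficiencies; an empty list means the checklist passed."""
    problems: List[str] = []
    for name in ("reporting_agency", "case_number", "case_investigator",
                 "submitter", "examiner", "examination_process"):
        if not getattr(r, name).strip():
            problems.append(f"missing {name}")
    if r.date_of_report < r.date_of_receipt:
        problems.append("date of report precedes date of receipt")
    if not r.items_examined:
        problems.append("no items examined listed")
    labels = [i.label for i in r.items_examined]
    for dup in sorted({lbl for lbl in labels if labels.count(lbl) > 1}):
        problems.append(f"duplicate evidence label {dup}")
    if not r.examiner_signed:
        problems.append("examiner signature missing")
    if not r.tools:
        problems.append("no forensic tools listed")
    for t in r.tools:
        if not t.version.strip():
            problems.append(f"tool {t.name} has no version")
    detail_refs = {f.ref for f in r.findings_details}
    for f in r.executive_summary:
        if f.ref not in detail_refs:
            problems.append(f"executive summary finding {f.ref} not in findings details")
    if not r.peer_reviewed:
        problems.append("report not peer reviewed")
    return problems


def sample_report() -> Report:
    """Constructed sample carrying four deliberate deficiencies for the check to catch."""
    return Report(
        reporting_agency="Example County Digital Forensics Lab",
        case_number="EX-0000-0001",                      # placeholder case number
        case_investigator="Det. A. Example",
        submitter="Det. A. Example",
        date_of_receipt=date(2024, 3, 4),
        date_of_report=date(2024, 3, 18),
        items_examined=[
            Item("E-1", "Laptop, powered off at seizure"),
            Item("E-2", "USB flash drive"),
            Item("E-2", "Smartphone, in Faraday bag"),      # duplicate label
        ],
        examiner="J. Examiner",
        examiner_signed=True,
        tools=[Tool("Imaging tool (hypothetical)", "4.2.1"),
               Tool("Carving tool (hypothetical)", "")],    # version missing
        executive_summary=[Finding("F-1", "E-1 browser history contains the requested URL"),
                           Finding("F-3", "E-2 holds deleted image files")],
        findings_details=[Finding("F-1", "E-1 browser history contains the requested URL"),
                          Finding("F-2", "E-1 registration data names the licensee")],
        examination_process="Write-blocked imaging; keyword and deleted-file searches",
        peer_reviewed=False,                             # not yet peer reviewed
    )


if __name__ == "__main__":
    for p in validate_report(sample_report()):
        print("DEFICIENCY:", p)
```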
Formal vs. Informal Reports
Similarly, informal reports may contain information that is not found in formal reports. Formal reports are almost exclusively made for courts or other government bodies. Informal reports can be made to anyone.
For example, a business owner may have evidence that an employee has committed a crime. The evidence would be provided to the business owner via an informal report. (Remember, an informal report is almost always oral and almost never written.) When the forensic investigator produces a formal report for law enforcement, the evidence that is the "smoking gun" may be excluded if the evidence does not meet an admissibility standard.
This highlights the key difference between what is known and what is provable. There are several rules of law that the forensic investigator must keep in mind while collecting and analyzing evidence. Each rule must be addressed in formal communications and should be considered in all informal communications. Since this course focuses on digital forensics rather than general forensics, these rules are examined with a strong bent toward computers and surrounding issues.
Informal Reports
Informal reports can be emails, status updates, and phone conferences. It is generally a good practice to not put anything in an informal report that cannot be obtained via a court order. Therefore, informal reports are carefully worded so as to withstand the same scrutiny as formal reports. Informal reports should be used very carefully, provided only as requested, and every word within the report subject to the same legal standards as the formal written forensics report.
Informal telephone calls can be recorded and still end up being used as evidence that can be obtained by attorneys. Therefore, even telephone calls to relay formal reports should be held to the same legal standards as the formal forensics report. Do not say anything that will conflict with your reported findings. If you have not reached a conclusion, do not offer any opinions. Wait for the evidence to be analyzed completely before offering even informal opinions. To do so otherwise may jeopardize your Expert Witness status and result in the inadmissibility of your report as credible evidence.
The purpose of informal reports is to provide information about a case to parties who are not in the legal system and information to the legal system prior to an actual trial.
Contents of Written Reports
The structure of written reports is extremely critical because the report documents an electronic crime scene and creates a record for the investigation. The report must accurately record the following:
- Location of the scene
- The scene itself
- The state of the scene
- Power status
- Encryption status of any running computer storage devices
- Condition of computers, storage media, wireless network storage devices, smartphones, and other data storage devices
Documentation must also include detailed records using video, photography, notes, and sketches that help recreate the details of the scene. All activity and processes displayed on any screens must also be accurately, appropriately, and fully recorded according to legally accepted methods.
Evidentiary Reports and Oral Testimony
A digital forensics evidentiary report also provides structure for oral testimony. This structure acts as a tool that guides the development of the narrative and ensures the result of the investigation is clearly and unambiguously understood.
Once the evidence is examined and a solid conclusion can be made, structuring these processes for an oral report provides a professional way to communicate technical evidence in a manner that can be understood to follow legal crime scene evidence collection procedures. The oral testimony would be a summation of the written report along with expert witness responses regarding the findings of the investigation.
Expert Witness
An Expert Witness is a person with specialized knowledge, skills, education, or experience in a particular field who is called upon to provide their expertise in legal proceedings to assist the court with understanding complex technical or scientific issues.
Digital Forensics Reporting for Businesses and Enterprises
In business settings, forensics helps to protect the business by answering questions needed by the legal system. The challenge is that attorneys are not usually the first or only consumer of that information.
Digital Forensics Reporting for Criminal Investigations
Formal digital forensic investigative reports are often provided to:
- Lead detectives
- Forensic team project manager
- Attorneys
- Peers who wish to subsequently review or reexamine the evidence
Informal reports are usually oral and not written. Emails, memos, and other written documents are avoided prior to completing the final, formal report.
Informal Report
All forms of communication, other than a formal written report.
Oral Reports
Oral Reporting
The reporting of forensics facts, evidence, procedures, and conclusions by speaking to an audience is the oral reporting of forensics. Oral testimony wins and loses many legal cases. An accomplished expert can provide clarity and understanding where only cold facts exist. Like written reports, oral reports can be either formal or informal.
- Goal of oral reports: Answer questions. The audience seeking these answers is most frequently the legal system.
- Purpose of the oral formal report: Provide answers through spoken testimony and not paragraphs and charts.
Oral Evidentiary Reports
Documented oral communications are better at conveying information unambiguously. However, the documented oral communication bears a larger risk as it is subject to discovery. The most frequent informal oral presentation that is documented is called a deposition. A deposition is the pre-trial interrogation of a witness by an attorney.
As a general rule, courts prefer to receive the evidence formally, which is to hear the presentation of the evidence in court through direct examination. However, litigation can take many months or years, during which time any number of events may occur that cause direct examination to become unavailable. In such a case, the best evidence may become the deposition. The rules for accepting depositions in place of testimony vary from court to court.
Depositions do partially separate the presenter from the report, the assessment of the facts, and the presentation. The deposition of a witness may be called by an attorney to assess the evidence and facts of the case, but in fact it is the presenter and the presentation that are under scrutiny.
A good presenter can use weak or bad evidence to convince a judge or jury, while a bad presenter may not be able to convince the jury of the truth even with good evidence. Therefore, all depositions should be handled with the same professionalism as would be expected if the oral testimony were provided in direct or cross-examination.
Formal Oral Reports
Formal reports present answers as testimony in court and in the presence of the court judge or judges, a jury of peers, attorneys for the prosecution, and attorneys for the defense. The oral statements are documented by a court reporter who transcribes the spoken words of the attorneys, judges, and witnesses into a written record. The format and style of oral reports do not vary greatly from public to private investigations.
In both civil and criminal cases, judges and jury members can assess the presentation, the presenter, and the report in one setting by taking oral testimony in court. The attorneys of the case will have equal opportunity to obtain testimony by interactively directing questions to the investigator. Testimony obtained from questions asked by the attorney who hired the investigator is called direct examination. Testimony obtained by the opposing attorney is called cross-examination.
Formal Oral Communication
Formal oral communication generally occurs after the process of prosecuting a criminal case has begun, or the process for pursuing civil action has started. This form of communication and evidentiary reporting must be very clear, precise, and accurate. The accuracy and veracity of each statement are subject to scrutiny by the attorneys, judge(s), and jury members. Formal oral reporting must also conform to any legal procedural specifications required by the particular court to which the evidence is being reported.
Formal oral presentations bear a certain risk to a prosecution. Litigation (legal presentation of a case to a court) is about convincing a jury or judge that a particular set of events occurred and that a particular person criminally participated in those events.
Do not say anything that will conflict with your reported findings. If you have not reached a conclusion, do not offer any opinions. Wait for the evidence to be analyzed completely before offering even informal opinions. To do so otherwise may jeopardize your professional reputation and result in the inadmissibility of your report as credible evidence.
Challenges in Digital Forensic Reporting
There are multiple challenges investigators face when developing digital forensics reports including: credible and accurate reports, legal acceptance of a report, objectivity, entropy, drawing conclusions, structure and style of report, and addressing the audience.
Credible and Accurate Report Challenges
There are a number of challenges when producing a credible, accurate report that can be used in a legal setting, including:
- Failure to be comprehensive when documenting evidence.
- Overlooking specific items that may influence the outcome of the case.
- Failure to collect evidence using evidence bags.
- Exposing digital evidence to magnetic fields, moisture, dust, or other elements that may damage or destroy it.
- Failure to preserve power sources, causing valuable digital evidence to be lost.
- Failure to label each piece of evidence correctly with a unique number or letter.
- Failure to preserve trace biological evidence such as sweat or DNA.
Practices that avert these challenges include:
- Use proper evidence bags and envelopes for packaging and sending digital evidence to protect against static electricity or humidity, which may damage or destroy the evidence.
- Leave mobile devices in the power state in which they were found (leave on or off).
- Ensure that mobile devices have been isolated from any Wi-Fi, Bluetooth, or cellular networks.
- Package mobile devices in signal-blocking packages (Faraday isolation bags) to prevent data messages from being sent or received by the devices.
- Collect power supplies and adapters for the electronic devices seized.
- Look for evidence of cloud servers and information stored in the cloud.
Legal Acceptance of a Report
The second challenge is for the legal system to accept a digital forensics report. The forensics process itself must be rigorously tested and validated. Computer systems are constantly maturing with new hardware and software technology. Each new hardware or software component introduces the potential that an existing test or process may not perform as expected. This challenge is ongoing and must be constantly combated throughout the text of the report. The forensic examiner will need to ensure that the tools used have been tested, verified, and validated.
Drawing Conclusions
The third challenge is one of reasonable conclusions. This challenge speaks to the problem of drawing conclusions from the evidence that has been collected.
Conclusions drawn from the digital evidence must be especially clear, precisely written, and leave no reasonable doubt. Where conclusions are unclear, the reader can take away something unintended from the report. For example, the reader may:
- Assume facts that are not present in the report.
- Misinterpret facts or conclusions.
- Apply incorrect significance to facts.
- Completely miss facts.
Objectivity
The fourth challenge is objectivity. If the reader senses a lack of objectivity in the report, the reader will naturally assume the investigation is tainted. For instance, an example of an objective statement might be, "The website in question was accessed from the IP address xxx.xx.xx.x at 3:02pm CST."
An example of a biased statement might be, "The suspect accessed the website at 3:02pm CST." In this case, the investigator should not assume that it was the suspect who accessed the website.
This challenge of user attribution is common to all forensic fields but holds a particular place of significance in digital forensics. Computers are often assumed to be able to produce any result; at the core of this belief is an assumption of bias or lack of objectivity.
Structure and Style of Report
The fifth challenge is the challenge of appropriate structure and style. A digital forensics report must contribute specific information critical to the investigation. Inclusion of all the evidence produces a well-written, factual report the legal community can use as evidence.
Failure to provide a report in a standard considered "usual and customary" in the digital forensics field may result in the forensics investigator being viewed as an amateur, unprofessional, or without credibility.
Entropy
The sixth challenge is the conflict of entropy. This difficulty results from the fact that evidence ages and legal actions can extend for years. Ideally, both the evidence and the report would be available for as long as necessary. In reality, hardware will age and fail and software will become less available as it ages. Time deters extended scrutiny of the evidence.
The report produced in the original investigation should preserve the conclusions of the investigation. It should be clear and complete enough that the details of the investigation can be reexamined 10 or 20 years after the fact. Similarly, the report itself should be available 20 years after the fact. The report itself may be digital, but, as we have established, software will age; a paper report may likewise become unreadable.
Addressing the Audience
The seventh and final challenge is the question of addressing the audience. Every report has a specific audience that will be consuming the information.
The report must be appropriate in the level of abstraction as well as the style and formality for that audience. Reports are written for the legal community, jurors' understanding, and use in business and government agencies.