Forensic Report

Report Structure

The forensic report should contain:

Preamble – pages with roman numeration.
- Declaration of honor – sometimes it’s a separate document.
- List of acronyms in alphabetical order.
- List of contents.
Body – start the Arabic numeration of the pages.
- Introduction.
- Several analysis chapters, usually one per device.
- Conclusions.
Epilogue.
- Bibliography – not always required.
- Appendixes – not always required.
- Glossary – recommended.
Declaration of honor.
- usually, it’s a separate document.
- but can be included in the report.
Introduction.
- what are you looking for and why?
- list of the devices being analyzed and their IDs.
- explain the structure of the report.
Analysis.
- one chapter per analysis, e. g. for each device, DNS analysis, etc.
- for each chapter:
  - detail the device characteristics and ID.
  - the procedures you made on that device, e. g. forensic copy, run anti-virus, etc.
  - explain clearly what you found.
  - anti-virus results.
Conclusions.
- reconstruct the events based on the evidence found.
  - and include a reference to the chapter and section in the report where you detailed how you found the evidence.
- report all the found evidence, either incriminating or exculpatory.
- always use clear text and avoid complex technical terms when possible, and if needed reference to a glossary explaining the technical terms.
Bibliography.
- citations help to increase the credibility of the report and the expert.
- cite reference books in the field, or another medium with a high reputation in the field being analyzed, e. g. RFC.
- there are many bibliography styles, e. g. APA, Chicago, IEEE, Harvard, ...
  - choose one and be consistent throughout the report.
  - use tools to help format the references, e. g. JabRef, Mendeley, MS Word Reference tool.
Appendices.
- The Appendices section should be used to include information that helps to demonstrate or complements, the expert conclusions.
- Include documents relevant to the case being analyzed:
  - reports generated by used tools.
  - technical specifications from hardware vendors.
  - reports, or parts of a report, produced by someone else.
Glossary.
- explain technical terms in lay language.
- this section is important for the non-technical staff that must read the report.

Phishing - Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. The word is a neologism created as a homophone of fishing due to the similarity of using a bait in an attempt to catch a victim. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

Last updated 1 year ago

Report Structure

The forensic report should contain:

Preamble – pages with roman numeration.

Declaration of honor – sometimes it’s a separate document.
List of acronyms in alphabetical order.
List of contents.

Body – start the Arabic numeration of the pages.

Introduction.
Several analysis chapters, usually one per device.
Conclusions.

Epilogue.

Bibliography – not always required.
Appendixes – not always required.
Glossary – recommended.

Declaration of honor.

usually, it’s a separate document.
but can be included in the report.

Introduction.

what are you looking for and why?
list of the devices being analyzed and their IDs.
explain the structure of the report.

Analysis.

one chapter per analysis, e. g. for each device, DNS analysis, etc.
for each chapter:
- detail the device characteristics and ID.
- the procedures you made on that device, e. g. forensic copy, run anti-virus, etc.
- explain clearly what you found.
- anti-virus results.

Conclusions.

reconstruct the events based on the evidence found.
- and include a reference to the chapter and section in the report where you detailed how you found the evidence.
report all the found evidence, either incriminating or exculpatory.
always use clear text and avoid complex technical terms when possible, and if needed reference to a glossary explaining the technical terms.

Bibliography.

citations help to increase the credibility of the report and the expert.
cite reference books in the field, or another medium with a high reputation in the field being analyzed, e. g. RFC.
there are many bibliography styles, e. g. APA, Chicago, IEEE, Harvard, ...
- choose one and be consistent throughout the report.
- use tools to help format the references, e. g. JabRef, Mendeley, MS Word Reference tool.

Appendices.

The Appendices section should be used to include information that helps to demonstrate or complements, the expert conclusions.
Include documents relevant to the case being analyzed:
- reports generated by used tools.
- technical specifications from hardware vendors.
- reports, or parts of a report, produced by someone else.

Glossary.

explain technical terms in lay language.
this section is important for the non-technical staff that must read the report.