Notes - MCS
Computer Systems Forensic Analysis
Forensic Report

Report Structure

The forensic report should contain:

  • Preamble – pages numbered with Roman numerals.

    • Declaration of honor – sometimes it’s a separate document.

    • List of acronyms in alphabetical order.

    • List of contents.

  • Body – Arabic page numbering starts here.

    • Introduction.

    • Several analysis chapters, usually one per device.

    • Conclusions.

  • Epilogue.

    • Bibliography – not always required.

    • Appendixes – not always required.

    • Glossary – recommended.

  • Declaration of honor.

    • usually a separate document,

    • but it can be included in the report.

  • Introduction.

    • what are you looking for and why?

    • list of the devices being analyzed and their IDs.

    • explain the structure of the report.

  • Analysis.

    • one chapter per analysis, e.g. one per device, DNS analysis, etc.

    • for each chapter:

      • detail the device characteristics and ID.

      • the procedures you performed on that device, e.g. forensic copy, anti-virus scan, etc.

      • explain clearly what you found.

      • anti-virus results.

  • Conclusions.

    • reconstruct the events based on the evidence found.

      • and include a reference to the chapter and section in the report where you detailed how you found the evidence.

    • report all the found evidence, either incriminating or exculpatory.

    • always use plain language and avoid complex technical terms where possible; where they are needed, refer to a glossary that explains them.

  • Bibliography.

    • citations help to increase the credibility of the report and the expert.

    • cite reference books in the field, or other sources with a high reputation in the field being analyzed, e.g. RFCs.

    • there are many bibliography styles, e.g. APA, Chicago, IEEE, Harvard, ...

      • choose one and be consistent throughout the report.

      • use tools to help format the references, e.g. JabRef, Mendeley, the MS Word references tool.

  • Appendices.

    • The Appendices section should be used for information that demonstrates or complements the expert's conclusions.

    • Include documents relevant to the case being analyzed:

      • reports generated by used tools.

      • technical specifications from hardware vendors.

      • reports, or parts of a report, produced by someone else.

  • Glossary.

    • explain technical terms in lay language.

    • this section is important for the non-technical staff that must read the report.

Phishing - Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. The word is a neologism created as a homophone of fishing due to the similarity of using a bait in an attempt to catch a victim. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.