Tuesday, August 20, 2013

Enterprise IT Forensic Process - Reporting

So far, I have covered 3 of the 5 key processes of the Enterprise IT Forensic Process:

1) Approval - Ensuring that we are allowed to do what we want to do
2) Acquisition - Ensuring that we collect and acquire the evidence in a forensically sound manner
3) Analysis - Performing the analysis and investigation, also in a forensically sound manner

The next one is Reporting. Well, I agree, there is no rocket science about this one.

First of all, a forensic report should be written purely on the basis of evidence, and every statement must refer clearly to the evidence that supports it. An examiner or investigator should not write anything based on assumptions.

In general, a forensic report should contain the following:
1) Introduction - Describe the background of the forensic investigation.
2) Objective - Describe the objective of the investigation: what the purpose is and what you were asked to look for.
3) Executive Summary - This section provides a quick summary for management. State the main highlights or findings and the summary or conclusion.
4) Detailed Observations - List all observations, in detail, with reference to evidence. For example:
Based on the email (REF: Appendix 1, Item No.8) sent out by the suspect (Joe Black) to Mary Margaret on 18 Jul 2012 04:21:02 AM, it is possible that the suspect was aware that the invoice (REF: Appendix 1, Item No.10) that was given to her (Jane Doe) was a forged one.
5) Evidence Information - Detailed information on all evidence obtained and analysed.
6) Appendix - List all referred evidence and their contents here.
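The report structure above lends itself to a small check that enforces the "evidence only" rule: every `(REF: Appendix N, Item No.M)` in the Detailed Observations must resolve to an item listed in the Appendix, and no observation may be left without a reference. The following script is an added example, not code from the original post; the scenario, names, item contents and hashes are constructed sample data, and the reference format is assumed to be exactly the one used in the post's example sentence.

```python
"""Added example (not from the original post): assemble a forensic report in the
six-section order described above and refuse to render it if any observation
is not backed by an evidence item in the Appendix. All data is constructed."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# Matches references written as "(REF: Appendix 1, Item No.8)", the form used in the post.
REF_PATTERN = re.compile(r"REF:\s*Appendix\s+(\d+),\s*Item\s+No\.?\s*(\d+)")


@dataclass
class EvidenceItem:
    appendix: int
    item_no: int
    description: str
    content: bytes  # the acquired artefact (constructed sample content here)

    def sha256(self) -> str:
        # Digest of the artefact so the Evidence Information section ties each item to a verifiable hash.
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class ForensicReport:
    introduction: str
    objective: str
    executive_summary: str
    observations: list[str]
    evidence: list[EvidenceItem] = field(default_factory=list)

    def _evidence_keys(self) -> set[tuple[int, int]]:
        return {(e.appendix, e.item_no) for e in self.evidence}

    def unresolved_references(self) -> list[str]:
        """References in the observations that point at no listed evidence item."""
        known = self._evidence_keys()
        missing = []
        for obs in self.observations:
            for app, item in REF_PATTERN.findall(obs):
                if (int(app), int(item)) not in known:
                    missing.append(f"Appendix {app}, Item No.{item}")
        return missing

    def unreferenced_observations(self) -> list[str]:
        """Observations that cite no evidence at all (assumption rather than finding)."""
        return [o for o in self.observations if not REF_PATTERN.search(o)]

    def render(self) -> str:
        """Produce the report text, or raise if any observation lacks evidence backing."""
        if self.unresolved_references() or self.unreferenced_observations():
            raise ValueError("report has observations not backed by listed evidence")
        lines = [
            "1) Introduction", self.introduction, "",
            "2) Objective", self.objective, "",
            "3) Executive Summary", self.executive_summary, "",
            "4) Detailed Observations",
        ]
        lines += [f"- {o}" for o in self.observations]
        lines += ["", "5) Evidence Information"]
        for e in self.evidence:
            lines.append(f"Appendix {e.appendix}, Item No.{e.item_no}: {e.description} (SHA-256 {e.sha256()})")
        lines += ["", "6) Appendix"]
        for e in self.evidence:
            lines.append(f"Appendix {e.appendix}, Item No.{e.item_no}:")
            lines.append(e.content.decode("utf-8", errors="replace"))
        return "\n".join(lines)


def build_sample_report(include_invoice: bool = True) -> ForensicReport:
    """Constructed scenario mirroring the post's example observation.
    Pass include_invoice=False to see the cross-reference check catch a dangling reference."""
    evidence = [
        EvidenceItem(1, 8, "Email from Joe Black to Mary Margaret, 18 Jul 2012 04:21:02 AM",
                     b"From: joe.black@example.invalid\nSubject: invoice\n(constructed sample)"),
    ]
    if include_invoice:
        evidence.append(EvidenceItem(1, 10, "Invoice document handed to Jane Doe",
                                     b"INVOICE #0001 (constructed sample)"))
    return ForensicReport(
        introduction="Investigation into a suspected forged invoice (constructed scenario).",
        objective="Determine whether the suspect was aware the invoice was forged.",
        executive_summary="Email evidence suggests prior knowledge of the forgery.",
        observations=[
            "Based on the email (REF: Appendix 1, Item No.8) sent out by the suspect, it is possible "
            "that the suspect was aware that the invoice (REF: Appendix 1, Item No.10) was a forged one."
        ],
        evidence=evidence,
    )


if __name__ == "__main__":
    print(build_sample_report().render())
```

Running the script prints the six sections in order; calling `build_sample_report(include_invoice=False).render()` raises because the observation cites Item No.10, which is then absent from the Appendix. The hash per item in the Evidence Information section is the link back to the acquisition stage, where the same digest should have been recorded when the artefact was collected.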