TLDR: This is a post about how I document my examinations. I create a Word document with a brain dump of my findings, which includes a narrative that lets me read back through it and get into the mindset I was in when I completed the examination.
The rationale behind this is that:
- At the end of the case, I have a pretty good idea of what I found and what I need to explain
- Sometimes a long time passes between examination and presentation, and it’s better to have it all written down and ready to go, along with my submitted report, in a more comprehensive fashion than just “parsed this artefact, exported that file”, etc.
I’ve been performing analysis tasks in my day job for a little while now, and in that time I’ve developed a process I thought others may benefit from reading about.
Documentation is very important. It helps you describe what you have already done in an investigation, and helps to piece the puzzle together from disparate pieces of information. It also lets another examiner understand what you’ve done and maybe even your rationale for doing so. But the main, main, main reason documentation is important is for when you come back to the job to present your findings.
Even the smaller jobs that you can hold in your head can come back to haunt you in a year or two when you have to present them at court. I found that if I had to explain my findings immediately after my examination it was simple, but if time had passed I’d have to pull out all the notes and figure it out again. That would be fine, it would just take longer. So I changed the way I work to help future me.
N.B.: I usually have a few different types of notes going for each job, but this post only covers the one aspect of my note taking that eventuates in my investigation report, because that is the part I think most people will take something away from. It won’t include the chain of custody material, the analysis report (which goes to court), or my step-by-step notes (which usually contain the processes run, etc., but not output, findings or conclusions).
Generally speaking, my investigation report is much more comprehensive, with technical information and explanations, than the statement or report that goes to court. If you try to wow people with your technical brilliance, their eyes glaze over, they stop listening and, worst case, a jury discounts the information because they don’t understand it. That being said, if your forensic report says “I found no indication of this file being accessed” to keep it simple for them, you should make sure your notes record where you looked. More on that later.
Usually, I will have a few different digital documents that are created:
- Examination Notes – A text file which contains the specific steps that have been taken, processes that have been run, etc. (e.g. new case in EnCase, exported registry hives, reviewed the ComDlg32 key with Registry Explorer, parsed the SAM with the RegRipper samparse plugin).
- Investigation report – A Word document containing scope, data dump/findings, and narrative; and
- Statement/Analysis Report – This is the findings that get submitted to the court.
The investigation report is cut down into the statement/forensic report. My investigation report usually contains too much technical information; people don’t read it (or they see technical content and skip over it) and you end up having to spend more time explaining it.
Ok! That’s enough of a preface; onto the report itself!
At the start of an analysis task (after receiving or creating images, chain of evidence, verification etc are all completed as per requirements) I will create a new ‘Investigation Report’ based on my template (usually including but not limited to): Scope, Investigation Plan, Questions, Findings, and Narrative.
* I can’t recall who I stole this from, but the only bit that I’ve added to it is the Narrative part, which is the main point of posting this.
The scope is fairly self-explanatory: I write down the questions that the investigator has given me to answer. Sometimes this involves a bit of cajoling and discussion to get a clear understanding of what they’re trying to achieve, not just what they say they want. ‘Find evil’ is not a good scope, so you may need to ascertain what information they have and what information they need to progress their investigation.
The investigation plan is a brief set of dot points listing the tasks I need to complete to achieve that scope, or at the very least a starting point: the steps I should be taking at a minimum to progress toward completion.
I find this helpful when I get a case where I don’t know what to look for (e.g. when tasked with finding something that most probably isn’t there). This way I have a place to start and a next step, and I can tick off each part as I go.
The questions section is for the investigators. As the examination progresses I tend to have questions for them, and I find it helpful to write them down here so I can keep track of them. Sometimes further examination leads me to the answers and I can just confirm them with the investigators.
The findings section is usually where I expand on my investigation plan and place the output of my tools.
I find that listing out all of the places I’ve looked helps me organise my thoughts, and having screenshots means I don’t necessarily have to repeat tasks. For example, you can easily take a screenshot of the user’s ‘Recent’ folder to show that the file you’re investigating does or does not have a corresponding LNK file. (A LNK there records that the file was opened through Explorer or a common file dialog, so its absence only shows it wasn’t opened that way; that is exactly the distinction the notes should capture, so that “no indication of access” in the report is backed by where you looked.)
Also, having pictures in your notes at court heads off some questions pretty quickly, because you don’t need to ask for a recess to check things that are easily identified in the data dumps or screenshots.
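As an added example (not code from the original post), the Python below makes that Recent-folder check reproducible in the notes: it parses each LNK’s Shell Link header and LinkInfo block to recover the target path and the target’s timestamps, records every LNK examined, and reports those pointing at the file under investigation. The LNK files, paths and timestamps are constructed inline for the demonstration, and the function names, the Recent folder path and the sample data are assumptions.

```python
"""Check a user's Recent folder for LNK files pointing at the file under examination.

Added example, not code from the original post. It parses the Shell Link (MS-SHLLINK)
header and LinkInfo block to recover the target path and the target's timestamps,
then matches on the file name. The LNK bytes are built by build_sample_lnk() and
are constructed test data, not evidence.
"""
import struct
from datetime import datetime, timedelta, timezone

# LinkFlags bits from the ShellLinkHeader.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def _cstr(data, offset):
    """NUL-terminated ANSI string, the form LinkInfo uses for its paths."""
    return data[offset:data.index(b"\x00", offset)].decode("cp1252")

def parse_lnk(data):
    """Return the target path, the target's timestamps/size and the StringData fields."""
    hdr_size, clsid, flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<I16sIIQQQI", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:           # skip the shell item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & HAS_LINK_INFO:
        base = pos
        li_size, _hdr, li_flags, _vol, local_off, _cnrl, suffix_off = struct.unpack_from("<7I", data, base)
        if li_flags & 0x1:                        # VolumeIDAndLocalBasePath: a local target
            target = _cstr(data, base + local_off) + _cstr(data, base + suffix_off)
        pos = base + li_size
    strings = {}
    for field, bit in STRING_FIELDS:              # StringData: 2-byte char count, then the chars
        if flags & bit:
            count, width = struct.unpack_from("<H", data, pos)[0], (2 if flags & IS_UNICODE else 1)
            pos += 2
            strings[field] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return {"target_path": target, "target_size": size, "target_attributes": attrs,
            "target_created": filetime_to_datetime(ctime),
            "target_accessed": filetime_to_datetime(atime),
            "target_modified": filetime_to_datetime(wtime), "strings": strings}

def build_sample_lnk(local_path, created, accessed, modified, size, relative_path=None):
    """Constructed test data: a minimal Shell Link with LinkInfo and an optional RelativePath."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_RELATIVE_PATH if relative_path else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         datetime_to_filetime(created), datetime_to_filetime(accessed),
                         datetime_to_filetime(modified), size, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 0x11, 3, 0x1234ABCD, 0x10) + b"\x00"  # DRIVE_FIXED, empty label
    local, suffix = local_path.encode("cp1252") + b"\x00", b"\x00"        # suffix is empty for local targets
    local_off = 0x1C + len(volume_id)
    suffix_off = local_off + len(local)
    link_info = struct.pack("<7I", suffix_off + len(suffix), 0x1C, 0x1, 0x1C, local_off, 0, suffix_off)
    blob = header + link_info + volume_id + local + suffix
    if relative_path:
        blob += struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    return blob

def recent_folder_check(target_name, recent_entries):
    """Record every LNK examined and return those whose target is target_name (case-insensitive).
    recent_entries: (lnk_file_name, lnk_bytes) pairs listed from %APPDATA%\\Microsoft\\Windows\\Recent."""
    wanted = "\\" + target_name.lower()
    examined, hits = [], []
    for lnk_name, blob in recent_entries:
        info = parse_lnk(blob)
        examined.append(lnk_name)
        paths = [p for p in (info["target_path"], info["strings"].get("relative_path")) if p]
        if any(p.lower().endswith(wanted) for p in paths):
            hits.append((lnk_name, info))
    return {"examined": examined, "hits": hits}

# Constructed Recent folder contents for the demonstration (not real evidence).
T = datetime(2023, 5, 4, 10, 15, 30, tzinfo=timezone.utc)
SAMPLE_RECENT = [
    ("invoice.lnk", build_sample_lnk("C:\\Users\\bob\\Documents\\invoice.docx", T, T + timedelta(days=2),
                                     T + timedelta(hours=1), 18432, "..\\..\\..\\..\\Documents\\invoice.docx")),
    ("IMG_0001.lnk", build_sample_lnk("E:\\DCIM\\IMG_0001.jpg", T, T, T, 2_400_000)),
]

if __name__ == "__main__":
    for lnk_name, info in recent_folder_check("invoice.docx", SAMPLE_RECENT)["hits"]:
        print(lnk_name, "->", info["target_path"], "modified", info["target_modified"])
```

The “examined” list is the part worth pasting into the findings section: it records which LNKs were checked, so a later “no corresponding LNK was found” is tied to the exact files looked at. Real LNKs also carry a shell item ID list and optional extra data blocks that the parser skips; for court-ready output use a maintained parser and keep this only as a record of what the check actually tests.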
On the topic of reading my notes, this is the main reason I wrote the post. A few years ago I did an examination of a few devices. A previous examiner had already done an examination and I had expanded on his work.
Prior to the court case, I had to pull the case data and reports and try to piece together my findings again. It was all well and good that I had my report, but typically I get asked questions outside of specifically what I am presenting. Not to worry: I pulled out all the information, spread it out across the desk and got to work refamiliarising myself with the case.
After that, I realised my main issue was the time that had passed between the investigation and the presentation, and that sometimes my findings section was little more than a series of extracted data and disparate thoughts that I had used to write my reports. It could still be used by another examiner to re-complete the examination, but it wasn’t as clear as I wanted it to be.
As a result, I added the narrative section. It lets me write down everything I would need to remember the specifics of the case, and to work through my thoughts and explain them coherently while the case is fresh in my mind. I find that including the important details of the case, as well as all the technical details I would like to read in a for-DFIR-eyes-only report, is very helpful for re-acquainting myself with the case when required. This then gets modified into my statement or report to explain it to a less technical audience.
I don’t have an example from a case that I can share, although I wish I could share some of them; I’m quite proud of the explanations.
Overall, I’ve found the narrative section to be quite helpful to my understanding of the case. It does take a bit longer, but I believe it allows me to really flesh out my thoughts and saves me time when I need to get back into the examination’s mindset prior to giving evidence. This last point, refreshing the information before a trial, is the major benefit I’ve found.
I don’t write the narrative for every case; if there’s little “analysis” involved then it’s not really required. But it has proven useful to write down as much “stream of consciousness” information as you can at the time, because you never know what you might need later on to jog your memory.
At the end of the day, the investigation report is really for my benefit; it doesn’t go to anyone else. But I should be able to read through it, pick up exactly what I was thinking and what I saw, and hit the ground running before I have to work on the case again. Future me is usually grateful.