
11/7/2017 Report Writing Guidelines

Report Writing Guidelines


Wed, 05/30/2012 - 1:22pm, by Melia Kelley

Despite its importance, report writing meets with a lot
of ambivalence, and even antipathy, in our industry.

Even though digital forensics is a fairly niche field, there are
still a variety of duties, jobs, and skills involved, depending on
whether you are in law enforcement, litigation work,
intelligence, etc. And there are even differences within the
categories: malware examinations will likely vary from those
that focus on fraud. But despite these differences, there are
skills and duties that are encompassed in them all. One such
democratizing duty is report writing. Whether you are writing
for a client, an attorney, or your boss, most of us need to be
able to communicate our findings in some way.

The funny thing is, despite being a vital skill in the industry,
report writing seems to meet with an awful lot of ambivalence,
or even antipathy. In an informal poll, the question "How do
you feel about writing reports?" was posed to people in the
industry. Figure 1 shows the breakout of how 36 respondents
from the digital forensics field answered this question. Bear in
mind that these are people who have vast amounts of
knowledge and experience, and would attack what most would
consider a technical nightmare with glee.

Unfortunately, no matter what your feelings toward reports
are, they aren't going away. Report writing, or just
communicating findings in general, is essential to the digital
forensics field. The very best analysis is useless if it cannot be
intelligently conveyed. Luckily for us, writing is a skill. And just
like the analytical and technical skills we prize, it can be
learned and honed.

The following is an attempt to share some of the guidelines
that I have learned along the way and try to adhere to in my
reports. A lot of it will probably just sound like common sense.
Bear in mind that these guidelines are being written from a
civil litigation report standpoint. Law enforcement and
intelligence reports will likely differ. Hopefully at least some
parts will be applicable to multiple situations.

https://www.forensicmag.com/article/2012/05/report-writing-guidelines

Figure 1: How do you feel about writing reports?

Don't Procrastinate
Start your report before you even begin your examination.
There is usually some information that you know before you
run a single process. Even if it is filling out serial numbers and
contact information, by putting down what you do know in
advance you will never be faced with that terrifying blank page
once you wrap up your investigation. I would also recommend
updating your report as you go along. You can do this by
writing down information through each step, or even by
keeping notes in a way that will allow for easy transfer to your
report.

Include Analysis
Don't fall into the trap of simply listing files and search term
hits. While these can undoubtedly be useful, what really adds
value to digital forensics is the analysis. Without context,
digital evidence is just ones and zeros. If you find the
"smoking bit" in a registry key, that's great, but it won't do
you any good if you can't explain what it is, how it works, and
why it is significant.


Be Cautious of Absolutes
There are few times when you can say with certainty that
something is always true, or never occurs. Even if you are very
sure of a statement, be careful about using absolutes. (Unless
you have tested every eventuality and are sure there will be
no subsequent research with opposing conclusions, these
situations can create havoc during cross-examinations.) Useful
phrases include: "This leads me to believe...", "It is my
professional opinion...", "The evidence indicates..." I'm not
saying that you should be wishy-washy. This language is a
means of presenting the information as what it is, a
professional opinion, because as expert witnesses we are able
to express opinions.

Create a Template
Templates are easy to create and will end up saving you many
hours of work down the road. The template doesn't have to be
set in stone, but just having one will make report writing
easier, if for no other reason than because you won't have to
remember to include things that are already built-in. They are
a great tool for ensuring consistent formatting and
standardized language.

Use confidentiality language whenever appropriate. Also, I
recommend having the word "Draft" in a header, footer, or
watermark on every page until the report is finalized. Those of
you familiar with the recent changes to the Federal Rules of
Civil Procedure may recall that drafts of expert reports have
additional protection from discovery, but it behooves you to
make your drafts easily recognizable as such.

Break it Up
Reports can get long and are often very detailed. For the
reader, they can seem dry. Also, it seems to me that with
almost every report I write, the intended audience tends to
focus on one or two items out of the entire report as the items
of real interest to them. And while I would like to think that
they marvel at every word as a manifestation of genius, I
know that what they really want to do is zero in on the really
juicy bits and be able to navigate easily to other points as
needed. Breaking up the report into sections is an easy way to
accommodate your readers. Below are some frequently used
sections:


Title Page - This can include information such as the case
name, date, investigator name, and contact information.

Table of Contents (ToC) - This is not necessary for short
reports or for those without many sections. However, if your
report is long and/or is broken out into many different
sections, including a ToC can be of great help to the reader.

Executive Summary - Especially important for longer
reports, this allows the reader to get the high level view of
important findings without having to delve into specifics.

Objectives - This section is especially important to include if
you were asked to perform a targeted investigation. Other
information to include would be search terms requested by the
client.

Evidence Analyzed - This should include serial numbers,
hash values (MD5, SHA, etc.), and custodian information, if
known. If pictures were taken at the scene, you may want to
include them here.

Steps Taken - Be detailed. Remember, your results should be
reproducible. Include software and hardware used. Don't
forget to include version numbers.

Relevant Findings - You can further break this section up
depending on the length of your report. Subcategories will
depend on the purpose of the exam, but can include things
like: Documents of Interest; Internet Activity; Software of
Note; USB Devices, etc.

Timeline - Some reports will benefit from a concise timeline
of important events. A good graphic can go a long way in
helping to communicate this information.

Conclusion - Highlight the important issues. This often comes
in the form of a numbered list of concise findings.

Signature - Include a signature section that can be printed
out and signed.

Exhibits - I typically reserve exhibits A and B for my
Curriculum Vitae and Chain of Custody documentation,
respectively. Certainly not necessary, but it makes it so that I
always remember to include them in my reports. Also, some
information can be embedded into the report itself, but if there
are items of interest that get long, I highly recommend
including them as exhibits and simply hyperlinking when you
refer to them in the report.
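
The template and section list above, expressed as a script (an added example, not part of the original article): it renders the sections as a plain-text skeleton, stamps a Draft marker on the title block and every section until the report is finalized, and fills Evidence Analyzed with MD5 and SHA-256 values computed from the evidence files. The function names, dictionary keys, and sample values are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Section order follows the article's list; the title block is rendered separately.
SECTIONS = ["Executive Summary", "Objectives", "Evidence Analyzed", "Steps Taken",
            "Relevant Findings", "Timeline", "Conclusion", "Signature", "Exhibits"]

def hash_evidence(path, chunk=1 << 20):
    """Stream the file once; return MD5 and SHA-256 hex digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def build_report(case, examiner, evidence, tools, final=False, toc=True):
    """Render the skeleton; title block and every section carry DRAFT until final."""
    mark = "" if final else "*** DRAFT ***\n"
    parts = [f"{mark}{case}\nExaminer: {examiner}\n"]
    if toc:  # the article treats the ToC as optional for short reports
        parts.append("Table of Contents\n" + "".join(
            f"  {i}. {name}\n" for i, name in enumerate(SECTIONS, 1)))
    for name in SECTIONS:
        body = "  [to be completed]"
        if name == "Evidence Analyzed":
            lines = []
            for item in evidence:
                h = hash_evidence(item["path"])
                lines.append(f"  {item['label']} | S/N {item['serial']} | "
                             f"custodian: {item['custodian']}\n"
                             f"    MD5     {h['md5']}\n    SHA-256 {h['sha256']}")
            body = "\n".join(lines)
        elif name == "Steps Taken":  # software and hardware used, with versions
            body = "\n".join(f"  {tool}, version {ver}" for tool, ver in tools.items())
        elif name == "Exhibits":
            body = "  Exhibit A: Curriculum Vitae\n  Exhibit B: Chain of Custody"
        parts.append(f"{mark}{name}\n{body}\n")
    return "\n".join(parts)

if __name__ == "__main__":
    # Constructed sample input: a temporary file stands in for an evidence image.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"constructed sample evidence")
    item = {"label": "Item 1", "serial": "SN-PLACEHOLDER",
            "custodian": "unknown", "path": tmp.name}
    print(build_report("Sample Case", "Examiner Name", [item],
                       {"ExampleImager (placeholder)": "0.0"}))
    os.unlink(tmp.name)
```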

It can be daunting enough, even for seasoned professionals, to
write a report. For those that are new to the field, the task can
seem overwhelming. If you are new to the field, or are even
transitioning from one area to another, one of the best ways to
get familiar with report writing is to read as many forensic
reports as you can. If your workplace has many available, this
can be a great resource. These reports are especially helpful
because they give you an idea of what is expected. The length,
content, and format will vary depending on workplace policies
and intended audience. Reading other reports can help you
determine not only what works, but also what does not work.

When asked how someone can improve their skills, one of the
best answers I know is simply: do it. So get those typing
fingers ready and give it a shot. It may prove as useful to your
career as any time spent with a new tool or technique. Happy
writing!

Melia Kelley is a Senior Forensic Consultant for First
Advantage Litigation Consulting. Melia performs forensic
investigations for cases ranging from malware to intellectual
property theft. First Advantage Litigation Consulting, 350 N.
Halstead Street, Pasadena, CA 91107; melia.kelley@fadv.com;
www.fadvlit.com.


Mark Robinson, 2 years ago

It's a great article, but what would make it even better for us students of Forensics are some
actual templates or examples.
