
Report Writing Guidelines

Wed, 05/30/2012 - 1:22pm


Melia Kelley
Originally published in Digital Forensics Investigator News

Despite its importance, report writing meets with a lot of ambivalence, and even
antipathy, in our industry.

Even though digital forensics is a fairly niche field, there are still a variety of duties, jobs,
and skills involved, depending on whether you are in law enforcement, litigation work,
intelligence, etc. And there are even differences within the categories: malware
examinations will likely vary from those that focus on fraud. But despite these differences,
there are skills and duties that are encompassed in them all. One such democratizing duty
is report writing. Whether you are writing for a client, an attorney, or your boss, most of us
need to be able to communicate our findings in some way.

The funny thing is, despite being a vital skill in the industry, report writing seems to meet
with an awful lot of ambivalence, or even antipathy. In an informal poll, the question “How
do you feel about writing reports?” was posed to people in the industry. Figure 1 shows the
breakout of how 36 respondents from the digital forensics field answered this question. Bear
in mind that these are people who have vast amounts of knowledge and experience, and
would attack what most would consider a technical nightmare with glee.

Unfortunately, no matter what your feelings toward reports are, they aren’t going away.
Report writing, or just communicating findings in general, is essential to the digital forensics
field. The very best analysis is useless if it cannot be intelligently conveyed. Luckily for us,
writing is a skill. And just like the analytical and technical skills we prize, it can be learned
and honed.

The following is an attempt to share some of the guidelines that I have learned along the
way and try to adhere to in my reports. A lot of it will probably just sound like common
sense. Bear in mind that these guidelines are being written from a civil litigation report
standpoint. Law enforcement and intelligence reports will likely differ. Hopefully at least
some parts will be applicable to multiple situations.

Don’t Procrastinate
Start your report before you even begin your examination. There is usually some
information that you know before you run a single process. Even if it is filling out serial
numbers and contact information, by putting down what you do know in advance you will
never be faced with that terrifying blank page once you wrap up your investigation. I would
also recommend updating your report as you go along. You can do this by writing down
information through each step, or even by keeping notes in a way that will allow for easy
transfer to your report.

Include Analysis
Don’t fall into the trap of simply listing files and search term hits. While these can
undoubtedly be useful, what really adds value to digital forensics is the analysis. Without
context, digital evidence is just ones and zeros. If you find the “smoking bit” in a registry
key, that’s great, but it won’t do you any good if you can’t explain what it is, how it works,
and why it is significant.

Be Cautious of Absolutes
There are few times when you can say with certainty that something is always true, or
never occurs. Even if you are very sure of a statement, be careful about using absolutes.
(Unless you have tested every eventuality and are certain that no later research will reach
an opposing conclusion, an absolute statement can create havoc during cross-examination.)
Useful phrases include: “This leads me to believe...”, “It is my professional
opinion...”, “The evidence indicates...” I’m not saying that you should be wishy-washy. This
language is a means of presenting the information as what it is—a professional opinion—
because as expert witnesses we are able to express opinions.

Create a Template
Templates are easy to create and will end up saving you many hours of work down the
road. The template doesn’t have to be set in stone, but just having one will make report
writing easier, if for no other reason than because you won’t have to remember to include
things that are already built-in. They are a great tool for ensuring consistent formatting and
standardized language.

Use confidentiality language whenever appropriate. Also, I recommend having the word
“Draft” in a header, footer, or watermark on every page until the report is finalized. Those
of you familiar with the recent changes to the Federal Rules of Civil Procedure may recall
that drafts of expert reports have additional protection from discovery, but it behooves you
to make your drafts easily recognizable as such.

Break it Up
Reports can get long and are often very detailed. For the reader, they can seem dry. Also, it
seems to me that with almost every report I write, the intended audience tends to focus on
one or two items out of the entire report as the items of real interest to them. And while I
would like to think that they marvel at every word as a manifestation of genius, I know that
what they really want to do is zero in on the really juicy bits and be able to navigate easily
to other points as needed. Breaking up the report into sections is an easy way to
accommodate your readers. Below are some frequently used sections:

Title Page – This can include information such as the case name, date, investigator name,
and contact information.

Table of Contents (ToC) – This is not necessary for short reports or for those without
many sections. However, if your report is long and/or is broken out into many different
sections, including a ToC can be of great help to the reader.

Executive Summary – Especially important for longer reports, this allows the reader to
get the high level view of important findings without having to delve into specifics.

Objectives – This section is especially important to include if you were asked to perform a
targeted investigation. Other information to include would be search terms requested by the
client.

Evidence Analyzed – This should include serial numbers, hash values (MD5, SHA, etc.),
and custodian information, if known. If pictures were taken at the scene, you may want to
include them here.

Steps Taken – Be detailed. Remember, your results should be reproducible. Include
software and hardware used. Don’t forget to include version numbers.

Relevant Findings – You can further break this section up depending on the length of your
report. Subcategories will depend on the purpose of the exam, but can include things like:
Documents of Interest; Internet Activity; Software of Note; USB Devices, etc.

Timeline – Some reports will benefit from a concise timeline of important events. A good
graphic can go a long way in helping to communicate this information.

Conclusion – Highlight the important issues. This often comes in the form of a numbered
list of concise findings.

Signature – Include a signature section that can be printed out and signed.

Exhibits – I typically reserve exhibits A and B for my Curriculum Vitae and Chain of
Custody documentation, respectively. Certainly not necessary, but it makes it so that I
always remember to include them in my reports. Also, some information can be embedded
into the report itself, but if there are items of interest that get long, I highly recommend
including them as exhibits and simply hyperlinking when you refer to them in the report.
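As an added example (not code from the article or the author's own template), the script below produces the two sections above that are easiest to get wrong by hand: "Evidence Analyzed", with serial numbers, custodian and MD5/SHA-1/SHA-256 hashes per item, and "Steps Taken", with a numbered procedure and a software table that records version numbers. The Markdown layout, the column names, and the `verify_evidence` check (re-hashing an item at analysis time against its acquisition hash) are my assumptions; the sample file contents, serial and custodian are constructed placeholders.

```python
"""Build the 'Evidence Analyzed' and 'Steps Taken' report sections from
evidence files on disk. Added example, not code from the article or the
author's own template; section and column names are assumptions."""
import hashlib
import os
import platform
import tempfile

HASH_ALGOS = ("md5", "sha1", "sha256")


def hash_evidence(path, chunk_size=1 << 20):
    """Hash one evidence file with every algorithm in HASH_ALGOS in a single pass.
    The file is streamed in chunks so a large disk image is never held in memory.
    Returns {"path", "size", "md5", "sha1", "sha256"}."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    record = {"path": os.path.abspath(path), "size": size}
    record.update({name: h.hexdigest() for name, h in hashers.items()})
    return record


def verify_evidence(path, expected_sha256):
    """Re-hash an item at analysis time and compare it with the acquisition
    hash, so the report can state that the evidence was unchanged."""
    return hash_evidence(path)["sha256"] == expected_sha256.strip().lower()


def evidence_section(items):
    """Render 'Evidence Analyzed' as a Markdown table. Each item is a dict with
    'label', optional 'serial' and 'custodian', and 'record' from hash_evidence.
    Unknown serials/custodians are printed as 'unknown' rather than omitted."""
    rows = [
        "## Evidence Analyzed",
        "",
        "| Item | Serial | Custodian | Size (bytes) | MD5 | SHA-256 |",
        "|---|---|---|---|---|---|",
    ]
    for item in items:
        rec = item["record"]
        rows.append("| {} | {} | {} | {} | {} | {} |".format(
            item["label"], item.get("serial", "unknown"),
            item.get("custodian", "unknown"), rec["size"],
            rec["md5"], rec["sha256"]))
    return "\n".join(rows)


def steps_taken_section(steps, tools):
    """Render 'Steps Taken' as a numbered list followed by the software table
    with version numbers. The interpreter and OS running this script are
    recorded automatically; `tools` is {name: version} for everything else."""
    rows = ["## Steps Taken", ""]
    rows += ["{}. {}".format(i, step) for i, step in enumerate(steps, 1)]
    rows += ["", "### Software and hardware used", "",
             "| Tool | Version |", "|---|---|"]
    environment = {
        "Python": platform.python_version(),
        "Operating system": "{} {}".format(platform.system(), platform.release()),
    }
    for name, version in list(environment.items()) + list(tools.items()):
        rows.append("| {} | {} |".format(name, version))
    return "\n".join(rows)


def make_sample_file(data):
    """Write constructed sample bytes to a temporary file and return its path
    (stands in for a real evidence item so the example runs offline)."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    sample = make_sample_file(b"constructed sample evidence\n")  # constructed data
    rec = hash_evidence(sample)
    print(evidence_section([{"label": "Laptop image (constructed)",
                             "serial": "SN-PLACEHOLDER",
                             "custodian": "J. Doe (constructed)",
                             "record": rec}]))
    print()
    print(steps_taken_section(
        ["Verified acquisition hash of the image", "Parsed registry hives"],
        {"Example forensic suite (hypothetical)": "x.y.z"}))
    print("\nHash verified:", verify_evidence(sample, rec["sha256"]))
    os.remove(sample)
```

Running the script prints both sections ready to paste into a report; in practice the `tools` dictionary would be filled from the actual suite and version used, and `verify_evidence` would be called with the hash recorded on the chain-of-custody form at acquisition.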

It can be daunting enough, even for seasoned professionals, to write a report. For those
that are new to the field, the task can seem overwhelming. If you are new to the field, or
are even transitioning from one area to another, one of the best ways to get familiar with
report writing is to read as many forensic reports as you can. If your workplace has many
available, this can be a great resource. These reports are especially helpful because they give
you an idea of what is expected. The length, content, and format will vary depending on
workplace policies and intended audience. Reading other reports can help you determine not
only what works, but also what does not work.

When asked how someone can improve their skills, one of the best answers I know is
simply: do it. So get those typing fingers ready and give it a shot. It may prove as useful to
your career as any time spent with a new tool or technique. Happy writing!

Melia Kelley is a Senior Forensic Consultant for First Advantage Litigation Consulting. Melia
performs forensic investigations for cases ranging from malware to intellectual property
theft. First Advantage Litigation Consulting, 350 N. Halstead Street, Pasadena, CA
91107; melia.kelley@fadv.com; www.fadvlit.com.

TOPICS
COMPUTER FORENSICS, SUMMER 2012, FORENSIC SERVICES, EDUCATION, CASE
MANAGEMENT
