EHDFchapter 6

The document discusses the goals, guidelines, layout, and need for computer forensic investigation reports. It outlines that reports should accurately describe incidents, be understandable, withstand legal scrutiny, and contain unambiguous conclusions. It recommends using active voice, past tense, concise sentences and avoiding ambiguous terms. Sections should include a title page, background, findings, recommendations, analysis reports and appendices. Computer forensic tools are used to acquire, validate, extract, and reconstruct digital evidence for reporting. They perform functions like hashing, filtering, keyword searching and decryption.

Goals of a report

1. Accurately describe the details of the incident
2. Be understandable to decision makers
3. Be able to withstand a barrage of legal scrutiny
4. Be unambiguous and not open to misinterpretation
5. Be easily referenced
6. Contain all the information required to support the conclusion
7. Offer valid conclusions and recommendations when needed
8. Be ready on time

Guidelines for writing a report

1. Write in active voice
2. Write in past tense
3. Use concise sentences
4. Be specific
5. State what you did, not what you couldn’t do
6. Use acronyms correctly
7. Avoid jargon and ambiguous words
8. Use names consistently
9. Avoid informal language
10. Clearly identify opinion
11. Use consistent font and spacing
12. Pick a standard for representing dates and times
13. Use tables and figures appropriately
14. Use bulleted and numbered lists when appropriate
15. Standardize metadata reporting
16. Create tables or other standard formats to document metadata associated with findings. For
example, if the examination discovers a relevant file, the file’s name, timestamps, path,
MD5, and other metadata should be documented in the same exact format, to include the
fields reported, every time.
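As an added example (not from these notes), the following Python records a relevant file's metadata in one fixed format, as guidelines 12, 15 and 16 ask; the field names, the SHA-256 digest listed alongside the MD5 the notes mention, and the throwaway sample file are this example's own choices.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Added example, not from the notes: each relevant file is recorded with the same
# fields in the same order, one timestamp standard (ISO 8601, UTC) and both the
# MD5 the notes mention and SHA-256. Field names are this example's own choice.
FIELDS = ("name", "path", "size_bytes", "modified_utc", "md5", "sha256")

def hash_file(path, chunk_size=1024 * 1024):
    """Hash in chunks so large evidence files are never read into memory whole."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()

def iso_utc(epoch_seconds):
    """One date/time format for the whole report (guideline 12)."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def describe_file(path):
    """Return the standardized metadata record for one relevant file."""
    st = os.stat(path)
    md5, sha256 = hash_file(path)
    return {
        "name": os.path.basename(path),
        "path": os.path.abspath(path),
        "size_bytes": st.st_size,
        "modified_utc": iso_utc(st.st_mtime),
        "md5": md5,
        "sha256": sha256,
    }

def findings_table(records):
    """Render records as a tab-separated table with a fixed header row."""
    lines = ["\t".join(FIELDS)]
    lines += ["\t".join(str(r[f]) for f in FIELDS) for r in records]
    return "\n".join(lines)

def sample_finding():
    """Constructed sample input (not real evidence): a throwaway file in a temp dir."""
    path = os.path.join(tempfile.mkdtemp(), "sample.txt")
    with open(path, "wb") as f:
        f.write(b"hello")
    return describe_file(path)
```

Calling findings_table([sample_finding()]) prints the header row followed by one record in the fixed field order.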

Layout of an investigative report

The following sections are common in most incident reports:

Title page and table of contents A title page is required for an incident report. The title page lists
the affected organization, a brief description of the report that normally includes the incident
number or name, the date published, and the name of the organization that performed the
investigation. When required, the title page also includes caveats and protective markings such as
“Privileged and Confidential.”

Background The incident background should describe how the incident was discovered, what was
discovered, what the response was, and list the goals of the investigation. The background is
normally about two paragraphs long. The background should specify the duration of work,
including a start and stop date, and who sponsored the work.

Findings The incident findings should directly address the goals of the investigation in a very clear
and brief manner. The findings should be summaries of the information presented in the mid-level
findings section. Because these findings are part of what is considered the executive summary, they
should be readable by a broad range of audiences. The incident findings are usually no more than a
page long.

Recommendations Recommendations are categorized into short term and long term. Short-term
recommendations are the actions that are expected to resolve the current incident. They can be
completed in a short amount of time and will remove the current threat. Long-term
recommendations will enhance the overall security posture of the organization and help to prevent
future incidents.

Mid-level sections Mid-level sections are where the findings from multiple individual analysis
reports are aggregated, interpreted, and summarized. Mid-level section names vary, but should
generally relate to the investigative questions. The mid-level sections provide a “bigger picture,”
but still include some technical details. Information in mid-level sections is directly supported by
evidence presented in the individual analysis reports.

Individual analysis reports Full analysis reports, such as forensics, live response, and malware,
are included in this section. Analysis reports are the foundation for all findings in the incident
report.

Appendices The most common use for appendices is to include long listings and excerpts, such as
log file content and file listings, that would take up multiple pages in the main body of the report.
Any table or figure that exceeds one page tends to make a report harder to read. An appendix is
the perfect place to include those listings.

Need for computer forensic tools

• On which OS does the forensic tool run?
• Which operating systems does the tool support?
• Can the tool analyze more than one file system (e.g. FAT, NTFS)?
• Can a scripting language be used with the tool to automate repetitive functions?
• Does the tool have automated features that can help reduce the time needed to analyse the
data?
• What is the vendor's reputation for providing support?

Types of computer forensics tools

Here are a few computer forensics programs and devices that make computer investigations
possible:

• Disk imaging software records the structure and contents of a hard drive. With such
software, it's possible to not only copy the information in a drive, but also preserve the way
files are organized and their relationship to one another.
• Software or hardware write tools copy and reconstruct hard drives bit by bit. Both the
software and hardware tools avoid changing any information. Some tools require
investigators to remove hard drives from the suspect's computer first before making a copy.
• Hashing tools compare original hard disks to copies. The tools analyze data and assign it a
unique number. If the hash numbers on an original and a copy match, the copy is a perfect
replica of the original.
• Investigators use file recovery programs to search for and restore deleted data. These
programs locate data that the computer has marked for deletion but has not yet overwritten.
Sometimes this results in an incomplete file, which can be more difficult to analyze.
• There are several programs designed to preserve the information in a computer's random
access memory (RAM). Unlike information on a hard drive, the data in RAM ceases to exist
once someone shuts off the computer. Without the right software, this information could be
lost easily.
• Analysis software sifts through all the information on a hard drive, looking for specific
content. Because modern computers can hold gigabytes of information, it's very difficult and
time consuming to search computer files manually. For example, some analysis programs
search and evaluate Internet cookies, which can help tell investigators about the suspect's
Internet activities. Other programs let investigators search for specific content that may be
on the suspect's computer system.
• Encryption decoding software and password cracking software are useful for accessing
protected data.

Tasks performed by computer forensic tools

Acquisition

Sub-function categories are as follows:

1. Physical data copy
2. Logical data copy
3. Data acquisition format
4. Command-line acquisition
5. GUI acquisition
6. Remote acquisition
7. Verification

Examples of acquisition software are EnCase, FTK Imager, etc.

Validation and Discrimination

Validation is the process of guaranteeing the integrity of the data copied. Discrimination of data
includes sorting the data to filter out the data of interest.

Validation and discrimination are achieved using:

• Hashing (used for validation)
• Filtering (used for discrimination)
• Analysing file headers
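As an added example (not from these notes) of the three mechanisms above, the Python below validates a copy against the digest recorded at acquisition, filters out files whose hash is in a known-good set, and reads file headers to flag content that disagrees with the file's extension; the signature table, sample files and known-good set are constructed for the example.

```python
import hashlib

# Added example, not from the notes: validation by hash comparison, discrimination
# by filtering against a known-file hash set, and header (signature) analysis.
# The signatures and sample files below are constructed for the example.
HEADER_SIGNATURES = {b"\xff\xd8\xff": "jpeg", b"%PDF-": "pdf", b"PK\x03\x04": "zip", b"MZ": "exe"}
EXT_ALIASES = {"jpg": "jpeg"}  # extensions that name the same type as a header

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def validate_copy(source_digest, copy_data):
    """Validation: accept the copy only if it hashes to the digest recorded at acquisition."""
    return sha256_hex(copy_data) == source_digest

def identify_by_header(data):
    """Header analysis: return the type implied by the leading bytes, or 'unknown'."""
    for magic, kind in HEADER_SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def discriminate(files, known_good):
    """Discrimination: drop files whose hash is in the known-good set and keep the
    rest, recording hash, header type and whether the extension disagrees."""
    of_interest = {}
    for name, data in files.items():
        digest = sha256_hex(data)
        if digest in known_good:
            continue  # filtered out as a known file
        kind = identify_by_header(data)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        ext = EXT_ALIASES.get(ext, ext)
        mismatch = kind != "unknown" and kind != ext
        of_interest[name] = {"sha256": digest, "header_type": kind, "ext_mismatch": mismatch}
    return of_interest

# Constructed sample evidence (not real): a tiny 'image' and files carved from it
SOURCE_IMAGE = b"constructed-image-bytes-0001"
SOURCE_DIGEST = sha256_hex(SOURCE_IMAGE)  # digest recorded when the image was acquired
SAMPLE_FILES = {
    "calc.exe": b"MZ\x90\x00known-good-binary",
    "holiday.jpg": b"\xff\xd8\xff\xe0JFIF",
    "invoice.pdf": b"PK\x03\x04zip-content-under-a-pdf-name",
    "notes.txt": b"plain text",
}
KNOWN_GOOD = {sha256_hex(SAMPLE_FILES["calc.exe"]): "calc.exe"}  # constructed known-file set
```

Running discriminate(SAMPLE_FILES, KNOWN_GOOD) drops calc.exe and flags invoice.pdf, whose header is a ZIP signature rather than a PDF one.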

Extraction

This involves recovery of files of interest.

The sub-functions of extraction are:

• Data viewing
• Keyword searching
• Decompressing
• Carving
• Decrypting
• Bookmarking

Examples of extraction software are EnCase, FTK Imager, etc.

Reconstruction

The purpose of having a reconstruction feature in a forensic tool is to recreate a suspect drive to
display what happened during a crime or an incident.

The sub-functions of reconstruction are:

• Disk-to-disk copy
• Image-to-disk copy
• Partition-to-partition copy
• Image-to-partition copy

A disk-to-disk copy can be created using a physical device similar to the victim's disk.
Hardware duplicators such as Logicube Talon, Logicube Forensic MD5 and Drive Duplicator can be
used. Software duplicators, e.g. SnapBack, SafeBack and EnCase, are slower than hardware
duplicators.
Image-to-disk and image-to-partition copies can be carried out using many tools, e.g. SafeBack,
SnapBack, EnCase and FTK Imager, but they are slow.

Reporting

The examiner needs to write a report to complete the forensic analysis and examination. This report
should be written in such a way that it is acceptable in a court of law.

Tools such as EnCase and FTK Imager offer report generators that display bookmarked evidence.
