(for ALL lab assignments except Lab 0; remove red writing before submitting assignments)
Examiner: your name and company (simulated)
Case Background: give an adequate description of the scenario as if the reader knows nothing about this case. Why are you conducting this examination? Who requested it? This should be more than 2-3 sentences. Use what’s given to you in the lab scenario assignment to establish a quality case background.
Legal Authority: (to conduct the exam, i.e. warrant, consent, or government / organizational property. This must always be stated in a report):
For the readers' sake (they are often not technical), break up this section into subsections.
(Include full software versions (simulate when necessary). Include hardware, i.e. the system you used to conduct the examination, with serial numbers (your desktop / laptop). Also, simulate using a hardware write-blocker if the scenario doesn’t specify how the data is write protected.
A write-blocker prevents any writes to the media being examined so the examiner can acquire it safely without altering the original evidence.)
Initial Processing (show both acquisition and verification hash sums; list the media examined with description and serial number / see Addendum A). Example verbiage: “The processing included inspection, photography, anti-virus scan, and the imaging laptop. The imaging of the media created forensic evidence files for use in the subsequent forensic examination. Methods were forensically sound and verifiable.”
Preliminary Findings: (out of analyzing X number of files, X were of forensic value; briefly describe the partition and file structure of the media examined; this is a synopsis of what you found of forensic value.)
Detailed Findings: (this is where most or all of the case questions can be answered along with whatever else is required in the grading deliverables. This will always be the longest part of your report. If you feel that some detailed findings would be better placed in an Addendum, that’s a good place too).
Conclusions / Further Actions Required: (just state the facts; recommend what other devices could be examined to further the case; recommend interviews of subjects if applicable; are there protected files that need decryption?
Do not make judgment calls, e.g. “John Smith should be removed from his position”; give the client the facts and let them make the decisions on what to do with the information.)
Each Addendum should start on a separate page.
Addendum A: Photos
(simulate with pics of similar devices you find on the Internet. It is always a good idea to include a picture of the evidence you examined.)
The following is a photograph of XXXX
PICTURE(s) SHOWN HERE
The following details the forensic image processing.
example: Seagate Hard Drive, 250GB, Serial #12345:
Digital Forensics Examiner (DFE) created forensic evidence files of XXXX drive #XXXX.
The pre-processing hash results are presented below:
MD5 checksum: XXXX
SHA1 checksum: XXXX
The forensic processing subsequently created XXXX (X) files (simulated).
Forensic Evidence Files Created: XXX.E01 – XXXX.E04 (example with four files)
The forensic imaging process involved a post processing hash verification of the contents of the evidence file compared with the pre-processing hash. The hash analysis is presented below.
MD5 checksum: XXXX: verified
SHA1 checksum: XXXX: verified
The forensic imaging process successfully created a forensically sound and verifiable bit stream copy of the hard drive in the form of forensic evidence files.
Addendum B: Steps Taken
These are your notes on the steps you took while conducting the examination. Often, the examiner must submit their notes along with the forensic report if a case goes to court.
I recommend just numbering your steps, i.e. 1, 2, 3, in chronological order.
Start with how you received the media and describe how you sterilized the target media. For example:
1. Original USB drives and CD-Rs received from R. Jones. Items labeled and chain of custody (COC) documentation initiated.
2. Forensically sterilized target media prepared using Paladin vX.XX.XXX. After launching the Paladin tool, the target media was physically connected to the workstation running Paladin. Target media was wiped using command “sudo dcfldd pattern=00 of=/dev/sdc” and then verified against the same zero pattern using command “sudo dcfldd pattern=00 vf=/dev/sdc”. Results were a match, verifying the target media was forensically sterile.
3. Describe your analysis steps.
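As an added worked example (not part of the template, Paladin or dcfldd), the following Python script reproduces two checks the report relies on: the pre-/post-processing MD5 and SHA1 verification of Addendum A, and the sterile-target check of step 2 above. It runs on constructed sample files in a temporary directory rather than real devices; the function and file names are assumptions for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # hash in blocks; real media is never read into memory whole


def hash_media(path):
    """Pre-/post-processing hashes of a device or image file, as in Addendum A."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_sterile(path, pattern=b"\x00"):
    """Same check as 'dcfldd pattern=00 vf=<dev>': True only if every byte equals
    the single-byte pattern (a one-byte pattern is assumed)."""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if block.count(pattern) != len(block):
                return False
    return True


def acquire(source, image_path):
    """Bit-stream copy of source into a raw image. Returns (pre, post, verified):
    source is hashed before imaging, the image afterwards, and they must match."""
    pre = hash_media(source)
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    post = hash_media(image_path)
    return pre, post, pre == post


def demo():
    """Constructed sample media (not real devices): a zero-filled 1 MiB target
    and 1 MiB of random 'evidence'; returns the results of both checks."""
    workdir = tempfile.mkdtemp(prefix="lab_")
    target = os.path.join(workdir, "target.raw")
    evidence = os.path.join(workdir, "evidence.raw")
    with open(target, "wb") as f:
        f.write(b"\x00" * (1 << 20))
    with open(evidence, "wb") as f:
        f.write(os.urandom(1 << 20))
    pre, post, verified = acquire(evidence, os.path.join(workdir, "evidence.dd"))
    return {"workdir": workdir, "sterile": verify_sterile(target),
            "pre": pre, "post": post, "verified": verified}


if __name__ == "__main__":
    r = demo()
    print("target sterile:", r["sterile"])
    print("MD5 checksum:", r["pre"]["md5"], "verified" if r["verified"] else "MISMATCH")
```

The printed lines match the verbiage of Addendum A, so the same values can be pasted into the report once the script is run against the actual evidence image.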