COEN 252 Computer Forensics Writing Computer Forensics Reports
Forensics Reports • Forensics reports only state findings. • If they draw conclusions, then they are expert testimony.
Expert Report • A report that offers an opinion is an expert report. • Writer of the report needs to qualify as an expert. • An expert report used in court has additional requirements. • Expert’s expertise and trustworthiness are on trial, too.
Expert Report • Fundamental Decision: Daubert • DAUBERT et ux., individually and as guardians ad litem for DAUBERT, et al. v. MERRELL DOW PHARMACEUTICALS, INC. • Juries decide on “matters of fact”, not on “matters of law” • What is placed before a jury is tightly regulated • Rules of Evidence. • Most testimony is limited to relaying sensory experiences, interpreted by the jury according to common sense. • Experts provide insight that common sense does not offer.
Expert Report • An expert offers an opinion by applying the expert’s specific knowledge to the specific circumstances of the case. • An expert can also testify to general scientific or technical principles and leave their application to the jury.
Expert Report • engineers' opinions on whether a product's poor design renders it needlessly unsafe; • accountants' opinions on whether someone has followed prudent accounting practices; • physicians' opinions on whether some particular bodily insult was the cause of someone's medical condition; • economists' opinions on whether a firm possesses monopoly power; statisticians' opinions on whether a firm's employment decisions correlate closely with race or gender; • forensic opinions on matches between samples of DNA, blood, hair, etc.; • appraisers' estimates of the value of specific property. http://www.daubertontheweb.com/Chapter_1.htm
Expert Report • Expert testimony is potentially misleading. • Frye test (1929): • Scientific evidence is admissible only if the principles on which it is based have gained “general acceptance” in the scientific community. • Federal Rules of Evidence (1973): • If scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience, training, or education, may testify thereto in the form of an opinion or otherwise. • Does not mention general acceptance.
Expert Report • Daubert (1993): • Rule 702 does not supplant Frye • No definite checklist or test • Pertinent factors: • whether the theories and techniques employed by the scientific expert have been tested; • whether they have been subjected to peer review and publication; • whether the techniques employed by the expert have a known error rate; • whether they are subject to standards governing their application; • whether the theories and techniques employed by the expert enjoy widespread acceptance
Testifying as a Forensic Expert • Title helps. • Experience helps. • Reputation is essential. • Never get caught lying. • If you inhale, admit it, or refuse to tell.
Forensic Reports • Used for legal proceedings and for incident response. • Findings. • Why was the evidence reviewed? • How was the evidence reviewed? • How did the forensic examiner arrive at conclusions? • Conclusions are • Clearly explained. • Supported. • Possibly lead to recommendations.
Computer Forensics Report • Accurately describe the details of an incident. • Be understandable to decision makers. • Be able to withstand legal scrutiny. • Be unambiguous and not open to misinterpretation. • Be easily referenced (Bates numbering). • Contain all information required to explain the conclusions. • Offer valid conclusions, opinions, or recommendations when needed. • Be created in a timely manner.
Computer Forensics Report • Document investigative steps immediately and clearly. • Written notes during an investigation might be discoverable. • Notes need to be clear. • Missteps in the investigation need to be documented. • Keep the goals of your analysis in mind.
Computer Forensics Report • Organization of Report • Macro to Micro • Template • Good style: • Use consistent identifiers • Attachments and Appendices • Proofread by others
Computer Forensics Report • Organization of Report • Use a cryptographically secure hash to verify all files. • Include metadata in report.
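Added example (not part of the original slides): one way to produce the hash-and-metadata listing for a report appendix and to re-verify it later. SHA-256, the record fields and all function and file names are assumptions made for this illustration; the sample files are constructed.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large evidence images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """One record per file under root: relative path, hash, size, mtime (UTC)."""
    root = Path(root)
    records = []
    for p in sorted(q for q in root.rglob("*") if q.is_file()):
        st = p.stat()
        mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
        records.append({"path": p.relative_to(root).as_posix(), "sha256": sha256_file(p),
                        "size": st.st_size, "mtime_utc": mtime})
    return records


def verify_manifest(root, records):
    """Re-hash each listed file; return (path, problem) for every discrepancy."""
    problems = []
    for rec in records:
        p = Path(root) / rec["path"]
        if not p.is_file():
            problems.append((rec["path"], "missing"))
        elif sha256_file(p) != rec["sha256"]:
            problems.append((rec["path"], "hash mismatch"))
    return problems


def demo():
    """Constructed sample: two small files stand in for exported evidence."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "mail.txt").write_bytes(b"constructed sample A\n")
        (root / "log.txt").write_bytes(b"constructed sample B\n")
        manifest = build_manifest(root)  # taken at acquisition time
        (root / "log.txt").write_bytes(b"altered after hashing\n")
        return manifest, verify_manifest(root, manifest)
```

Calling demo() returns the manifest and the list of discrepancies; only the file changed after hashing is flagged.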
Computer Forensics Report Template • Executive Summary • Author, investigators, examiners • Why was the investigation undertaken? • List significant findings. • Include signatures of examiners • Objectives • Tasks of the investigation
Computer Forensics Report Template • Computer Evidence Analyzed • Detailed description of evidence • Linked with evidence tags. • If possible, with digital imagery of evidence • Relevant Findings • Supporting Details • Investigative Leads • Additional Report Sections