COEN 252 Computer Forensics Writing Computer Forensics Reports


Forensics Reports
  • Forensics reports only state findings.
  • If they draw conclusions, then they are expert testimony.

Expert Report
  • A report that offers an opinion is an expert report.
  • The writer of the report needs to qualify as an expert.
  • An expert report used in court has additional requirements.
  • The expert's expertise and trustworthiness are on trial, too.

Expert Report
  • Fundamental Decision: Daubert
      • DAUBERT et ux., individually and as guardians ad litem for DAUBERT, et al. v. MERRELL DOW PHARMACEUTICALS, INC.
      • Juries decide on "matters of fact", not on "matters of law".
      • What is placed before a jury is tightly regulated:
          • Rules of Evidence.
          • Most testimony is limited to relaying sensory experiences, interpreted by the jury according to common sense.
          • Experts provide insight that common sense does not offer.

Expert Report
  • An expert offers an opinion by applying the expert's specific knowledge to the specific circumstances of the case.
  • An expert can also testify to general scientific or technical principles and leave their application to the jury.

Expert Report
  • engineers' opinions on whether a product's poor design renders it needlessly unsafe;
  • accountants' opinions on whether someone has followed prudent accounting practices;
  • physicians' opinions on whether some particular bodily insult was the cause of someone's medical condition;
  • economists' opinions on whether a firm possesses monopoly power;
  • statisticians' opinions on whether a firm's employment decisions correlate closely with race or gender;
  • forensic opinions on matches between samples of DNA, blood, hair, etc.;
  • appraisers' estimates of the value of specific property.
  http://www.daubertontheweb.com/Chapter_1.htm

Expert Report
  • Expert testimony is potentially misleading.
  • Frye test (1929):
      • Scientific evidence is admissible only if the principles on which it is based have gained "general acceptance" in the scientific community.
  • Federal Rules of Evidence (1973):
      • If scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience, training, or education, may testify thereto in the form of an opinion or otherwise.
      • Does not mention general acceptance.

Expert Report
  • Daubert (1993):
      • Rule 702 does not supplant Frye.
      • No definite checklist or test.
      • Pertinent factors:
          • whether theories and techniques employed by the scientific expert have been tested;
          • whether they have been subjected to peer review and publication;
          • whether the techniques employed by the expert have a known error rate;
          • whether they are subject to standards governing their application;
          • whether theories and techniques employed by the expert enjoy widespread acceptance.

Testifying as a Forensic Expert
  • Title helps.
  • Experience helps.
  • Reputation is essential.
      • Never get caught lying.
      • If you inhale, admit it, or refuse to tell.

Forensic Reports
  • Used for legal proceedings and for incident response.
  • Findings:
      • Why was the evidence reviewed?
      • How did the forensic examiner arrive at conclusions?
  • Conclusions are:
      • Clearly explained.
      • Supported.
      • Possibly lead to recommendations.

Computer Forensics Report
  • Accurately describe the details of an incident.
  • Be understandable to decision makers.
  • Be able to withstand legal scrutiny.
  • Be unambiguous and not open to misinterpretation.
  • Be easily referenced (Bates numbering).
  • Contain all information required to explain the conclusions.
  • Offer valid conclusions, opinions, or recommendations when needed.
  • Be created in a timely manner.

Computer Forensics Report
  • Document investigative steps immediately and clearly.
      • Written notes during an investigation might be discoverable.
      • Notes need to be clear.
      • Missteps in the investigation need to be documented.
      • Keep the goals of your analysis in mind.

Computer Forensics Report
  • Organization of Report
      • Macro to Micro
      • Template
      • Good style:
          • Use consistent identifiers
          • Attachments and Appendices
          • Proofread by others

Computer Forensics Report
  • Organization of Report
      • Use a cryptographically secure hash to verify all files.
      • Include metadata in report.
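
One way to carry out the hash verification and metadata capture named on this slide, as an added example that is not part of the original slides: it builds a per-file manifest (identifier, path, size, modification time, SHA-256) and re-verifies it later. The `EX-` identifier scheme, the field names and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large evidence files are hashed without loading them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root, prefix="EX"):
    """One record per file; paths are sorted so identifiers are reproducible."""
    paths = sorted(os.path.join(d, n) for d, _, names in os.walk(root) for n in names)
    manifest = []
    for seq, path in enumerate(paths, start=1):
        st = os.stat(path)
        manifest.append({
            "id": f"{prefix}-{seq:06d}",  # hypothetical consistent identifier
            "path": os.path.relpath(path, root),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_file(path),
        })
    return manifest

def verify_manifest(root, manifest):
    """Re-hash each listed file; return (id, problem) for anything missing or altered."""
    problems = []
    for rec in manifest:
        path = os.path.join(root, rec["path"])
        if not os.path.isfile(path):
            problems.append((rec["id"], "missing"))
        elif sha256_file(path) != rec["sha256"]:
            problems.append((rec["id"], "hash mismatch"))
    return problems

def demo():
    with tempfile.TemporaryDirectory() as root:  # constructed sample files only
        for name, data in [("mail.pst", b"constructed sample A"), ("notes.txt", b"constructed sample B")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        with open(os.path.join(root, "notes.txt"), "ab") as f:
            f.write(b"!")  # simulate a change made after the manifest was taken
        return manifest, clean, verify_manifest(root, manifest)
```

The manifest records can go into a report appendix, so each file cited in the findings is referenced by its identifier and can be re-verified against its recorded hash.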

Computer Forensics Report Template
  • Executive Summary
      • Author, investigators, examiners
      • Why was the investigation undertaken?
      • List significant findings.
      • Include signatures of examiners
  • Objectives
      • Tasks of the investigation

Computer Forensics Report Template
  • Computer Evidence Analyzed
      • Detailed description of evidence
      • Linked with evidence tags.
      • If possible, with digital imagery of evidence
  • Relevant Findings
  • Supporting Details
  • Investigative Leads
  • Additional Report Sections