http://www.4ensics.net/home/2014/4/2/r8nqt1isgo3lvaxtbcx7xy8iyqu6uq
ON REPORT WRITING FOR DFIR
Previously I was talking in this space about how the truth should be your main client, and about how you have to let go of all preconceptions of things you think you know. Today I want to talk a bit about reporting.
The report of your digital forensic investigation is the product you are expected to deliver. While your investigation might have led you to reverse engineer malware or delve deep into Windows internal processes, your report should be completely clear to someone who hasn't ever touched a computer in his life.
Challenging? You bet! It's a true art to be able to translate tech talk into "human" speech. The guys from the "IT Crowd" television series also get a Communication Manager assigned to them, because people don't understand their technobabble.
When you're around fellow geeks all the time you actually lose your ability to discern what is tech talk and what isn't. I remember someone asking me what a Trojan horse virus is, and the question took me by surprise. I really thought that guy was joking. What you think is clear and needs no explanation might be a new concept for the reader of your report.
You have a tall mountain to climb if you have to explain to someone how a hard drive works or what a hash calculation is. Both explanations are usually found in reports.
You always have to remember who the audience is for your report. I work for a private company that mostly takes assignments from corporations. We do not do police work. But we do share a certain audience with police investigators for our reports, and that is the fine peeps of the legal profession. Lawyers.
Lawyers have their own language. They have the same challenge when explaining the law to their customers. They plan to take the report they got from you and plead their client's case with it. If they don't understand what you have written, then it's worthless to them.
Your report will also be read by the opposing party's lawyers. One thing I learned quickly when transitioning into forensics and writing reports is that you cannot leave assumptions in your text. It might be a simple word, but they will try to discredit your work based on a simple word you left in there. For example, "possibly", "perhaps" or "maybe" are words you don't want in there.
Only write something if you're absolutely 200 percent sure that that is what happened.
Also, when I started out doing this I was sometimes outraged at what the subject of my investigation had done. These investigations don't fall out of thin air, and usually there is something to be found (not always, though!). So my outrage made it into my first report attempts. Which is bad, because (and I mentioned this in a previous blog post) whoever hired you, your only real client is the truth. If the customer doesn't like what's in your report, that's their problem.
Another audience for us is the corporate world: CEOs, CFOs, CTOs, COOs and, God help us, CXOs. They also have their own separate language, and they view the world (and your report) through different perspectives. There is one thing they have in common: these are typically very busy people, and they don't have any time to read through 50 pages of you explaining everything you found.
Especially for them I add a section called "Executive Summary" where I immediately spoil the end result of the investigation. It's a bit like explaining the plot of the movie you're about to see. The Executive Summary gives these people exactly what they need to know to be able to decide quickly what they're going to do based on your report.
So here are some basic report-writing tips for digital forensics.
- Every word and every sentence needs to be deliberate
- Build a report template where you lay out your methodology and explain technical concepts
- Add an executive summary
- Find someone in your company to reread your report
- Use screenshots but explain your screenshots
- If a certain fact isn't illustrating or proving the main fact, don't be afraid to leave it out or put it in the appendix
- Be very critical
Whoever or whatever you're investigating, your report will probably have an impact on a business or even on someone's life. You owe it to them to be absolutely clinical and correct. When you go into the hospital you wouldn't want your doctor "phoning it in", as they say. You would want them to be focused and on the ball.
The quality of your reports is what makes or breaks you as an investigator or as a company.
Be sure to get it right!