I did hesitate just a bit on posting about this, mostly because it shouldn't be taken as DFIR Gospel (actually, nothing I write in this blog should be taken as such, but I believe you are savvy enough to know that). The following guidelines are just some things I've learned along the way that I try to adhere to in my own reports. A lot of it will probably just sound like common sense. Many of you are probably doing what I lay out, or something much better. That said, if you want to add any ideas of your own, please feel free!
Girl, Unallocated Presents:
Report Writing Guidelines
Resist the Urge to Use Comic Sans
... or any other distracting font. Times New Roman is your friend. And whatever you do, absolutely no Wingdings.
Balloons explode. They explode suddenly, and unexpectedly. They are filled with the capacity to give me a little fright, and I find that unbearable.
Be Cautious of Absolutes
There are a few times when you can say with certainty that something is always true, or never occurs. Even if you are very sure of a statement, be careful about using absolutes, unless you have tested every eventuality and are sure there will be no subsequent research with opposing conclusions; these situations can create havoc during cross-examination. Useful phrases include: "This leads me to believe..." "It is my professional opinion..." "The evidence indicates...". I'm not saying that you should be wishy-washy. This language is a means of presenting the information as what it is: a professional opinion. Being able to express opinions is what separates an expert witness from other kinds of witnesses.
Break it Up
Reports can get long and are often very detailed. For the reader, they can seem (le gasp) dry. Also, it seems to me that with almost every report I write, the intended audience tends to focus in on one or two items out of the entire report as the items of real interest to them. And while I would like to think that they marvel over every word as a manifestation of genius, I know that what they really want to do is to zero in on the really juicy bits, and be able to navigate easily to other points as needed. So, like many before me, I oblige by breaking my report up into sections. A few sections that I and others in the industry frequently use are as follows:
Title Page - Include case name, date, investigator name and contact information.
Evidence - This should include serial numbers, hash values, custodian information, etc.
Objectives - Especially important to include if you were asked to perform a targeted investigation. Also a good idea to include any specific search terms requested.
Steps Taken - Be detailed here. Remember, your results should be reproducible.
Relevant Findings - Subcategories will depend on purpose of the exam. They can include: timeline; deleted data; encrypted/password protected; search terms; malware; etc., etc.
Conclusion - Tie it all together.
Exhibits - I reserve exhibits A and B for my CV and Chain of Custody, respectively. Certainly not necessary, but it makes it so I always remember to include them in my reports.
An additional touch that I like to include is hyperlinks within the report to make navigation easier. Some places where hyperlinks prove useful are within the Table of Contents and to referenced exhibits. For example, I will usually include a hyperlink to the Chain of Custody form somewhere in the Evidence section. And if you are now shaking your head and wondering why I make extra work for myself, wonder no more. With a little bit of effort up front, it is fast and easy. If you haven't been introduced to the wonderful world of Report Hyperlinking, please read on...
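As an added example that is not part of the original post, the script below builds the Evidence section and a linked Table of Contents the way the post describes: each item carries its serial number, custodian and hash values, the section hyperlinks to the Chain of Custody exhibit, and the hash recorded at acquisition is re-checked before it is written into the report. The post's template is a Word document; this example writes Markdown instead and assumes GitHub-style heading anchors for the links. The evidence items, serial numbers and "image" bytes are constructed placeholders, not real acquisitions.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass
class EvidenceItem:
    label: str        # how the item is referred to throughout the report, e.g. "Item 1"
    description: str  # make, model, capacity
    serial: str
    custodian: str
    data: bytes       # constructed stand-in for the bytes of the acquired image


def hash_evidence(data: bytes) -> dict:
    """MD5 and SHA-256 of the acquired data, the two values the Evidence section lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify_evidence(data: bytes, expected_sha256: str) -> bool:
    """Re-hash at report-writing time so the report never carries a stale value."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


def anchor(heading: str) -> str:
    """Heading text -> in-document link target (assumed GitHub-style Markdown anchor)."""
    cleaned = re.sub(r"[^a-z0-9 -]", "", heading.lower())
    return cleaned.replace(" ", "-")


# Section order from the post, plus the two exhibits the author always reserves.
SECTIONS = ["Evidence", "Objectives", "Steps Taken", "Relevant Findings", "Conclusion", "Exhibits"]
EXHIBITS = ["Exhibit A - Curriculum Vitae", "Exhibit B - Chain of Custody"]


def render_toc(headings) -> str:
    """One hyperlinked bullet per heading."""
    return "\n".join(f"- [{h}](#{anchor(h)})" for h in headings)


def render_evidence_section(items, acquisition_hashes, coc_heading=EXHIBITS[1]) -> str:
    """Evidence table with a link to the Chain of Custody exhibit.

    acquisition_hashes maps item label -> SHA-256 recorded when the image was taken.
    Raises ValueError if the data on hand no longer matches that hash.
    """
    lines = [
        "## Evidence",
        "",
        f"Custody history for each item is recorded in [{coc_heading}](#{anchor(coc_heading)}).",
        "",
        "| Item | Description | Serial | Custodian | MD5 | SHA-256 |",
        "|---|---|---|---|---|---|",
    ]
    for item in items:
        if not verify_evidence(item.data, acquisition_hashes[item.label]):
            raise ValueError(f"{item.label}: hash at report time differs from acquisition hash")
        h = hash_evidence(item.data)
        lines.append(
            f"| {item.label} | {item.description} | {item.serial} | {item.custodian} "
            f"| {h['md5']} | {h['sha256']} |"
        )
    return "\n".join(lines)


# Constructed sample data: placeholder serials and short byte strings standing in for images.
SAMPLE_ITEMS = [
    EvidenceItem("Item 1", "Example 500 GB HDD (placeholder)", "SN-PLACEHOLDER-001",
                 "J. Examiner", b"constructed image bytes 1"),
    EvidenceItem("Item 2", "Example 16 GB USB stick (placeholder)", "SN-PLACEHOLDER-002",
                 "J. Examiner", b"constructed image bytes 2"),
]
# In practice these come from the acquisition notes; here they are computed from the sample bytes.
ACQUISITION_HASHES = {item.label: hash_evidence(item.data)["sha256"] for item in SAMPLE_ITEMS}


def build_report(items=SAMPLE_ITEMS, acquisition_hashes=ACQUISITION_HASHES) -> str:
    """Assemble the title, hyperlinked Table of Contents and Evidence section."""
    return "\n\n".join([
        "# Examination Report",
        "## Table of Contents",
        render_toc(SECTIONS + EXHIBITS),
        render_evidence_section(items, acquisition_hashes),
    ])


if __name__ == "__main__":
    print(build_report())
```

The verification step is the part worth keeping even if the rest of the template changes: re-hashing the image when the report is written, rather than copying the value from an earlier note, is what makes the hash in the Evidence section a statement about the data you actually examined.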
Create a Template
Add subsections below the main section using Level 2.
Any content should be added in regular text underneath a Section or Subsection.
Add a Table of Contents. Also located on the References tab.