Monday, September 19, 2011

On Writing

Every now and then, I see requests for sample reports from people in the field.  And while I can't share reports I've written due to confidentiality issues, I thought it might make for an interesting post to write about some of the guidelines that I like to follow when writing. 

I did hesitate just a bit on posting about this, mostly because it shouldn't be taken as DFIR Gospel (actually, nothing I write in this blog should be taken as such, but I believe you are savvy enough to know that).  The following guidelines are just some things I've learned along the way that I try to adhere to in my own reports.  A lot of it will probably just sound like common sense.  Many of you are probably doing what I lay out, or something much better.  That said, if you want to add any ideas of your own, please feel free!

Girl, Unallocated Presents:
Report Writing Guidelines

Resist the Urge to Use Comic Sans

... or any other distracting font.  Times New Roman is your friend.  And whatever you do, absolutely no Wing Dings.

Balloons explode. They explode suddenly, and unexpectedly. They are filled with the capacity to give me a little fright, and I find that unbearable.

Be Cautious of Absolutes

There are a few times when you can say with certainty that something is always true, or never occurs.  Even if you are very sure of a statement, be careful about using absolutes.  (Unless you have tested every eventuality and are sure there will be no subsequent research with opposing conclusions, absolutes can create havoc during cross-examination.)  Useful phrases include: "This leads me to believe..."  "It is my professional opinion..."  "The evidence indicates...".  I'm not saying that you should be wishy-washy.  This language is a means of presenting the information as what it is - a professional opinion.  Being able to express opinions is what separates an expert witness from other kinds of witnesses.

Break it Up

Reports can get long and are often very detailed.  For the reader, they can seem (le gasp) dry.  Also, it seems to me that with almost every report I write, the intended audience tends to focus in on one or two items out of the entire report as the items of real interest to them.  And while I would like to think that they marvel over every word as a manifestation of genius, I know that what they really want to do is to zero in on the really juicy bits, and be able to navigate easily to other points as needed.  So, like many before me, I oblige by breaking my report up into sections.  A few sections that are frequently used by myself and others in the industry are as follows:

Title Page - Include case name, date, investigator name and contact information. 
Evidence - This should include serial numbers, hash values, custodian information, etc. 
Objectives - Especially important to include if you were asked to perform a targeted investigation.  Also a good idea to include any specific search terms requested.
Steps Taken - Be detailed here.  Remember, your results should be reproducible.
Relevant Findings - Subcategories will depend on purpose of the exam.  They can include:  timeline; deleted data; encrypted/password protected; search terms; malware; etc., etc.
Conclusion - Tie it all together. 
Exhibits - I reserve exhibits A and B for my CV and Chain of Custody, respectively.  Certainly not necessary, but it makes it so I always remember to include them in my reports. 

An additional touch that I like to include is hyperlinks within the report to make navigation easier.  Some places where hyperlinks prove useful are within the Table of Contents and to referenced exhibits.  For example, I will usually include a hyperlink to the Chain of Custody form somewhere in the Evidence section.  And if you are now shaking your head and wondering why I make extra work for myself, wonder no more.  With a little bit of effort up front, it is fast and easy.  If you haven't been introduced to the wonderful world of Report Hyperlinking, please read on...

Create a Template

Templates are easy to create and will end up saving you many hours of work down the road.  The template doesn't have to be anything crazy, but just having one will make report writing easier, if for no other reason than because you won't have to remember to include things that are already built-in.  Templates can also make your life easier by automating or simplifying boring things like page numbers, footnotes, and hyperlinks.

Speaking of hyperlinks, the steps below are a simple outline of how to create sections within your report that will allow for quick and easy hyperlinking.

On the References tab, select "Add Text."  Add top-level sections using Level 1.
Add subsections below the main section using Level 2.
Any content should be added in regular text underneath a Section or Subsection.
Add a Table of Contents.  This is also located on the References tab.

Your TOC includes page numbers and is automatically hyperlinked to each of your sections.
Note:  You will need to update the TOC if changes are made to the report.

Added bonus for hyperlinking elsewhere within your report!
Select the item/text to be hyperlinked and choose "Place in This Document."
You will be given your Sections as hyperlink location options.

Note:  Though hyperlinks don't work if you print out the report (obviously!), they will still work if you convert the report to PDF within MS Word.  Awesomesauce all around. 

Confidentiality/Draft Language

Additional benefits to a report template include consistent formatting and standardized language.  Use Confidentiality language whenever appropriate.  Also, I recommend having the word "Draft" in a header, footer or watermark on every page until the report is finalized.  Those of you familiar with the recent changes to the FRCP may recall that drafts of expert reports have additional protection from discovery, but it behooves you to make your drafts easily recognizable as such.


I hope that this information may help someone out there in some small way.  Obviously, reports are something that could be discussed for much longer.  Again, feel free to share any of your own little tidbits.


  1. For what it's worth, I posted an example report to the Files section of the Win4n6 Yahoo group, based on the analysis of an example image available on the intertubes.

  2. @Keydet89 Awesome! Will definitely check it out. You rock, as always!

  3. Very nice job on a post that other examiners will surely find helpful and instructive. Thanks.

  4. @Craig Ball Thank you very much! I have learned from your articles many, many times over the years, and your feedback really means a lot.

  5. I really dislike Times Roman as the default font. I prefer Bookman Old Style or Century Schoolbook. They are more readable, especially in the smaller sizes.

    Write a paragraph in 10 point Times Roman. Copy the paragraph, convert it to Bookman Old Style, then compare.

    Jay Stevens

  6. Found your blog just the other day, and love the way you present information. Relatively informal but extremely practical, useful, and funny posts. Makes you feel like you're part of a community in an industry that can sometimes seem like it's run by robots.

    And for every negative comment you get, know that there's ten people reading your blog and loving it.

    -a guy in the industry for 4ish years

  7. @4ishYears Thank you so much! It really is great to have feedback... and the positive stuff is even better. You have seriously made my day. What you put is exactly what I have been shooting for, so it's nice to see it translates at least in part!