
SUMMARY REPORTS FOR DIGITAL FORENSICS

EDWIN SEBASTIÁN ROJAS BELTRÁN

JULI ANDREA MARTÍNEZ FORERO

ECCI UNIVERSITY

Systems Engineering Program

Computer Forensics

Bogotá

2024.

Summary Reports for Digital Forensics

Digital forensics consists of the processes of collecting, analyzing, and preserving electronic data in
support of an investigation or legal proceeding, in which the expert or examiner must follow a series of
standardized procedures in order to guarantee the integrity and admissibility of the evidence before a
court. Two main components of digital forensics stand out: the review process, which involves studying
the collected data and identifying the most relevant information, and the report, which presents the
findings in a clear and concise way so that it can be admitted.

When preparing the digital forensic report, it must be borne in mind that it will reach a court, so it must
meet the standards that the court expects; it can be seen as the first testimony in the case. That is why
most U.S. courts require expert witnesses to provide written reports explaining their research and
conclusions in civil cases. Two standards apply here: Daubert, which establishes that expert witness
testimony must be based on sufficient facts and data and be the result of reliable principles and
methods, so the testimony must be scientifically proven; and Frye, which indicates that testimony is
inadmissible unless it is deduced from a recognized scientific principle or basis, so it must be accepted.

Regardless of the standard that applies, the forensic report must include all opinions and their bases,
related exhibits, photographs, diagrams, charts, and a curriculum vitae (including publication history
for the last 10 years, fees paid for the last 4 years, and jurisdiction, among other items). An important
tip from some experts is to always keep the transcripts of the testimony given by the expert witness,
since the other party's lawyers use deposition banks, which are repositories where they keep examples
of expert witness testimony, to check that the witness is not changing their testimony. In addition to
listing the opinions and annexes, the report must contain information on the fees paid for expert
services in the last 4 years.

With regard to the technical content of the report, it is important to identify who the recipients are
and the purpose of the report, in order to focus on these aspects. In other words, if the audience does
not have much technical knowledge, it will probably need to be instructed in some details of the report,
without relying on many concepts that are difficult to understand. It also helps a lot to develop an
examination plan that serves as a starting point for possible questions. Another aspect to keep in mind
is that only the facts that answer a question should be stated; opinions should be expressed in response
to hypothetical questions. In other words, an expert witness states an opinion when it is based on his or
her professional knowledge and experience.

In some cases preliminary reports are prepared, and these can sometimes reflect a position contrary to
the one in the final report or testimony, which the opposing party's lawyer can use to discredit the
expert witness's testimony; if it is not necessary, it is advisable not to prepare a preliminary report.
However, it is not recommended to destroy a preliminary report, the notes taken on the case, or
anything related, since this can be considered destruction or concealment of evidence. It is advisable to
keep any notes that have been made and to keep them in order: relate a case number to them, or keep
them in a file, a drawer or any place where they can be accessed if required.

We now go into a little more detail about the general structure that the report must follow (the order
may vary), which will include the following sections: Summary, Table of Contents, Body of the Report,
Conclusion, References, Glossary, Acknowledgements and Appendices (each of the sections must have a
title and the summary, which is located at the end). It should also include the same information that
would be included in the informal verbal report and summarize everything that has been achieved, such
as the identification of the systems examined, the tools used and what has been seen, as well as
indicating the preservation and/or protection processes used on the evidence (chain of custody). A
summary of the billing up to the date of preparation of the report and the estimated costs until all the
work is completed can then be given, and finally a tentative conclusion and possible areas that require
further investigation can be included.

Once the most relevant aspects of the structure and content of the forensic report have been
addressed, we can return to some important aspects in terms of the wording, form and style such as:

• How is it written? That is, whether the document is easy to read and takes its intended audience into
account, whether it is organized coherently, and whether the language used is simple, direct and
precise, in addition to checking grammar, spelling and punctuation.
• Writing style: Natural language should be used (speaking in the first person); avoid vague language
and generalizations, and avoid repeating yourself or being too specific in some details. Finally,
objectivity and impartiality must be projected.
• Use signposts: Use sequential language to describe the steps that were followed, and highlight the
most important points so that readers can identify them quickly, among other things.
• Consistent formatting: Although formatting is less important than consistency, it is a factor that must
be taken care of so as not to detract from the presentation. For this reason, the same font should be
used throughout the document, and when writing percentages or measures, the same notation should
always be used (example: the % symbol or the word percentage, but not both).
• Numbering: Use sequential numbering, since it indicates a hierarchical order and allows the content
to be divided into sections in which the relative importance of the information can be seen. Readers
of the report will thus be able to tell from the titles how one part of the report relates to another.
• Figures: Care must be taken that figure captions describe what is being shown; as for placement,
figures should always come after the paragraph in which they are discussed.
• Follow a standard format such as APA or MLA.

Other aspects that must be taken care of are the inclusion of calculations and information such as the
common names of the hash algorithms used, with the reasons why they were chosen, the statement of
uncertainty, and the limitations of knowledge. The latter can be expanded on in an error analysis, which
can help protect the credibility of the expert. It should also be made clear that there is no absolute
guarantee that a file's timestamp is its actual creation time.
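
As an added illustration (not part of the original document), the Python sketch below builds one appendix record of the kind this paragraph describes: digests labelled with the common names of the hash algorithms and the reason each was chosen, file-system timestamps, and an explicit statement of limitations. The function names, record layout, wording of the reasons and the sample file are assumptions made for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Report name -> (hashlib name, reason stated in the report); wording is illustrative.
ALGORITHMS = {
    "MD5": ("md5", "for comparison with legacy tool output; not collision resistant"),
    "SHA-256": ("sha256", "collision-resistant primary integrity value"),
}

def hash_evidence(path, chunk_size=1 << 20):
    """Compute every digest in a single read pass over the file."""
    hashers = {label: hashlib.new(name) for label, (name, _) in ALGORITHMS.items()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {label: {"digest": h.hexdigest(), "reason": ALGORITHMS[label][1]}
            for label, h in hashers.items()}

def _utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

def appendix_entry(path):
    """One appendix record: digests, metadata timestamps, stated limitations."""
    st = os.stat(path)  # read metadata before the file is opened for hashing
    return {
        "file": os.path.basename(path),
        "size_bytes": st.st_size,
        "hashes": hash_evidence(path),
        "timestamps_utc": {"modified": _utc(st.st_mtime), "accessed": _utc(st.st_atime)},
        "limitations": [
            "Timestamps are file-system metadata taken from the originating "
            "system's clock; they do not prove the actual creation time.",
            "Matching digests show the content is unchanged since hashing, "
            "not when or by whom it was produced.",
        ],
    }

def build_sample():
    """Constructed sample input: a 3-byte file with a fixed modification time."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as fh:
            fh.write(b"abc")
        os.utime(path, (1700000000, 1700000000))  # fixed value for a stable result
        return appendix_entry(path)
```

The sample's modification time is simply the value stored in the metadata, which is why the record carries the limitation statement alongside it.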

As for the results and conclusions section, the findings should be described (and not what was
expected to be found), presenting the results in a logical way with titles and subheadings that give
greater clarity, and supporting the discussion coherently with figures and tables. In other words,
objectivity must be preserved in describing the facts and the data obtained, never what was sought.
Nor should the references section be forgotten: the material used as a source for the content of the
document should always be cited, with as much detail as possible so that another person can consult
it if required.

Finally, it is feasible to attach the report generated by the tool used to the expert witness's report in
order to provide much more specific details such as timestamps, operating system version, among
others, which gives greater strength to the results and final conclusions.
