Forensic Report and Export a file inventory

ForensicReportTemplate.docx

Your Organization / Company LLC

Case Name / Case ####

DIGITAL FORENSIC ACTIVITY REPORT

Case Title

Case Number

Organization / Company, LLC

Address

Report Date

Examiner:

Examiner Signature:

Report Subject

Digital Evidence Report – description of media

BACKGROUND

On September 12, 2017, XXXX

TABLE OF CONTENTS

(Feel free to add Addendums to your report as necessary / page #s will vary.)

Background ................................................... 1
Table of Contents ............................................ 2
Legal Authority .............................................. 3
Initial Processing ........................................... 3
Preliminary Findings ......................................... 3
Detailed Analysis ............................................ 4
Conclusions .................................................. 8
Software Utilized ............................................ 8
Hardware Utilized ............................................ 8
Digital Media Processing ..................................... 8
Disposition of Evidence ...................................... 9
Glossary ..................................................... 10
ADDENDUM A (Evidence Photograph / Hash Verifications) ........ 11
ADDENDUM B (Steps Taken) ..................................... 12

LEGAL AUTHORITY

(search warrant, consent, abandoned, or organizational property)

INITIAL PROCESSING

On date, your organization processed the submitted XXXX (HD, USB, etc.). The processing included inspection, photography, an anti-virus (AV) scan, and forensic imaging of the USB drive. The forensic imaging of the digital media created forensic evidence files for use in the subsequent forensic examination of the digital media. The methods used were forensically sound and verifiable.

During an AV scan, XXXXX was identified as containing XX infected files.

Include acquisition and verification hash sums here.

See ADDENDUM A, “Evidence Photos,” and ADDENDUM B, “Steps Taken,” for more information.

PRELIMINARY FINDINGS

XXXX This is where you give the reader an overview of your findings / forensic files of interest.

Of the X files analyzed, X were of forensic value; briefly describe the partition and file structure of the media examined.

Include a description of the media, i.e. size, file system, and structure.

Please see “Detailed Findings” below for more information.
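The file counts and file-system overview asked for above are usually produced from an exported file inventory. The following is an added example, not part of the template, that builds such an inventory from a constructed sample directory, hashes each file, and flags files whose hash appears in a known-value set (the inclusion/exclusion comparison described in the Glossary). The known-value set and sample files here are constructed; a real set would come from a published hash library.

```python
import csv
import hashlib
import io
import tempfile
from datetime import datetime, timezone
from pathlib import Path

COLUMNS = ["path", "size", "mtime_utc", "sha1", "status"]


def sha1_file(path: Path, block: int = 65536) -> str:
    """Hash a file in fixed-size blocks so large evidence files are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def build_inventory(root: Path, known_sha1: set) -> list:
    """One row per regular file under root; files in the known-value set are marked for exclusion."""
    rows = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        digest = sha1_file(p)
        rows.append({
            "path": p.relative_to(root).as_posix(),
            "size": st.st_size,
            # Record timestamps in UTC so the report is unambiguous (see Glossary, UTC).
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
            "sha1": digest,
            "status": "known (excluded)" if digest in known_sha1 else "review",
        })
    return rows


def export_csv(rows: list) -> str:
    """Render the inventory as CSV text suitable for attaching to the report."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def demo():
    """Constructed sample media: three files, one of which matches the (hypothetical) known-good set."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "docs").mkdir()
        (root / "docs" / "notes.txt").write_bytes(b"meeting notes")  # constructed
        (root / "readme.txt").write_bytes(b"hello")                  # constructed
        (root / "setup.exe").write_bytes(b"MZ fake installer")       # constructed
        known = {hashlib.sha1(b"hello").hexdigest()}  # hypothetical known-value set
        rows = build_inventory(root, known)
        return rows, export_csv(rows)
```

The `status` column gives the "X of X files" split directly: rows marked `review` are the candidates for the Detailed Findings section.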

DETAILED FINDINGS / ANALYSIS

XXXX This is the bulk of the report.

CONCLUSIONS

XXXX

Further investigation and analysis are recommended to confirm these findings and conclusions, and may be the subject of future digital forensic reports.

SOFTWARE UTILIZED

Collecting the evidence involved the following software.

SOFTWARE                          HOW USED

HARDWARE UTILIZED

Collecting the evidence involved the following hardware.

HARDWARE                          HOW USED

DIGITAL MEDIA PROCESSED

The following digital media was submitted and processed.

PHOTOGRAPH OF DIGITAL MEDIA & IMAGING PROCESS        DESCRIPTION OF ITEMS SUBMITTED

See ADDENDUM A

Include serial numbers and how marked as evidence.

DISPOSITION OF EVIDENCE

XXXX Drive marked as “XXXX” and assigned inventory #XXXX is currently secured in the evidence locker at XXXX.

Note that each piece of evidence in this case has been secured and filed with its own individual chain of custody form.

GLOSSARY

Data Carving – A process involving the examination of media for content relating to multiple types of empty space (i.e. slack space, unused space, unallocated space).

Deleted Files – Files that may have been deleted by the computer user or operating system. Normally deleted files are not removed from the hard drive. The deletion process only alters a directory entry in most cases. This leaves deleted files accessible to forensic examinations.

Digital Evidence – Information stored or transmitted in binary form that may be relied upon in court.

File Slack – The space between the end of the file data and the end of the cluster. File slack may contain residual data from files that previously occupied the cluster.

Forensic Image – A bit-stream copy of the available data. The result may be encapsulated in a proprietary format (E01, AD1, etc.).

Forensic Copy – The data from the source (original) media is copied “bit by bit” and written to other media in the same bit-by-bit order that it was obtained.

Forensic Evidence File – Consists of one or more files that contain the data from the source media and that can be restored to other media in such a manner that the “bit by bit” order on the restored drive is the same as on the source drive. The file may contain “additional” data written by the imaging software; this additional data is program overhead.

Hash – Numerical values, generated by various hashing functions, used to substantiate the integrity of digital evidence and/or for inclusion / exclusion comparisons against known value sets.

Message Digest 5 (MD5) Hash – A 128-bit value that describes the contents of a file. This is a standard hash value used in digital forensics. Because two different inputs with the same MD5 value can be deliberately constructed, examiners record a second hash (SHA-1 or stronger) alongside it, as in ADDENDUM A.

New Technology File System (NTFS) – NTFS (NT file system; sometimes New Technology File System) is the file system that the Windows NT operating system uses for storing and retrieving files on a hard disk. NTFS is the Windows NT equivalent of the Windows 95 file allocation table (FAT) and the OS/2 High Performance File System (HPFS).

Removable Media – Items (e.g., floppy disks, CDs, DVDs, USB drives, tape) that store data and can be easily removed.

Unallocated Space – Also called free space; the unused portion of the hard drive.

Universal Time Coordinated (UTC) – UTC / GMT is the basis for local times worldwide. Other names include Universal Time Coordinated / Universal Coordinated Time. UTC is the successor to Greenwich Mean Time (GMT).

ADDENDUM A

The following is a photograph of XXXX

PICTURE(s) SHOWN HERE

The following details the forensic image processing.

example: Seagate Hard Drive, 250GB, Serial #12345:

Digital Forensics Examiner (DFE) created forensic evidence files of XXXX drive #XXXX. The pre-processing hash results are presented below:

MD5 checksum: XXXX

SHA1 checksum: XXXX

The forensic processing subsequently created XXXX (X) files (simulated).

Forensic Evidence Files Created: XXX.E01 – XXXX.E04 (example with four files)

The forensic imaging process involved a post-processing hash verification of the contents of the evidence files, compared against the pre-processing hash. The hash analysis is presented below.

MD5 checksum: XXXX: verified

SHA1 checksum: XXXX: verified

The forensic imaging process successfully created a forensically sound and verifiable bit stream copy of the hard drive in the form of forensic evidence files.
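The pre-processing and post-processing hash comparison above, as an added example that is not part of the template. It uses a constructed byte string as the "drive" and writes it out as plain numbered raw segments (a stand-in for the E01 segment files, which are a proprietary container); verification re-hashes the segments in order as a single stream and reports each algorithm as verified or not, including the failure case where a segment has been altered after acquisition.

```python
import hashlib
import tempfile
from pathlib import Path

SEGMENT_SIZE = 4096  # constructed: tiny segments so the sample "drive" splits into several files


def hash_stream(chunks) -> dict:
    """Compute MD5 and SHA-1 over an iterable of byte chunks in a single pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def acquire_raw_split(source: bytes, out_dir: Path, stem: str) -> list:
    """Write the source bit-for-bit as numbered raw segments: stem.001, stem.002, ..."""
    paths = []
    for i in range(0, len(source), SEGMENT_SIZE):
        p = out_dir / f"{stem}.{i // SEGMENT_SIZE + 1:03d}"
        p.write_bytes(source[i:i + SEGMENT_SIZE])
        paths.append(p)
    return paths


def read_segments(paths, block: int = 65536):
    """Yield the evidence files' contents in segment order, without loading them all at once."""
    for p in sorted(paths):
        with open(p, "rb") as fh:
            for data in iter(lambda: fh.read(block), b""):
                yield data


def verify_image(pre_hashes: dict, segment_paths: list) -> dict:
    """Post-processing verification: re-hash the evidence files and compare with the pre-processing hashes."""
    post = hash_stream(read_segments(segment_paths))
    return {alg: {"expected": pre_hashes[alg], "actual": post[alg],
                  "verified": post[alg] == pre_hashes[alg]} for alg in pre_hashes}


def demo():
    """Constructed 16 KiB 'drive' -> 4 segments; returns (pre hashes, good result, result after tampering)."""
    source = bytes(range(256)) * 64
    pre = hash_stream([source])  # pre-processing hash of the source media
    with tempfile.TemporaryDirectory() as d:
        paths = acquire_raw_split(source, Path(d), "evidence")
        good = verify_image(pre, paths)
        # Flip one bit in the last segment to show that verification then fails for both algorithms.
        data = bytearray(paths[-1].read_bytes())
        data[0] ^= 0x01
        paths[-1].write_bytes(bytes(data))
        bad = verify_image(pre, paths)
    return pre, good, bad
```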

ADDENDUM B

Steps Taken:

1.

2.

ETC.

Ensure to describe your target media sterilization process i.e. what media you used to store the acquired image files. Include your chain of custody procedures in steps taken also i.e. when you received the media, by whom, where it is stored, when it was returned, etc.