This chapter discusses the ninth step for implementing a digital forensic readiness program: the need to provide answers to questions that arise during an investigation and to demonstrate, through evidence-based reporting, why those answers are credible. Ultimately, the purpose of completing this step is to develop and implement a governance framework (i.e., policies and procedures) that describes how evidence-based reports are to be constructed during an investigation.
Introduction
Conducting an investigation is more than simply supporting the business risk scenarios discussed in chapter “Define Business Risk Scenarios.” From an investigation, organizations must also be able to answer the questions who, where, what, when, why, and how, and demonstrate how their digital evidence supports the credibility of those answers.
Achieving these goals requires that the forensic viability of digital evidence, including the authenticity and integrity of the data, is maintained by following the steps outlined throughout this book, such as establishing governance over the collection, handling, and storage of digital evidence. Furthermore, by applying an evidence-based methodology for managing an investigation, organizations will be in a better position to establish credibility in the answers to questions as they arise.
Importance of Factual Reports
Once all digital evidence has been processed, a formal report must be created to communicate the findings of the investigation. However, one of the most common failings of any investigation is a deficient final report. Ultimately, if decision-makers cannot understand and interpret the information detailed in the report, the entire investigation can fail.
As with any investigation, organizations should conduct themselves on the basis that the matter will escalate into some form of legal proceeding. Therefore, a formal report should be created not only to share information within the organization, but also with the intention that it could be presented as evidence or testimony in a court of law.
Under Rule 26(a)(2)(B) of the US Federal Rules of Civil Procedure, a witness retained to provide expert testimony has a duty to disclose a written report. The report must contain a complete statement of all opinions the witness will express and the basis and reasons for them, together with the “facts or data” the witness considered in forming those opinions and any exhibits that will be used to summarize or support them.
It is important to understand that the “facts or data” wording, introduced in the 2010 amendments to Rule 26, limits the required disclosure to material of a factual nature and excludes the theories or mental impressions of counsel. The practical consequence for the investigator is that a credible investigative report must be built on facts that can be traced back to the evidence, not on speculation that cannot.
Types of Reports
Completed during the presentation stage of the digital forensic readiness model, discussed further in chapter “Investigative Process Models,” investigative reports are essential in communicating facts about the evidence analyzed to various stakeholders, including presenting evidence as legal testimony.
As the first step in creating a report, it is important that the author(s) identify the target audience and the purpose for creating the report. Authors need to ensure that the content of the report is structured to be clear, concise, easy to follow, and understandable to their target audience. For example, when a report is being provided to management, the author(s) should consider accompanying any technical content with references or educational materials that clarify or further elaborate this information, so that the reader does not become disengaged from the report.
With the audience established the next step is to decide which type of report is required. Typically, investigative reports can be grouped into one of the following categories:
• Verbal formal reports are typically quite structured and are commonly used to present information to management or in front of a jury without producing any form of document. An important consideration when using this presentation style is the amount of time available to communicate the facts. If the pace is too quick, there is a chance that the audience will not clearly understand the information; if the pace is too slow, the author may run out of time before sharing important pieces of information. Author(s) must ensure that they organize the presentation of information in a way that clearly and concisely focuses on the facts of the investigation.
• Verbal informal reports are typically less structured and are commonly used to present information to management or in an attorney’s office without producing any form of document. For management communication, this is commonly done as an “elevator speech” where the facts of the investigation need to be shared quickly. Alternatively, this presentation style can be used when communicating with attorneys where there is a need to limit the amount of written information that can later be discovered as part of a legal proceeding. Author(s) must be prepared to deliver this style of report by focusing on key, relevant, and meaningful facts of the investigation to avoid confusion or misinterpretation.
• Written formal reports are typically quite structured and result in a document that will be used to present information to management or as part of legal proceedings. Regardless of who the audience is, this style of report is considered legally discoverable and can be used in a court of law. These reports require author(s) to pay a great deal of attention to detail and to ensure that the report is focused specifically on communicating credible and factual information only. When writing these reports, it is recommended that the author(s) use natural language, as discussed below, and avoid words or grammar that are difficult for readers to understand. The arrangement of these reports is discussed in the section “Arranging Written Reports.”
• Written informal reports are considered high risk because the information being documented might not yet have been proven factual to the investigation. If this style of report must be produced, it is important for organizations to understand that these documents are discoverable in a court of law. Instead of making preliminary statements about information that may not be factual, author(s) should include only the same level of information provided through a verbal informal report, discussed above.
Creating Understandable Reports
Writing a report should flow just as naturally and logically as we think or speak. Each related fact and piece of information should be grouped together into a single paragraph and build upon each other from beginning to end.
The use of jargon or slang terminology should be avoided at all times. Where technical terms need to be used, they must be defined in natural language as part of a taxonomy, discussed further in Appendix F: Building a Taxonomy. Additionally, acronyms and abbreviations should be written out in full on first use and defined as part of the taxonomy.
The information being communicated will most often describe events that occurred before the report was written, which means the author(s) should primarily write in the past tense, changing to the present or future tense only where appropriate.
Arranging Written Reports
Regardless of whether the investigation will proceed into a court of law, all investigative reports should be structured to communicate relevant and factual information. At a minimum, author(s) should ensure that the following goals are consistently applied to every type of report that is being presented:
• Report contains an accurate description of all event and incident details
• Content is clear, concise, and understandable to relevant decision-makers
• Content is deemed admissible and credible in a court of law
• Content does not portray opinions or information that is open to misinterpretation
• Report contains sufficient information to establish factual relevance of conclusions
• Report is completed and presented in a timely manner
With verbal reports, whether formal or informal, the intention is to speak about the facts of the investigation. Alternatively, when using a written report the author(s) should ensure that they follow a consistent approach in the layout and presentation of the facts. In addition to ensuring the above-noted goals are achieved, a standardized template should be used that establishes a repeatable standard for how facts and information will be presented.
Understanding that the inclusion of information in a written formal report is subject to the organization’s needs, the minimum components of a standardized report template should include the following:
• Executive summary: The subsections included within the executive summary are intended to provide readers with a high-level summary of the investigation. Most commonly, this section might be all that management reads to get an understanding of the investigation. For this reason, it is important that the information contained in these subsections is written in a natural and business language that does not include unnecessary technical details.
• Background: Describes the event(s) or incident(s) that brought about the need for the investigation, the objectives of performing the investigation, as well as who authorized the investigation to be conducted.
• Summary of findings: Summarizes the significant findings as a result of the investigation.
• Conclusions: Establishes credible answers to questions that came about from the investigation.
• Investigative details: The subsections included within the investigative details are intended to provide readers with detailed information about the investigation. While the information contained within them places emphasis on the digital evidence, it must focus on establishing the credibility of the facts identified during the investigation.
• Chain of evidence: Describes the continuity of all digital evidence relating to where it was identified, the techniques used to seize it, and methods used to transport it.
• Gathering of evidence: Specifies the methodologies, tools, and equipment used to collect and preserve digital evidence.
• Processing of evidence: Specifies the methodologies, tools, and equipment used to examine digital evidence.
• Analysis of evidence: Details the meaningful, relevant, and factual findings from analyzing digital evidence.
• Addendums: The subsections included within the addendums are intended to provide readers with in-depth supplementary information that supports the findings outlined in the previous section. Examples of supplementary information that can be included are the following:
• tables listing the full pathnames of significant digital evidence
• the total number of digital evidence items reviewed during the investigation
• all keywords, phrases, and search terms used and results of these searches
A template for creating written formal reports has been provided as a reference in the Templates section of this book.
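The addendum items listed above are the parts of a written formal report that are most often generated mechanically from the evidence set, and they are also where the integrity of the evidence can be demonstrated rather than merely asserted. The following Python script is an added example, not code from the book or its templates, that builds those three addendum items from a constructed set of evidence files and verifies each file’s current SHA-256 hash against the value recorded at collection, so that an item altered after collection is flagged in the chain of evidence instead of being silently carried into the findings. The choice of SHA-256 as the integrity hash, the “Addendum A/B/C” labels, and all pathnames, file contents, addresses, and keywords are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class EvidenceItem:
    """One digital evidence item as recorded on the chain-of-evidence form."""
    path: str               # full pathname as identified at collection
    data: bytes             # current contents of the item (constructed here)
    collected_sha256: str   # hash recorded at the time of collection


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest as lowercase hex; assumed here as the recorded integrity hash."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(items: List[EvidenceItem]) -> Dict[str, bool]:
    """Recompute each item's hash and compare it to the value recorded at collection.

    A False entry means the item differs from what was collected and must be
    explained in the chain-of-evidence section before any finding relying on it
    can be presented as credible.
    """
    return {i.path: sha256_hex(i.data) == i.collected_sha256 for i in items}


def keyword_hits(items: List[EvidenceItem], keywords: List[str]) -> Dict[str, List[str]]:
    """Case-insensitive search of every item for every keyword.

    Each keyword maps to the pathnames containing it, so the addendum records
    both what was searched for and what was, or was not, found.
    """
    results: Dict[str, List[str]] = {k: [] for k in keywords}
    for item in items:
        text = item.data.decode("utf-8", errors="replace").lower()
        for k in keywords:
            if k.lower() in text:
                results[k].append(item.path)
    return results


def build_addendum(items: List[EvidenceItem], keywords: List[str]) -> dict:
    """Assemble the three addendum components described in the chapter."""
    integrity = verify_integrity(items)
    return {
        "evidence_table": [
            {"path": i.path, "sha256": sha256_hex(i.data), "integrity_ok": integrity[i.path]}
            for i in items
        ],
        "total_items": len(items),
        "integrity_failures": [p for p, ok in integrity.items() if not ok],
        "search_results": keyword_hits(items, keywords),
    }


def render_addendum(addendum: dict) -> str:
    """Plain-text rendering suitable for pasting into a written formal report."""
    lines = ["Addendum A: Significant digital evidence"]
    for row in addendum["evidence_table"]:
        status = "verified" if row["integrity_ok"] else "HASH MISMATCH"
        lines.append(f"  {row['path']}  sha256={row['sha256']}  [{status}]")
    lines.append(f"Addendum B: Total evidence items reviewed: {addendum['total_items']}")
    lines.append("Addendum C: Search terms and results")
    for term, paths in addendum["search_results"].items():
        hits = ", ".join(paths) if paths else "no hits"
        lines.append(f"  '{term}': {hits}")
    return "\n".join(lines)


def sample_items() -> List[EvidenceItem]:
    """Constructed sample evidence; pathnames, contents and addresses are invented."""
    files = {
        "/mnt/image01/home/jdoe/Documents/transfer.txt":
            b"Wire transfer to offshore account approved.\n",
        "/mnt/image01/home/jdoe/.bash_history":
            b"scp ledger.xlsx user@203.0.113.7:/tmp\n",
        "/mnt/image01/var/log/auth.log":
            b"Accepted publickey for jdoe from 198.51.100.9\n",
    }
    items = [EvidenceItem(p, d, sha256_hex(d)) for p, d in files.items()]
    # Simulate an item altered after its hash was recorded, so the addendum
    # flags it instead of presenting it as sound evidence.
    items[2].data += b"Accepted password for root from 198.51.100.9\n"
    return items


if __name__ == "__main__":
    print(render_addendum(build_addendum(sample_items(), ["offshore", "scp", "ssh"])))
```

Keeping the hash comparison separate from the search logic means a mismatch is reported in the evidence table regardless of whether the item produced any keyword hits; a report that lists a search result from an item whose integrity cannot be confirmed is exactly the kind of statement that opposing counsel will challenge.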
Inculpatory and Exculpatory Evidence
While the objective of performing an investigation is to determine root cause or identify a culprit, all conclusions derived from the analysis of evidence must be factual and credible. However, as conclusions are being drawn, it may become clear that both inculpatory (indicating guilt) and exculpatory (indicating innocence) evidence exist, and both must be considered further before any factual and credible conclusions can be established.
The totality of all digital evidence, whether inculpatory or exculpatory, is an important consideration when establishing credible facts. In US criminal proceedings, the suppression by the prosecution of exculpatory evidence is a violation of due process, and in any investigation it produces conclusions that do not reflect the evidence as a whole. Organizations must ensure that they have clearly defined in their governance documentation, such as standard operating procedures, how exculpatory evidence is to be handled when it is encountered.
Brady v. Maryland, 373 U.S. 83 (1963), is the milestone ruling that set the precedent requiring disclosure of exculpatory evidence.
The State of Maryland prosecuted Brady for murder; he admitted participating but claimed that a companion had committed the actual killing. The prosecution withheld from the defense a written statement in which the companion confessed to the killing.
Under the Brady Rule, named after this case, the Supreme Court held that the suppression by the prosecution of evidence favorable to an accused, where that evidence is material to guilt or punishment, violates due process irrespective of the good faith or bad faith of the prosecution.
Summary
When communicating the findings of an investigation, it is important that reports are created to focus specifically on the credible facts that have been established during the investigation. Regardless of whether findings from digital evidence demonstrate guilt or innocence, as long as reports are an accurate representation of the event(s), they are still considered relevant and credible.