Welcome back everyone. Today, we're going to be talking about potentially one of the most important topics when we're dealing with digital forensics, and that is documentation and reporting. If you have good documentation and reporting, you still have to do a good investigation, but if you can communicate, it will really help to express exactly what you were doing in your investigation and how you were doing it. You'll convince everyone, or convince the courts especially, that what you're doing is correct. Now, if you don't have good documentation, you don't have good reporting and you can't communicate, then even if you have a perfect investigation, no one will believe you or trust what you say. Documentation and reporting is potentially one of the most important skills that you can have as an investigator, aside from investigation itself. Documentation allows you or someone else to understand and verify your findings. Whenever you're doing an investigation, you want whoever is helping you with the case or verifying your results to be able to follow exactly what you were doing, so that they can understand what you were trying to do and verify that everything you did is correct. The court systems work in a way where everything you do should be able to be verified by a third party. So, for example, if I'm a police officer and I do an investigation and I have my documentation, and the defense wants to check my documentation to make sure that I did the investigation properly, they can call in an external expert who can take the data, the suspect data, and my report and verify that everything I did is correct. In most countries, that's the right of the defense. So, in that case, third parties should be able to verify what you're doing.
Now, documentation is also for your colleagues. So, the people that you're working with: if, for example, you're sick and you can't come to work that day, your colleagues should be able to pick up your investigation where you left off. Documentation should be clear, concise, and detailed. You don't want a lot of extra words. You don't necessarily need to be writing a book about this, but you do want to make sure that everyone can understand exactly what you were trying to do whenever you were doing your investigation. You want to keep it as clear and concise as possible, because you have to understand it quickly, other people have to understand it quickly, and if you write long paragraphs about what you're doing, it takes more time out of your investigation. So, make sure everything is very clear and concise; use as few words as possible while you still understand the meaning and everyone else can understand the meaning as well. Give a clear indication of what you did, what you found, and how you interpreted your findings. So, in your documentation: what did you do? What did you find? How do you interpret what this means? If you see a Windows registry key that's set to a certain value, how do you interpret that registry key being set? How would your colleagues interpret that? Documentation should be accessible very far into the future. Some investigations, or some cases, I should say, might last years. After you finish your investigation, it will go to court, and this court battle could take a very long time. So, you might be asked questions four, five, six, maybe ten years later about this case. Now, the only way you're going to remember this case is if you have good documentation from when you first created it. So, think very long term. You should be able to access electronic documentation in the future. Keep the documentation in common, ubiquitous formats. So, for example, TXT.
If you write all of your documentation as a text file, programs in the future will definitely be able to open up a text file. If you write your documentation in, let's say, WordPerfect, which is a very old word processor, you're going to have a very difficult time trying to open up those file formats in the future. Or the Hangul word processor: it's only used in Korea, and if Hancom, or at least the Hangul word processor branch of Hancom, shuts down, goes out of business, whatever, if they stop, then HWP will be almost impossible to open. That means that instead of doing your documentation in, maybe, HWP format, choose something like text or even DOC. DOC readers exist, and they will exist for a very, very long time. Even for DOCX, there are a lot of open source readers. So, you never have to worry about whether you can access this information in the future. Okay, use a word processor that can embed links and images. So, just Notepad probably isn't good enough, because it can't embed things. Probably Microsoft Office, LibreOffice, maybe the Hancom word processor, just switched to Open Document Format or something like that. Use the same word processor for both documentation and reporting, and this is a formatting issue. You want your documentation and your reports to look as professional as possible, and if you use different programs for each, whenever you copy things back and forth you might get different formats, and it might mess things up. So, you want it to look as professional as possible. In your documentation, you want to log the time for every action that you take. Document every action and make sure you log the time. Time is extremely important for establishing when everything happened. So, when did you collect a suspect hard drive? When did you go into the suspect's house? When did you make a disk image of the suspect's hard drive? When did you start analyzing the suspect's hard drive? You need times for all of those things.
So, time is extremely important. You need a list of exhibits: all of the devices that you're going to be dealing with in this case. You need to list them and give things like serial numbers, make, model, any identification that you can find. For example, stickers: if somebody put a sticker on something, what is the sticker? What question is being asked, and by whom? An investigator is asking some sort of question; you're doing the investigation for some reason. Why are you doing the investigation? Who asked you to conduct this investigation? What question do they want answered? You should have that in your documentation. This investigator asked me to look into this computer's hard drive to see if I can find illegal videos, or something like that. Make sure that's stated in your documentation so you know why you're doing this investigation. And then any derived hypotheses to explain the question, and why. We'll talk more about the question being asked and hypotheses in week seven. So, just: what hypotheses? What do you think could have happened? How can you possibly explain this case or this question? And what evidence can you find to support that? We'll talk more about that later. Documentation. So, notes of all actions taken. What actions did you take? What time did you take those actions? Any programs that you ran? Any forensic software or any tools that you ran, and the version of the tools that you ran. The version is very important, because different versions of a tool can give different results. Data types extracted: like, what files did you recover and where did you save them? It's important to know where you saved the files, because maybe you get multiple cases mixed up and you save files in the same folder. Now, which one is for case A and which one is for case B? So, knowing where files are located is very, very important. Any devices that you've examined, and also storage sizes.
So, the size of a hard drive, the size of RAM, just any disks that you have, phones, things like that. And then your examination results. So, after you actually examine all of the devices, any conclusions that you've made: what did you actually find? You're trying to answer some question. Did you find evidence supporting it or evidence denying the question? Just what conclusions can you make from what you've seen on these digital systems? You should also give documentation supporting your reasoning. So, you make some conclusion. Well, why do you make that conclusion? You can't just say, because I'm an expert, no. You have to actually provide evidence that supports what you're trying to say. So, you can use things like research papers: say these researchers found this particular information and I'm using that in my case. That means that you're basically borrowing other experts to say, listen, these experts have already found this is true, so this is what I'm saying in my investigation. Case law: if you're doing an investigation, especially a criminal investigation, cite case law as much as possible to say other cases were like this, they came to this conclusion and it was found correct, and I'm coming to the same conclusion. So, use research a lot. Use case law a lot. And also document the hours that you've worked. How many hours did you actually spend on an investigation? This is more for consulting companies than maybe government workers, but you should be aware of roughly how long it takes to do a certain type of case, more or less, and how much time you spend doing certain tasks in that case; that will make you more efficient in the long run. Knowing the goal of the investigation will dictate the scope of the documentation. So, you need to know what the point of this investigation is. Again, ask the investigator, what question am I answering, and then clearly define the goals before beginning. What question am I answering?
How am I going to answer that question? Again, we'll talk more about how to proceed through an investigation later. So, that was documentation. Documentation is basically for you, for your colleagues, and also for maybe a third party that's trying to verify your findings. But documentation should be very technical, because you are probably very technical and your colleagues are very technical. Documentation is not for court. It's not the type of thing that you will give to your boss. What you'll be giving to your boss and what you'll be giving to the prosecutor in court is reports. So, the overall report is for a very different audience; reporting is for a very different audience than documentation. Reporting is where you demonstrate your findings, arguments and evidence. So, once you've documented all of the steps you took, now we need to take that information and condense it into a final report that says: what did we find? Why do we think that we're right? And what evidence do we have that shows that our reasoning is correct? Describe the analysis and conclusions. So, what analysis did you do and what conclusions did you come to? And it should be very understandable even for people who have no technical background. So, if you say, you know, I examined the Windows registry key to find timestamps that were modified in UTC-8, something like that, most people won't understand it, partially because it didn't make any sense and also because it's just too technical, right? So, describe it in a way that anyone could understand. The report is basically for everyone, especially for judges, and judges may have no technical background. They might be very technical, or they may have no technical background. So, we're writing for a very different, non-technical audience. It should be understandable, and it should be easily referenced. So, every part of your report should be easy to reference, like individual paragraphs.
So, if you look at case law, for example, each paragraph in case law usually has a number and a letter. Write your reports like that, so that they can say, in paragraph 1A, I found this statement to be true. It should be unambiguous in logic and conclusions. Now, what unambiguous means is very cultural. If you read, for example, Korean newspapers, especially the opinion articles, the logic in newspaper opinion articles, there's basically no logic there, and the conclusions are very, very ambiguous. So, people will say, you know, Korea has a lot of problems. Let's fix Korea's problems. Well, what exactly is the problem here? What evidence do you have that Korea has lots of problems? What is the conclusion? How do we fix these problems, right? But most opinion articles I see are very vague like that. They give a very general problem that's not really well supported or well defined, and then they give a conclusion that's so general that it makes no sense. Let's fix problems. Well, which problems do we want to fix, right? Potholes in the road, or the government's issues, or what are we fixing? Well, if you look at reports in your investigation, you can't be like that. You have to be extremely specific. I found this piece of evidence and this piece of evidence; that means that the suspect used Internet Explorer to download a virus, okay? I can tell you exactly what the suspect did, and here's my evidence. Now, what does that mean in terms of our investigation? Well, it means the suspect got a virus, so maybe the virus was, you know, related to the case. My point is: be very specific. Do not be general, and make sure everything is supported. Contain all necessary information to explain the conclusions. A lot of people really neglect evidence, actually. Sometimes even in investigations they just say, well, it's very obvious that this must be the case. No, it's not obvious.
You have to provide evidence for everything you say. So make sure you give all of the information you can to support whatever you're trying to say. Don't include irrelevant or too much information. If your report is 100 pages, it's probably too long, unless it was a really complicated case. Only include in your report the things that you absolutely need to describe what you're talking about, okay? Don't add extra text just to sound fancy or just to add extra things to make it look better. That's completely wrong. It wastes everyone's time and no one will read it. And more importantly, people might think that you're trying to lie, and that's definitely something you want to avoid. And make sure you satisfy legal requirements in your country. Every country will have different reporting requirements, so you have to satisfy those requirements as well as being logical, showing your evidence, and making sure your conclusions are sound. The parts of a report should be something like: a title page, table of contents, background information, adopted analysis methodology, description of analysis steps and results, conclusions, references, and appendices. And I'll talk about those. So in the introduction, you should give the events leading to the analysis. Why are we doing this investigation? Any initially known information: what did you know about the victim? What did you know about the suspect? What did you know about a bank account that was used? Any exhibits, computers, cell phones that were relevant to the case, and then the questions posed by the investigator. So now we have the question again, both in our documentation and our report. Next is your methodology, how you're actually doing your investigation. What is your analysis strategy? Did you demonstrate due diligence? Did you search for both conclusions that the suspect is guilty and conclusions that the suspect is innocent? Did you practice due diligence? And did you back up your reasoning?
So is your reasoning process actually justified? Is it a sound reasoning process? Next is the description of steps and results. Collection and analysis step by step: how did you collect the data? How did you analyze the data? Results and findings: once you analyzed the data, what were the results, and what does that mean in terms of the investigation question being asked? Key points go in the main text and more detail in the appendix. So your main text should be relatively short, and then you might have more than 100 pages of appendices or additions that you add on. But don't put them in the main text; just keep your main report very short. The appendices can be hundreds of pages, no problem. Any conclusions you're making: answer the investigator's question. Was this computer used to commit a certain type of crime? Yes or no? Here's my evidence to support it, or here's my evidence to deny it. And then any recommendations that you might make. Now, recommendations really depend on the country again. Next is references. In your report you should be referencing case law, you should be referencing research, websites that have done different types of investigations, things like that. Use a lot of references. So you need this references section. Then the appendices come after that, so any extra things that you want to attach. And then make sure that at the beginning of the document you put an executive summary. This is a one to two page maximum summary of your entire results in the report. So you have your main report that's probably 10, 20, possibly 30 pages. You have an executive summary that's one to two pages, and most people will read the executive summary to get the basic idea, like: here's the question, here's the answer, here's my evidence. Then if they're very interested they can go read the rest of the report.
So make sure you include an executive summary, because that's what most people will read, and then the actual judge or prosecutors will read the full report. And then, while you're reporting, beware of placing a person at the keyboard. It's very rare that we can actually place a specific person at the keyboard unless we have CCTV on their computer or whatever; unless we have a person that says they were sitting there, it's very difficult for an investigator to say that a specific person was there. So for example, an account does not mean a person. If somebody logs into a Gmail account at a certain time, well, maybe their password was stolen, so we don't necessarily know that it was a specific person. So be very careful about putting a person at the keyboard. Additional evidence is normally required, like CCTV or these other things. Absence of evidence is not evidence of absence, so not finding a trace does not mean it didn't happen. So for example, anti-forensics is becoming relatively popular, which means that traces that you would find in your investigation might be removed by the suspect, so you might not find anything but the crime still happened. So you might need to look for other sources of evidence. Don't just assume that because nothing was there nothing happened. Up to a certain point. The ultimate issue: the expert is not usually allowed to give an opinion about the guilt or innocence of the accused. So the investigator themselves cannot normally say this person is definitely guilty or this person is definitely innocent, or not guilty I should say. But some countries, like Korea, kind of ask, what's your opinion about the guilt or non-guilt of this suspect? So be very careful about giving your opinion on whether somebody is actually guilty or not. Stick to answering the question that the investigator has posed to you. So, kind of a recap.
Make your documentation technically detailed, because you might jump between cases and it could be a long time before you get back to the case. Make sure it's very technically detailed, and then consider the purpose of the report. Who are you writing for? Make sure that it's not technical, usually, unless you're writing a technical report for somebody else: a brief report for communicating progress, a comprehensive technical report for other experts, or an expert report for the court, for example. Just make sure that you know your audience. Use terminology geared toward whatever audience you're speaking to, and define all of your technical terms. For any technical terms you're using, either put definitions in footnotes or in the appendix. Reporting. Also, in reporting, develop conclusions. Have a logical argument for each conclusion. Use a clear and consistent visual style, so the same font style and line spacing throughout. Don't copy and paste, or if you do copy and paste, make sure everything has the same look. Number paragraphs for easy reference, and read sample reports. The best way to write good reports is to go look at samples. So that's it. Like I said, reporting and documentation in digital forensics is probably one of the most important skills you can have, and really it's just about communicating your results. Can you communicate your results effectively and convincingly? That's really the major point I want to get across with this. Make sure you're documenting and reporting well. It's one of the most important things you can do. Thank you very much.
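As an added example (not part of the lecture), the documentation checklist from the talk (a UTC time for every action, the tool and its version, the exhibit list with make, model, serial number, stickers and storage size, where outputs were saved, and the question and who asked it) together with the numbered-paragraph advice for reports, as a small Python structure that writes plain-text JSON Lines and renders a numbered appendix. The case id, serial number, tool names and paths are constructed placeholders.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass
class Exhibit:
    """One device in the exhibit list: identification plus storage size."""
    exhibit_id: str
    make: str
    model: str
    serial: str
    size_bytes: int
    markings: str = ""  # stickers or other physical identifiers


class ExaminationLog:
    """Append-only record: what was done, when (UTC), with which tool version."""

    def __init__(self, case_id, question, requested_by):
        self.case_id, self.question, self.requested_by = case_id, question, requested_by
        self.exhibits, self.entries = {}, []

    def add_exhibit(self, ex):
        if ex.exhibit_id in self.exhibits:
            raise ValueError(f"duplicate exhibit id {ex.exhibit_id}")
        self.exhibits[ex.exhibit_id] = ex

    def record(self, exhibit_id, action, tool, tool_version, output_path=None, when=None):
        # Refuse entries a third party could not verify later.
        if exhibit_id not in self.exhibits:
            raise KeyError(f"unknown exhibit {exhibit_id}")
        if not tool_version:
            raise ValueError("tool version is mandatory: versions can give different results")
        when = when or datetime.now(timezone.utc)
        self.entries.append({"time_utc": when.isoformat(timespec="seconds"),
                             "exhibit": exhibit_id, "action": action, "tool": tool,
                             "tool_version": tool_version, "output_path": output_path})

    def to_jsonl(self):
        """Plain-text JSON Lines, so the file stays readable decades from now."""
        head = {"case_id": self.case_id, "question": self.question, "requested_by": self.requested_by}
        lines = [json.dumps(head)] + [json.dumps(asdict(e)) for e in self.exhibits.values()]
        lines += [json.dumps(e) for e in self.entries]
        return "\n".join(lines) + "\n"

    def appendix_text(self):
        """Numbered paragraphs so the report can cite e.g. 'appendix paragraph 2'."""
        out = []
        for n, e in enumerate(self.entries, 1):
            line = f"{n}. [{e['time_utc']}] {e['exhibit']}: {e['action']} using {e['tool']} {e['tool_version']}"
            if e["output_path"]:
                line += f"; output saved to {e['output_path']}"
            out.append(line)
        return "\n".join(out)


def sample_log():
    """Constructed sample case; case id, serial, tools and paths are placeholders."""
    log = ExaminationLog("CASE-0001", "Was this laptop used to download illegal videos?", "Investigator")
    log.add_exhibit(Exhibit("EX-01", "ExampleMake", "ModelX", "SN-PLACEHOLDER", 512 * 1024**3, 'sticker: "office 2"'))
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    log.record("EX-01", "acquired disk image", "imaging-tool", "1.2.3", "/cases/CASE-0001/ex01.dd", when=t0)
    log.record("EX-01", "parsed browser history", "parser-tool", "4.5", "/cases/CASE-0001/ex01-history.csv", when=t0.replace(hour=10))
    return log
```

Each JSON line is self-describing, so the file can be read in any text editor and also loaded by a script when a colleague or an external expert wants to check the steps.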