Chapter 4: Report the Investigation

Published: January 11, 2007

This chapter discusses how to organize the information that you gather and the documentation that you create throughout a computer investigation, as well as how to write a final report. Use the two-step process shown in the following figure.

Figure 4.1. Reporting phase of the computer investigation model

Gather and Organize Information

During the Assess, Acquire, and Analyze phases of a computer investigation you document the specific activities carried out in each phase. From this documentation you need to identify the information that is relevant to the investigation and organize it into appropriate categories. Use the following procedure to gather and organize the documentation required for the final report.

  1. Gather all documentation and notes from the Assess, Acquire, and Analyze phases. Include any appropriate background information.
  2. Identify parts of the documentation that are relevant to the investigation.
  3. Identify facts to support the conclusions you will make in the report.
  4. Create a list of all evidence to be submitted with the report.
  5. List any conclusions you wish to make in your report.
  6. Organize and classify the information you gather to ensure that a clear and concise report is the result. Reference the following "Write the Report" section and Sample - Internal Investigation Report.doc (in Appendix: Resources in this guide) to help organize the information.

Write the Report

After you organize the information into appropriate categories, you can use it to write the final report. It is critical to the outcome of the investigation that the report is clear, concise, and written for the appropriate audience.

The following list identifies recommended report sections and information that should be included in these sections.

  • Purpose of Report. Clearly explain the objective of the report, the target audience, and why the report was prepared.
  • Author of Report. List all authors and co-authors of the report, including their positions, responsibilities during the investigation, and contact details.
  • Incident Summary. Introduce the incident and explain its impact. The summary should be written so that a non-technical person such as a judge or jury would be able to understand what occurred and how it occurred.
  • Evidence. Provide descriptions of the evidence that was acquired during the investigation. When describing evidence state how it was acquired, when, and who acquired it.
  • Details. Describe what evidence was analyzed, the procedures and analysis techniques that were used, and what the analysis found. Include proof of each finding, such as tool output and log entries, and justify each conclusion that is drawn from the analysis. Label supporting documents, number each page, and refer to them by label when they are discussed in the analysis. For example, "Firewall log from server, supporting document D." Also identify the individuals who conducted or were involved with the investigation and, if applicable, list witnesses.
  • Conclusion. Summarize the outcome of the investigation. Cite the specific evidence that supports the conclusion, but do not repeat the detail of how the evidence was obtained (that information belongs in the "Details" section). State the conclusion as clearly and unambiguously as possible. In many cases the conclusion is placed near the beginning of the report, because it is the actionable information for the reader.
  • Supporting documents. Include any background information referred to throughout the report, such as network diagrams, documents that describe the computer investigation procedures used, and overviews of the technologies involved in the investigation. Supporting documents should give the reader enough information to understand the incident as completely as possible. As mentioned earlier, label each supporting document with a letter and number each page of the document. Provide a complete list of supporting documents.
  • Glossary. If the report is likely to be presented to a varied audience, include a glossary of the terms used in it. A glossary is especially valuable when the law enforcement agency is not familiar with technical issues or when a judge or jury needs to review the documents.

Note: During an investigation you will likely collect valuable information about the use of computer investigation processes. You might also gain experience and a better understanding of operational and security-related procedures. You should review your existing operational and incident response documentation and incorporate the knowledge you gain during an investigation. If you do not have such documentation or wish to adopt an industry standard format, you can use the Microsoft® Operations Framework (MOF) documentation templates and guidance. For more information about MOF, visit the Microsoft Operations Framework home page.

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.

Download

Get the Fundamental Computer Investigation Guide For Windows
