-Santosh Khadsare

“Accuracy, Credibility and Legal Scrutiny are the key features of Digital Forensics Report” (Khadsare 2020)

Introduction

Digital Forensics (DF) is a niche field and in today’s scenario every criminal case involves digital evidences which need to be analysed. The Principle of Exchange (Dr. Edmond Locard’s Principle) states that whenever two items come in contact there will always be exchange (Sammons, 2014). This principle is also true in case of digital forensics. When you create a document on a digital device, the imprint is made and remains there in number of places. In layman terms, digital forensics is to prepare digital evidence to be produced in the court of law. The scientific definition is, “The use of scientifically derived and proven methods toward the identification, preservation, collection, validation, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.” (Carrier, 2002)

The terms Cyber Forensics and Digital Forensics are being used interchangeably and hence use of any of these terms means one and the same. I would prefer using digital forensics as it includes everything digital in nature also in the cyber domain. Digital Forensics should be considered as a techno-legal field because it involves both involvement of both technology and law for resolution of incidents in the digital/cyber domain. All the digital evidences seized by the law-enforcement agencies are submitted to the cyber/digital forensics laboratory for further analysis.

Digital Forensic Report

Outcome of any digital forensic laboratory is its analysis report which is presented in the court of law and is justified by the expert witness (the analyst) who is also the author of this report. The ultimate audience of the report is the judiciary and hence the report should be such that the author should be able to put forth his findings and recommendations in a systematic and clear manner. The digital forensic report prepared by a forensic laboratory can be the most effective if not the only way to answer many questions about the incident.

Digital forensic report is a statement of fact and not the conclusion of the case being investigated. During analysis the digital forensic analyst can only find out the modus operandi or recreate the sequence of events but cannot put the man behind the machine. The onus of putting man behind the machine is of the investigating officer of the case. Your report assists the investigating officer to come to conclusions and may not always be the only source of information to him.

Key Features of a Digital Forensic Report

Accuracy. Fact is a fact and nothing else. If doubtful evidence should not be part of report. The same evidence should be derived by different tools and different analysts if required.

Clarity. The report should be clear leaving no ambiguity in the minds on the reader.

Credibility. Credibility comes if the laboratory from notified (In India Section 79A for IT Act 2000 for notification as Examiner of Electronic Evidence (EEE)). Credibility also comes with licensed approved tools (NIST framework an example).

Accountability. The digital forensic analyst endorsing the report is accountable and answerable for all that has been mentioned in the report, hence the digital forensic analyst needs to be careful while preparing the same.

Legal Scrutiny. Should be as per the laws of the land. Example Information Technology Act 2000 for India. It should be produced to the court by relevant Law Enforcement Agency (LEA) who is doing the investigation.

Simplicity. Easy to understand. Even a lay man should understand. Less of technical jargon. Use question and answers, flow charts, label diagrams, notes where required.

Different Sections of a Digital Forensics Report

The digital forensic report can be divided into following sections:-

The Brief of the Case. This is the first section of the report that is prepared by the digital forensic laboratory. It contains the inputs provided by the investigating officer regarding the brief details about the case also to include name of the police station where the case has been registered, First Information Report (FIR) number and other documents related to the case. It also mentions about some details from the Chain of Custody (CoC) form such as the person who has deposited the digital assets, number of packages deposited by him and the analyst of the lab who has accepted the case after crosschecking all the documents. This part of the report gives a summary of the case so that other documents need not be referred to.

Details of the Digital Assets (devices) Received for Analysis. Packets are received in sealed condition.Once the seal on packets received is cross checked with the specimen seal provided by the sender agency, the packets are opened and the devices are removed. The make, model, serial number and number of the devices are matched with those mentioned in the details provided by the investigating officer. During this entire process photography and videography is carried out to maintain transparency of the case. All the devices are labelled for further reference and the same is mentioned in the report.

Digital Analysis. The digital forensic analysis is carried out as per the questionnaire provided by the investigating office. In some cases, the investigating officer just requires extracted data in digital form while keeping integrity intact. While in some cases the investigating officer requires some analysis to be carried out. Hashing is carried out to maintain integrity of the digital evidence. It is recommended that two hashing algorithm be used to carry out the hashing and results of both be mentioned in the report. Generally forensic tools provide MD5 and SHA hash. The modus operandi if any should be mentioned in this part of the report. It would be great if the analysis is presented in figures, graphical or tabular form which will make it easier for the court to understand the technical part of the report. Flowchart is also a great visualisation and using it is a great idea.

To make the digital forensic report more acceptable in the court of law it would be a great idea to give examiner steps wherever necessary in the report. There can also be a special appendix of frequently asked questions (FAQs) which can assist the reader with the jargons of digital forensics.

Few forensic terminologies such as ‘sound forensic methods’, ‘global standards’, ‘law of the land’, etc should be mentioned in this part of the report. It also has to be mentioned clearly that the analysis has been carried out on the image and not on the original device. The original device after imaging has been preserved in flameproof antistatic lockers and are in safe condition.

If the digital forensic laboratory has been notified or follow some international standards the same should be mentioned in the report. In Indian context, the report prepared by Laboratory notified as Examiner of Electronic Evidence (EEE) under 79A of Information Technology Act 2000 is tenable in the Indian court of law. The preservation of the report in digital form also should be mentioned in the report. It should be noted that at all times confidentiality and integrity of the analysis being carried out at the laboratory should be maintained.

Forensic Tools. It is mandatory to mention the forensic tools use during the process of digital forensic analysis. In addition to the tools it is strongly recommended that the version number of the tool be mentioned so that if in case the digital devices are examined by another expert or analyst he gets the same results. The tools mentioned also should be segregated depending upon the tasks they are performing. If storage media analysis is carried out then the tools use should be mention under the same subheading. Similar is the case with the tools being used for mobile forensics or any other discipline of digital forensics.

Recommendations/ Conclusion. In this section, as a digital forensic analyst you can have recommendations/ conclusions regarding the analysis carried out. However, you cannot conclude if a person is guilty or not as this is the job of the investigating officer but you only can put forward the statement of facts which can be proved scientifically by anyone who uses the same procedures to do the analysis.

Miscellaneous Points

There should be a distribution list which should be mention at the end of the report.
Disclaimer points should clearly mention that the report cannot be reproduced by anyone other than the lab.
Digital forensic report should be Page numbered and signed on every page.
Digital forensic report should have a classification so that only people concerned have access to the same.

There should be a distribution list which should be mention at the end of the report.
Disclaimer points should clearly mention that the report cannot be reproduced by anyone other than the lab.
Digital forensic report should be Page numbered and signed on every page.
Digital forensic report should have a classification so that only people concerned have access to the same.

Preservation of Digital Copy of the Report

The digital copy of the report needs to be stored for future reference. The labs do have a printed (hard) copy, but it is recommended that a soft (digital) copy of the same be preserved in the laboratory. Important points to be kept in mind while preparing a soft (digital) copy of the report. There are occasions when digital reports generated by forensic tools are also attached to the main report. Following necessary precautions should be taken:-

The report should be uneditable (preferable in pdf).
It should be password protected.
Should be watermarked (with copy number and laboratory name).
Should be hashed to maintain integrity.

Basic Professional Rules for Report Preparation

· Font Size and Colour. It is recommended that standard font size and colour used. Fonts that can be used or aerial newtons Roman or Calibri. Headings and subheadings should have a font size of 12 while the other text font size should be 11 or 12 with single spacing. And of course the colour has to be black and margins can be standard margins.

Justify your Text. Your paragraphs should be justified and tables are recommended to be left aligned while figures should be centre aligned.

Images. Images should be clearly visible and uniformly placed. Text and arrows in the images should be clear without ambiguity. Images should be numbered or named for easier identification.

Header and Footer. The digital forensic report should have a header and footer you should mention the classification of the report. In addition the footer should have page numbering either in the centre or in the right corner. The name of the laboratory also can be mentioned either in the header or in the footer section.

Abbreviations. Abbreviations should be avoided in a digital forensic report as far as possible. If used then they need to be mention in the first few paragraphs along with the expanded text.

Expert Witness

An expert is a skillful professional in a particular field capable of possessing specialized knowledge concerning the matter in issue, which a common man cannot possess. Opinion of an expert is defined as, “When the Court has to form an opinion upon a point of foreign law, or of science, or art, or as to identity of hand writing or finger-impressions, the opinions upon that point of persons specially skilled in such foreign law, science or art, or in questions as to identity of handwriting or finger impressions, are relevant facts. Such person called experts. (Anon., n.d.)

Not everyone in the digital forensic laboratory can sign the report of analysis carried out by the laboratory. The person who endorses his signature has to depose as an expert witness in the court of law. Expert’s qualification and experience matters a lot before the court permitting the analyst to depose as an expert witness.

Frequently Asked Questions (By the Court to the Expert Witness)

Is this report prepared by you?
What are your qualifications as a digital forensic expert?
What is your experience in analysing the cases which come to your laboratory?
Is there anyone else who was assisting you in Analysis of this case?
What is this report prepared under the influence and pressure of an external person?
Have you maintained the confidentiality of the report?
How many copies of the report have you prepared?
Is your digital forensic laboratory notified by the government?
Are these your signatures on the report?
Do you stand by your report?
What is the difference between digital forensics and cyber forensics?
What is the difference between imaging and cloning?
What is Hashing?
Can they be two documents which seem similar Hashes?
Difference between artefact and digital evidence?
Difference between a clone an image?
What is difference between imaging and extraction?
How have you maintain the integrity of the evidence?
What do you mean by ‘sound forensic manner, as mentioned in your report?
Are the tools used for analysis licensed and what is the expiry date of licensing?
Are other digital forensic laboratory’s better than you?

Summary

Digital Forensic Report is an important part of the overall criminal investigation and sometimes proves as the most crucial evidence to nail the accused. However, it is not the only evidence that the court relies on. The report may or may not be taken cognizance of depending on the way analysis is carried out and put across in the report. While preparing the report, the communication skillset of the digital forensic analyst comes in play. In short the report should not only be accurate and credible but also should stand legal scrutiny.