Health Belief Model
Digital Forensic Examination Summary Report
(For all lab assignments except Lab 0; remove red writing before submitting assignments.)
Examiner: Your name and forensics company (simulated).
Case Background: Give an adequate description of the scenario as if the reader knows nothing about this case. why are you conducting this examination? who requested it? This should be more than 2-3 sentences. Use what’s given to you in the lab scenario assignment to establish a quality case background.
Legal Authority: (To conduct exam i.e. search warrant, consent, government / organizational property. This must be always stated in a report).
(It’s a good idea to divide into subsections.)
(Lab machine – your laptop or desktop).
Simulate using a hardware write-blocker if the scenario doesn’t specify how the data is write protected. A write-blocker prevents any writes to the media being examined so the examiner can acquire it safely without altering original evidence.)
(Include full software versions, simulate when necessary).
Initial Processing (Show both acquisition and verification hash sums; list the media examined with description and serial number / see Addendum A)
Example verbiage: “The processing included inspection, photography, and anti-virus scans of the examined media. The imaging of the media created forensic evidence files for use in the subsequent forensic examination. Methods were forensically sound and verifiable based on matching hash sum values.”
Preliminary Findings: (Out of analyzing X number of files, X were of forensic value; briefly describe the partition and file structure of the media examined; this is a synopsis of what you found of forensic value.)
Detailed Findings: (This is where most or all of the case questions can be answered along with whatever else is required in the grading deliverables. This will always be the longest part of your report. If you feel that some detailed findings would be better placed in an Addendum, that’s a good place too).
Discussion Questions: The lab instructions will have discussion questions related to the specific lab. For instance, the discussion questions for Lab1 can be found on page 5 of the “CMIT 424 Lab 1 Lecture SPR16” document.
- Which items were properly sanitized? (What evidence indicates this?)
One or two sentence answer.
- Which items were not sanitized? (What evidence indicates this?)
One or two sentence answer.
- For storage media containing recoverable artifacts, which artifacts on that storage media require further investigation? Grounds for further investigation include:
- Privacy issues (i.e. contents included names, addresses, and other personally identifiable information)
- Customer information
- Company owned intellectual property
- Pornography, gambling, or other banned activities (unacceptable use of company resources)
- Criminal activity
- Password Protected files (including recoverable passwords)
- Any other activities contrary to the company’s policies or best interests
In cases where you are given such as that in question 3, you are not required to answer every question if they do not apply. For instance, if you find no issues related to privacy, you do not need to answer question 3.a. Use your best judgement.
Conclusions / Further Actions Required: (Just state the facts; recommend what other devices could be examined to further the case; recommend interviews of subjects if applicable; are there protected files that need decryption?
Do not make judgment calls or suggest punitive actions i.e. John Smith should be removed from his position; give the client the facts and let them make the decisions on what to do with the information.)
Each Addendum should start on a separate page.
Addendum A: Photos
(Simulate with pics of similar devices you find on the Internet. It is always a good idea to include a picture of the evidence you examined.)
The following is a photograph of XXXX
PICTURE(s) SHOWN HERE
The following details the forensic image processing.
Seagate Hard Drive, 250GB, Serial #12345:
Digital Forensics Examiner (DFE) created forensic evidence files of XXXX drive #XXXX.
The pre-processing hash results are presented below:
MD5 checksum: XXXX
SHA1 checksum: XXXX
The forensic processing subsequently created XXXX (X) files (simulated).
Forensic Evidence Files Created: XXX.E01 – XXXX.E04 (example with four files)
The forensic imaging process involved a post processing hash verification of the contents of the evidence file compared with the pre-processing hash. The hash analysis is presented below.
MD5 checksum: XXXX: verified
SHA1 checksum: XXXX: verified
The forensic imaging process successfully created a forensically sound and verifiable bit stream copy of the hard drive in the form of forensic evidence files.
Addendum B: Steps Taken
These are your notes on the steps you took while conducting the examination. Often, the examiner must submit their notes along with the forensic report if a case goes to court.
I recommend just numbering your steps i.e. 1, 2, 3 in chronological order.
Start with how you received the media and describe how you sterilized. For example:
1. Original USB drives and CD-Rs received from R. Jones. Items labeled and chain of custody (COC) documentation initiated.
2. Forensically sterilized target media prepared using Paladin vX.XX.XXX. After launching the Paladin tool, the target media was physically connected to the workstation running Paladin. Target media was wiped and verified using command “sudo dcfldd pattern=00 vf=/dev/sdc.” Results were a match, verifying the target media was forensically sterile.
3. describe your analysis steps