Mastering the Art of Crafting a Professional Digital Forensics Report at the Masters Level (Part 1)

CyberDarkside
20 min read · Jul 18, 2024


In this article, we not only provide a template but also present a real-world scenario example crafted with expert precision to demonstrate the meticulous process of creating a digital forensics report at the master’s degree level. Drawing from a collection of other forensic reports, this exemplar showcases consistent methodologies and best practices essential for effective report writing in digital forensics.

In this article, you’ll find a template that includes real-life examples written by none other than yours truly! I’m excited to share my expertise and experience in crafting digital forensics reports with you. Let’s dive in and explore how to take your reports from Zero to Hero!

Template for Digital Forensics Report:

Report of ID_Number

Specialist field Digital Forensics

On behalf of the Claimant, West Midshires Police

Title of the action: Reex v Criminal

Court reference number: 50034

_________________________________________________________________________________

Final report of [ID_Number] for the Court of Solihul

_________________________________________________________________________________

Dated

11/09/2023.

Specialist field:

Digital Forensics

On behalf of the Claimant/Defendant (or both if single joint expert):

West Midshires Police

On the instructions of:

West Midshires Police

Subject matter:

Investigating an incident involving the recovery of two devices that may be linked to an assault on a victim.

Institute Address:

Institute Phone Number:

Institute Email Address:

Table of Contents

1 Introduction
1.1 Preservation
1.2 Antivirus Scan
1.1 The writer
1.2 Summary background of the case
1.3 Summary of my conclusions
1.4 Those involved
1.4.1 Description of Suspects:
1.5 Technical terms and explanations
2 The issues to be addressed and a statement of instructions; Purpose
2.1 Tools Utilised:
3 My investigation of the facts
3.2 Enquiries/investigation into facts by the expert
3.2.1 Timeline:
Assumed facts
Registry Examination:
3.2.2 Operating System
3.2.3 Names and Accounts
Dashcam Make/Model:
18A
18B
18C
Emails:
Markings:
GPXsee:
3.3 Documents
3.4 Interview and examination
3.5 Research
4 My opinion
Statement of conflicts
Statement of compliance
Declaration of Truth
Signature………………………………………………… Date…………………………………….………………….

List of Figures

Figure 1 Forensically Sound
Figure 2 Hash Verification
Figure 3 Criminal PC Hash verification process
Figure 4 Criminal PC Hash Verified
Figure 5 Partition scanned for malware, Windows Defender
Figure 6 Represents Anti-virus scan complete with 0 indicators of malware detected
Figure 7 Identified Suspects
Figure 8 Operating System, build, user — representing PDJ having accessibility to his supposed account
Figure 9 Epoch Converted — OS Installation Time
Figure 10 Account Ownership
Figure 11 User Accounts — Registry
Figure 12 Registry Last login time
Figure 13 Registry Time zone on represented on the analysed machine
Figure 14 Registry view of all USBs accessed on system
Figure 15 Wi-Fi networks accessed via computer system
Figure 16 Programs installed on the system
Figure 17 Recent documents and activities
Figure 18 Last log on information, available to view in “SAM/Domains/Account/Users/Names”
Figure 19 Dinny queries
Figure 20 Alternative procurement of interaction, instead of emails
Figure 21 Victim direct communications with Suspect
Figure 22 Further Victim-Suspect Interaction
Figure 23 Further Victim — Suspect communication
Figure 24
Figure 25 Proof of communication between both parties
Figure 26 Account details, communication regarding illegal contraband, pick up detail
Figure 27 Inquiring about a specific occupation while discussing student status
Figure 28 Suspicious supplier details
Figure 29 Specific drop information
Figure 30 The suspect represents methods of self-identification
Figure 31
Figure 32 Suspect Response
Figure 33 Victim scared response
Figure 34
Figure 35 Suspect mentions Petrov/ski
Figure 36 Drop times specified
Figure 37 Drop recommendation
Figure 38 Drop time, suspect warning of individual
Figure 39 Metadata of above
Figure 40 Victim prefers confidentiality
Figure 41 The figure above represents drop locations for the suspects team selling contraband
Figure 42 Further suspicious markings
Figure 43 Suspicious markings, metadata confirmed relating to 3 drops of ‘jelly beans’ — ‘3Drops16–2–23.PNG’
Figure 44 Numbered google map suspicious markings
Figure 45 Metadata verification substantiates the presence of dubious numerical markings as a designated drop location
Figure 46 Metadata verification establishes the association of similar numerical markings with specific points of interest
Figure 47
Figure 48
Figure 49
Figure 50
Figure 51 Entire path

Report

1 Introduction

As a certified Digital Forensic Analyst, I have been requested to assist in capturing crucial evidence by employing open-source industry-standard forensic software and a custom-created digital forensic methodology. The objective is to retrieve and extract vital information that may contribute to the forensic case.

1.1 Preservation

To enhance forensic integrity, I conducted an additional backup using an SDXC card, thereby improving the portability of the data. In line with ‘ACPO Principle 1’, I have ensured that no action was taken that could manipulate or modify the digital evidence stored on the device. If the case were to be replicated by another examiner, the metadata would be unchanged, allowing for ‘repeatability’ of the investigation; this also prevents a breach of ‘Principle 2’.

Hash Verification Dashcam:

Figure 2 Hash Verification

DJK PC:

Figure 3 DJK PC Hash verification process

Figure 4 DJK PC Hash Verified

A bit-by-bit copy was taken as the backup, and its hash was verified against the original.
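The hash verification step described above, as an added example in Python (not the report’s own tooling): every algorithm is computed in one pass over the image so a multi-gigabyte E01 is read only once, both the original and the backup copy are compared against the hashes recorded at acquisition, and the output lines are in a form that can be pasted under the verification figure. The file names, sizes and content in `demo()` are constructed stand-ins, not case data.

```python
"""Hash verification for a forensic image copy: the working copy must hash
identically to the original so that another examiner can repeat the work on
unchanged evidence (ACPO Principles 1 and 2)."""
import hashlib
import os
import shutil
import tempfile

CHUNK_SIZE = 1024 * 1024  # 1 MiB blocks: never read a multi-GB E01 into RAM at once


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest}, computing every algorithm in one pass over the file."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(original, copy, recorded):
    """Check the original and the copy against the hashes recorded at acquisition.

    recorded: {algorithm: hexdigest} as written in the acquisition log.
    Returns (all_match, report_lines); the lines are ready to paste into the report.
    """
    lines, all_match = [], True
    for label, path in (("original", original), ("copy", copy)):
        actual = hash_file(path, tuple(recorded))
        for alg, expected in recorded.items():
            match = actual[alg].lower() == expected.lower()
            all_match = all_match and match
            lines.append(f"{label:<8} {alg:<6} {actual[alg]}  {'MATCH' if match else 'MISMATCH'}")
    return all_match, lines


def demo():
    """Constructed walkthrough (no real case data): acquire, copy, verify, then show
    that a single altered byte in the backup is caught. Returns (ok_before, ok_after)."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "evidence.E01")          # constructed name
        copy = os.path.join(workdir, "evidence_backup.E01")       # constructed name
        with open(original, "wb") as fh:
            fh.write(bytes(range(256)) * 4096)    # 1 MiB of deterministic stand-in content
        recorded = hash_file(original)            # what the acquisition log would record
        shutil.copyfile(original, copy)
        ok_before, _ = verify_copy(original, copy, recorded)
        with open(copy, "r+b") as fh:             # simulate silent corruption of the backup
            fh.seek(512)                          # original byte here is 0x00
            fh.write(b"\xff")
        ok_after, lines = verify_copy(original, copy, recorded)
        for line in lines:
            print(line)
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```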

1.2 Antivirus Scan

Figure 6 Represents Anti-virus scan complete with 0 indicators of malware detected

When Malwarebytes is utilised to scan the partition, 5 malware files are detected on the DJK PC E01.

1.1 The writer

I am ID_Number, specialising in… (Write your bio)…

1.2 Summary background of the case

The case involves an assault on a victim by a suspect, as documented in the concise chronology of key events provided in ‘Appendix 2’. The investigation task team has been assigned the responsibility and mission to uncover and recover as much information as possible.

We have been tasked with examining a case that involves compiling facts derived from statements made during an interview conducted by the West Midshires Police Force with the primary suspect, PD. An assault took place at 10:57am on the 7th of March 2023 at the side of the ‘Degree Institute Centre (DI)’. Several points were conveyed by the investigations team: the suspect does not know the victim (1); the suspect never crossed paths or spoke with the victim (2); the suspect was in Leicester on the day of the assault (3). Additionally, my senior officer has asked me to examine two newly provided artefacts to connect the dots and investigate the profile that connects PDJ with the victim of the assault, named ST (4). Moreover, I should collect fact-based evidence to determine whether the suspect was in close proximity to the crime scene (5), and procure information to support or verify the statements made by the suspect during the interview (6). Furthermore, it is vital to inspect the DFI to determine whether other suspects were involved. Finally, I need to report back to my senior officer on any other relevant issues (7).

1.3 Summary of my conclusions

Through meticulous tracking and comparison of specific files, metadata, and GPX map data, it is evident that the suspect maintained complete control over their account, as evidenced by scrutiny of the hives and registry. There is no indication of unauthorised access to the computer, as the relevant evidence has been closely monitored and reviewed.

1.4 Those involved

Note: Names have been slightly altered to prevent future plagiarism from online publishing.

1.4.1 Description of Suspects:

A list below should help the Judge identify the difference between suspects mentioned in court.

PDJ — Prime suspect accused of assault.

DJ — Partner in crime, as Dinny refers to PDJ as ‘darling’.

Rben Beeth — Reuben, a proficient individual well-versed in technology, is consulted by Dinny to address inquiries regarding the encryption of various devices and communications, in the context of digital forensics and hardware.

Pedro — In communications relating to Birmingham drops, via suspicious emails between Dinny or a suspected friend.

Perth — Petrov/ski is a common associate known to PDJ and is mentioned with a negative connotation as ‘Perth ski/Petrov’.

Bill — A dealer, connected as a supplier of illegal drugs.

1.5 Technical terms and explanations

I have indicated any technical terms in bold type. I have defined these terms when first used and included them in a glossary in the appendix. I have also included in appendix 2 extracts of published works I refer to in my report, and in appendix 1, 2 there are diagrams and photographs to assist in the understanding of the case.

2 The issues to be addressed and a statement of instructions; Purpose

The West Midshires Police force has been assigned the responsibility to uncover and recover as much information as feasibly possible.

The goal is to implement a tailored methodology to conduct a thorough investigation of two imaged devices: the ‘PDJ’ PC and the dashcam with a damaged lens. The approach involves initiating the task by employing tools such as Registry Explorer, GPXsee, Google Maps Satellite, Exiftool for coordinate extraction, etc., to uncover hidden paths, explore registry hives, and extract relevant data.

2.1 Tools Utilised:

- Gpxsee (trusted by court).

- SQLite Viewer.

- Google Maps.

- Exiftool — Command: exiftool -p "E:\NewVideos\gpx.fmt.txt" -ee "E:\NewVideos\*.MOV" > output.gpx

- NextBase.

- Excel.

3 My investigation of the facts

Appendix 1 contains a paragraph describing the investigation’s systematic methodology.

3.2 Enquiries/investigation into facts by the expert

3.2.1 Timeline:

The information below represents a fact-driven timeline that covers individual points: (1, 3, 7 etc.)

On the 14th of February, metadata proves that S.T (victim) reached out to the identified suspect, PDJ, according to evidence in Appendix 1, noted as ‘figure 40’. They were to do business together by dropping illegal contraband at specified locations; ironically, they never met. The victim replies regarding the drops job, saying he is available, even though the suspect apologises for the short notice. This directly contradicts the personal statement PDJ made during the interview with the West Midshires investigation team, and breaks statement (1).

Furthermore, in a continuing email the suspect mentioned that he does not interfere with students nor negotiate with them in business, supposedly because it is risky. This is shown when the victim declines to give his personal phone number, in ‘figure 40’ – ‘Item 1B’. From the emails presented, it seems highly likely that S.T has experience in dealing or selling items around the Cyber Institute, as mentioned under ‘figure 22’.

On the 15th of February, the suspect emailed a request regarding the next drops, and the victim replied asking for certain information such as ‘Price, location, time’. This is represented under evidence item ‘figure 21’. On this day, the suspect mentions that the ‘classification’ of the drugs comes under the category ‘Blue beans’. When this information is disclosed, the tone of the victim’s messages changes, which could indicate greed for a bigger cut.

On the 16th of February, an anonymous partner confirms that the Birmingham job has come to an end. Next, a suspect or mutual acquaintance is noted down and indirectly referred to as a ‘time waster’.

On the 17th of February, a new name, ‘Perth ski’, is mentioned with rage by the suspect; it is later identified as ‘Petrov’ by an anonymous user (“I think you mean Petrov-ski?”) in the ‘PDJ-D’ Gmail sent messages, in a conversation stating that “red beans are extremely difficult to get a hold of”.

On the 7th of March, according to the dashcam (07:42am), the vehicle begins its journey from Birmingham and merges onto ‘Pereira Road’ towards ‘Park Hill Road’. Next comes North Road, which soon merges with ‘High Street’. At 07:44, the suspect turns onto ‘Metch Lane’, passing the ‘University of Birmingham Medical Practice’ at 07:46. A roundabout is navigated around a school at 07:48. Subsequently, dashcam footage shows the driver heading towards the roundabout connecting to ‘Welling Road’ from ‘Sir Harry’s Road’ at 07:54. The speed increases from 38 to 59.5 km/h on the (A38) motorway, reaching 62.5 km/h at ‘Lancaster Circus Flyover’ by 08:01. Joining the M6 at 08:11, the suspect concludes the journey on ‘Fletchamstead Highway’ a few minutes before arriving at the ‘Apprenticeship Centre’ at 8:36am. It is evident from ‘figure 50’ (5) that the suspect was in the specific vicinity just a few hours before the interview (7).

‘Appendix 2, item 2A’ shows a concise breakdown of the events that occurred.

Assumed facts

· I posit that WeTransfer was employed as a secure communication service, given the reference to its use in transferring suspicious attachments interchangeably.

· The suspect, PDJ, may have been carrying other people who were part of his group whilst he drove his vehicle.

· The victim was knowledgeable about the locations within the Cyber Institute.

· It is my belief that the terms “Blue beans” and “Red beans” are indicative of illicit contraband.

· There is a possibility that the suspect was operating the vehicle.

· The email accounts associated with particular users were indeed owned by them.

· Perhaps the victim did not return a batch of the money made within a drop.

· The victim never got his deserved cut.

· Exaggeration was used by the victim to gain more from each drop. ‘Image 33’ suggests emotion has been used through terms such as ‘bloody!’ and ‘two-year sentence’.

· Guilt-tripping methods were used to persuade the suspect to give more profit per job.

Registry Examination:

3.2.2 Operating System

Figure 8 Operating System, build, user — representing PDJ having accessibility to his supposed account

According to ‘figure 8’, ‘DJK’ installed the entire OS, which runs on ‘Windows 8.1 — Inc build’; this is easily found in “SOFTWARE/Microsoft/WindowsNT/CurrentVersion”. Next, the installation time, stored as the epoch value ‘1676135760’, needs to be decoded into a human-readable date, which is presented below.

This figure represents the time at which the OS was installed.

Figure 9 Epoch Converted — OS Installation Time.

3.2.3 Names and Accounts

Figure 10 Account Ownership.

‘Figure 10’ shows us the name of the computer: ‘DJK124’. Further information in ‘fig 11’ shows that Administrator, Guest, HomeGroupUser and DJK are the account holders and system users. Available to view in “SYSTEM”.

Figure 11 User Accounts — Registry.
Figure 12: 11b SQLite Viewer — Registry Last login time

The last login times consist of the following:

· PDJ ‘Suspect’ main email account — 17th February

· P ‘Suspect’ — 17th February.

3. What time zone was your computer set to?

Figure 13 Registry Time zone on represented on the analysed machine.

The USBs that have had access to the system are shown below. Available in: “SOFTWARE/Microsoft/Windows Portable Devices/Devices” & “/USBSTOR”.

Figure 14 Registry view of all USBs accessed on system.

This representation aims to demonstrate the absence of external USBs, which could potentially harbour malware. An antivirus scan has been conducted on the partition to affirm the security of the Digital Forensic Investigation (DFI), mitigating the suspect’s ability to deflect blame. However, because another anti-virus platform detects suspicious files, it may be hard to argue in court whether the suspect was really hacked and whether the malware discovered with Malwarebytes was active. Moreover, I have scrutinised and reviewed bookmarks, creating key bookmarks, examined cookies, and employed a keyword search for a thorough investigation.

‘Figure 15’ represents the Wi-Fi networks accessed via the computer system.

Figure 15 Wi-Fi networks accessed via computer system.

This image represents findings in Registry Explorer, detailing the IPs that accessed the device.

Figure 16 Programs installed on the system.

Installed programs can be viewed, together with their uninstall information, in the “SOFTWARE” hive.

1. Recent activity

Featured in ‘fig 17’ is the recent activity of the suspect, who accessed specific files, programmes, downloads and sites.

Figure 17 Recent documents and activities

Recently accessed applications, PDFs, files and sites have been detailed in this part of the registry under ‘recent documents’.

Figure 18 Last log on information, available to view in “SAM/Domains/Account/Users/Names”.

Dashcam Make/Model:

18A
18B

This image represents the model of Nextbase DVR Camera.

18C

Suspect vehicle stationary; this is suspicious, as it could indicate tampering with the device.

Emails:

Figure represents Dinny-Rben Communications

Figure 19 Dinny queries

Figure represents Dinny-Pedrov Communications

Figure 20 Alternative procurement of interaction, instead of emails.

Query about time, location, date, price

Figure 21 Victim direct communications with Suspect — Apparent Drugs

Victim confirms he is not a student:

Figure 22 Further Victim-Suspect Interaction

Ready to sell more:

Figure 23 Further Victim — Suspect communication

Victim asking the suspect how to get to him; the victim also expressed an ongoing interest in continuing their business.

Figure 24
Figure 25 Proof of communication between both parties
Figure 26 Account details, communication regarding illegal contraband, pick up detail.

Furthermore, the victim asks the suspect to pay him straight away after the drop, and provides a sort code and account number within the same email.

Figure 27 Inquiring about a specific occupation while discussing student status.

Account to Account Transfer:

Figure 28 Suspicious supplier details
Figure 29 Specific drop information
Figure 30 The suspect represents methods of self-identification.

Victim asking for his cut of the job; also asking the class of the drug.

S.T (Victim) and PDJ (Suspect) E-mail communications:

Figure 31

PDJ, 3 bags; price per bag:

Figure 32 Suspect Response

Victim’s response:

Figure 33 Victim scared response
Figure 34

2 year sentence

Figure 35 Suspect mentions Petrov-ski
Figure 36 Drop times specified
Figure 37 Drop recommendation
Figure 38 Drop time, suspect warning of individual
Figure 39 Metadata of above
Figure 40 Victim prefers confidentiality.

Markings:

Figure 41 The figure above represents drop locations for the suspect’s team selling contraband.
Figure 42 Further suspicious markings

Metadata:

Retrieved from the ‘sent’ folder of emails, the information suggests potential details concerning the locations where illicit contraband is being offered for resale.

Figure 43 Suspicious markings, metadata confirmed relating to 3 drops of ‘jelly beans’ — ‘3Drops16–2–23.PNG’
Figure 44 Numbered google map suspicious markings

Metadata:

Figure 45 Metadata verification substantiates the presence of dubious numerical markings as a designated drop location.
Figure 46 Metadata verification establishes the association of similar numerical markings with specific points of interest.

GPXsee:

Start of route:

Figure 47

Near end:

Figure 48

Destination:

Figure 49
Figure 50

This is where the suspect allegedly ends up, at around 08:36am, at the WMG AC.

Journey:

Figure 51 Entire path

3.3 Documents

Accessed:

2023–02–17 14:28:11 GMT

PC.E01/vol_vol3/Users/PDJ/Downloads

This encryption-related file was accessed by DJK on the 17th, a month before the arrest, to learn how to encrypt drives.

Drop Locations:

3.4 Interview and examination

N/A

3.5 Research

I came across a few issues when trying to crack an encrypted file; I did not go in with the mindset that it would crack for sure. Instead, I took it as an opportunity to test my knowledge and skill set with tools such as ‘Hashcat’ and ‘JohnTheRipper’ (Deswal, 2023) for PDF cracking, referred to in ‘Appendix 1’ under ‘1A’.

4 My opinion

At interview we can recall statements made by the suspect. A lot of these statements can be proven to be false. There is direct evidence of the victim communicating with the suspect via emails, which is considered inculpatory evidence in ‘figure 40’. Furthermore, (2) is proven false, as evidence shows the victim asking where he can meet the suspect to get his ‘cut’ in ‘figure 30’. As there is an evidential two-hour gap, we can argue that the suspect may have been in Leicester (3), although, with the lies presented in the previous two statements, it seems unlikely. Therefore, when looking at this evidence we can conclude that (4) there is a connection between the victim and the suspect.

When analysing the DFI, I noticed there were several e-mail conversations with drug-like content. However, this falls back on the concept that they were communicating to sell items not disclosed openly; hence, pinpointing the nature of the dealings seems daunting. Whilst the victim queries the suspect about the ‘class?’, suggesting a possible classification for the market value of a drug, this information remains ambiguous. There is also further information regarding drop times and locations given throughout (4) section 3.2 ‘emails’. However, even with this information, it is difficult to establish whether the conversations directly concern narcotics supply. Rather than dismissing all of the evidence, we can consider the pictures, documents and markings found in the Google Maps images associated with the user DJK. So, while the majority of the evidence is circumstantial, it can be deemed inculpatory.

In summary, upon closer examination, a digital dispute arises between the two parties: the victim and the suspect. The victim explicitly states his preference for receiving the money, ‘his cut’, digitally for each job/drop, and does not want to meet. This is evident in the conversation within ‘Fig 26’. Perhaps an insight can be taken from analysing this as a financial issue sparking disagreement over payment methods. Furthermore, according to some evidence in ‘global-messages-db-sqlite’ or the ‘PaulD/PDJ’ sent emails, the victim seemed to ‘owe’ the suspect money from one drop, which could have triggered an assault or argument according to circumstantial evidence in ‘fig 25’.

[2885 Words]

Statement of conflicts

I confirm that I have no conflict of interest of any kind, other than any which I have already set out in this report. I do not consider that any interest which I have disclosed affects my suitability to give expert evidence on any issue on which I have given evidence and I will advise the party by whom I am instructed if, between the date of this report and the trial, there is any change in circumstances which affects this statement.

Statement of compliance

I understand my duty as an expert witness to the court to provide independent assistance by way of objective unbiased opinion in relation to matters within my expertise. I have complied with that duty and will continue to comply with it. I will inform all parties and where appropriate the court in the event that my opinion changes on any material issues. I further understand that my duty to the court overrides any obligation to the party from whom I received instructions. Parts 33.2 (1), (2) and (3) and 33.4(j) Criminal Procedure Rules

Declaration of Truth

This statement consisting of 52 pages, is true to the best of my knowledge and belief and I make it knowing that, if it is tendered in evidence, I shall be liable to prosecution if I have willfully stated in it anything which I know to be false or do not believe to be true.

Signature[1]………………………………………………… Date………………………………………..………………….

All reports must be signed and dated, and the Statement/Declaration of Truth must be verified by a signature/date. Therefore, you are advised to include your Statement/Declaration of Truth as your final item in the report, and to follow it with your signature and the date.

[1] Do not provide your real signature or name — in order to remain compliant with the anonymous marking scheme.

Appendix 1

I started my assessment by understanding the details of the assault case, including information such as location, date, time and the suspects or third parties involved. I identified the different points listed by my senior officer and looked for specific information to retrieve from the two E01 files given for analysis. Furthermore, I took measures to ensure the successful backup and secure storage of the evidence, aiming to prevent any breach of ACPO Principle 4; this responsibility was integral, as I was accountable for ensuring effective adherence to all of the principles. To prevent the E01 from being directly tampered with, it is vital to identify and secure the digital crime scene. Thirdly, I complied with data preservation procedures, emphasising the necessity of maintaining data on an external storage device such as a USB or SD card. Moreover, employing Exiftool, I extracted files including text messages, images and location data, acquiring specific coordinates that were then mapped in GPXsee. Intervals were systematically collected and stored to understand the temporal and speed aspects of the vehicle. Next, a timeline was reconstructed relating circumstantial events to the crime and the statements made by the suspect.
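The dashcam timeline in section 3.2.1 (road-by-road times and km/h figures) and the interval collection described in this appendix both start from the GPX that the Exiftool command in section 2.1 writes. The following is an added example, not the report’s own tooling: it parses such a GPX, computes per-interval distance and speed with the haversine formula, and merges halts into stationary periods of the kind flagged at ‘18C’. The embedded track is constructed with arbitrary coordinates and times, not data from the case.

```python
"""Rebuild a vehicle timeline from the GPX track that `exiftool -p gpx.fmt -ee *.MOV`
writes for dashcam clips: per-interval distance and speed, plus stationary periods."""
import math
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample track (not case data); mimics exiftool's gpx.fmt output
# (GPX 1.0 namespace, UTC timestamps, one <trkpt> per embedded GPS fix).
SAMPLE_GPX = """<?xml version="1.0" encoding="utf-8"?>
<gpx version="1.0" xmlns="http://www.topografix.com/GPX/1/0">
<trk><trkseg>
<trkpt lat="52.4500" lon="-1.9300"><time>2023-03-07T07:42:00Z</time></trkpt>
<trkpt lat="52.4590" lon="-1.9300"><time>2023-03-07T07:43:00Z</time></trkpt>
<trkpt lat="52.4590" lon="-1.9300"><time>2023-03-07T07:43:30Z</time></trkpt>
<trkpt lat="52.4590" lon="-1.9300"><time>2023-03-07T07:44:00Z</time></trkpt>
<trkpt lat="52.4635" lon="-1.9300"><time>2023-03-07T07:44:30Z</time></trkpt>
</trkseg></trk>
</gpx>
"""

EARTH_RADIUS_KM = 6371.0


def parse_gpx(text):
    """Return [(utc_datetime, lat, lon), ...] in file order, whatever GPX namespace is used."""
    root = ET.fromstring(text)
    points = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "trkpt":
            continue
        time_el = next((c for c in el if c.tag.rsplit("}", 1)[-1] == "time"), None)
        if time_el is None or not time_el.text:
            continue  # a fix without a timestamp cannot be placed on the timeline
        when = datetime.strptime(time_el.text.strip(), "%Y-%m-%dT%H:%M:%SZ")
        points.append((when.replace(tzinfo=timezone.utc), float(el.get("lat")), float(el.get("lon"))))
    return points


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def build_timeline(points, stationary_kmh=2.0):
    """One record per consecutive pair of fixes: elapsed seconds, distance, speed, stationary flag.
    Fixes are sorted by time first so clips concatenated out of order do not give negative intervals."""
    pts = sorted(points, key=lambda p: p[0])
    segments = []
    for (t0, la0, lo0), (t1, la1, lo1) in zip(pts, pts[1:]):
        secs = (t1 - t0).total_seconds()
        km = haversine_km(la0, lo0, la1, lo1)
        kmh = km / (secs / 3600.0) if secs > 0 else 0.0
        segments.append({"start": t0, "end": t1, "seconds": secs, "km": round(km, 4),
                         "kmh": round(kmh, 1), "stationary": kmh < stationary_kmh})
    return segments


def stationary_periods(segments):
    """Merge runs of stationary intervals into (start, end, seconds), so a halt can be
    checked against the footage rather than dismissed as a single short gap."""
    periods = []
    for seg in segments:
        if not seg["stationary"]:
            continue
        if periods and periods[-1][1] == seg["start"]:
            start = periods[-1][0]
            periods[-1] = (start, seg["end"], (seg["end"] - start).total_seconds())
        else:
            periods.append((seg["start"], seg["end"], seg["seconds"]))
    return periods


def max_speed_kmh(segments):
    return max((s["kmh"] for s in segments), default=0.0)


if __name__ == "__main__":
    timeline = build_timeline(parse_gpx(SAMPLE_GPX))
    for s in timeline:
        flag = "  [stationary]" if s["stationary"] else ""
        print(f"{s['start']:%H:%M:%S} -> {s['end']:%H:%M:%S}  {s['km']:.3f} km  {s['kmh']:5.1f} km/h{flag}")
    for start, end, secs in stationary_periods(timeline):
        print(f"Stationary {start:%H:%M:%S}-{end:%H:%M:%S} ({secs:.0f} s)")
```

The per-interval speeds are what the Excel intervals in section 2.1 hold; the threshold of 2 km/h absorbs GPS jitter while the car is parked.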

1A

Cracking of files such as ‘19622-eutlfile.foxitdata1’ and ‘19624-tsfile.foxitdata1’ against 4 different password files found within the DFI image. The hashes discovered for the two files were:

And:

Appendix 2

Include any relevant appendices here

Who is Dinny?

A keen learner with an interest in learning encryption, to use it for good or bad purposes.

This was considered as investigating encrypted data: as stated in ‘figure 20’ within ‘emails’, Dinny was interested in keeping communications secure, and perhaps even in encrypting a ‘hard disk’.

Concise Timeline:

Glossary: Technical terms

Forensic Image: A digital snapshot or replica of data on a device; vital for digital forensic analysis.

Forensic Hash: A unique alphanumeric code generated from digital data, often used for integrity verification. Consider it a unique fingerprint.

Metadata: Information providing details about other data, such as the creation date and author, embedded within digital files of all computers including mobile devices.

Anti-virus: Software designed to detect, prevent, isolate and remove malicious software attempting to penetrate computer systems.

Partition: A logically separated section of a computer’s storage space, heavily used in digital forensics to analyse files closely via FTK Imager etc.

Inculpatory: Evidence that suggests or implies guilt in a legal context.

Exculpatory: Evidence that tends to clear, justify, or excuse someone from alleged fault or guilt.

Circumstantial Evidence: Indirect evidence that implies a fact or event but does not directly prove it.

Corroborating/In coordination/ correlation: Terms to show relevance to point.

2B

Suspect’s partner D — Rben e-mail suspicious communications:

2C
2D
2E — Encrypted documents

Malware:

[{000214A0–0000–0000-C000–000000000046

Red beans can be identified as a variant of MDMA.

Metadata :

4A Metadata
5A Vincent Drive
Indirect reference to University students as ‘kids begged’.

Metadata :

References (Harvard Style)

Deswal, M., 2023. John the Ripper: A Comprehensive Guide to Password Cracking. [Online]
Available at: https://medium.com/@mohitdeswal_35470/john-the-ripper-a-comprehensive-guide-to-password-cracking-9335f44ed3f5
[Accessed 9 May n.d.].
