Analysis Documenting

Analysis documentation is done in parallel with the analysis itself: each step is recorded precisely and in detail at the time it is taken, not reconstructed afterwards.

To document the analysis properly, examiners should:

- Take notes when consulting with the case investigator and/or prosecutor.
- Keep the initial request for assistance with the case file.
- Keep a copy of the chain-of-custody documentation.
- Take notes detailed enough that another examiner could repeat every action exactly.
- Record in the notes the date, time, description and result of each action taken.
- Document any irregularities encountered.
- Include additional original information about the system under investigation (list of users, network topology, hardware type…).
- Document every change made to the device or system.
- Document the operating system and the versions of installed applications.
- Document additional information obtained at the scene and from remote backup locations.
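As an added example (not part of the original page), the following Python script shows one way to keep contemporaneous notes that satisfy the points above: every entry carries a UTC timestamp, the action, its result, any irregularity or change made, and a SHA-256 of the evidence it touched, and the entries are hash-chained so that later alteration of the notes is detectable. The case identifier, examiner name, tool names and the sample image bytes are all constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (used for evidence and for log entries)."""
    return hashlib.sha256(data).hexdigest()


class ExamLog:
    """Append-only, hash-chained examination log for one case."""

    def __init__(self, case_id: str, examiner: str):
        self.case_id = case_id
        self.examiner = examiner
        self.entries: list[dict] = []

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        # Hash the canonical JSON of every field except the hash itself.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return sha256_hex(canonical.encode("utf-8"))

    def record(self, action: str, result: str, evidence: Optional[bytes] = None,
               tool: Optional[str] = None, changes_made: str = "none",
               irregularity: Optional[str] = None,
               when: Optional[datetime] = None) -> dict:
        """Append one note. 'when' defaults to now (UTC); pass it only for replay."""
        ts = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
        entry = {
            "seq": len(self.entries) + 1,
            "timestamp_utc": ts,
            "case_id": self.case_id,
            "examiner": self.examiner,
            "action": action,               # what was done, precisely enough to repeat
            "tool": tool,                   # tool and parameters used, if any
            "result": result,               # what was observed
            "changes_made": changes_made,   # any change to the device or system
            "irregularity": irregularity,   # anything unexpected
            "evidence_sha256": sha256_hex(evidence) if evidence is not None else None,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True if sequence numbers, chain links and per-entry hashes are all intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e["seq"] != i or e["prev_hash"] != prev:
                return False
            if self._entry_hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def to_jsonl(self) -> str:
        """One JSON object per line, suitable for attaching to the report."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


# Constructed sample standing in for a disk image; not real evidence.
SAMPLE_IMAGE = b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 64


def demo() -> ExamLog:
    """Three notes from a hypothetical examination, in the order they happened."""
    log = ExamLog(case_id="CASE-0001", examiner="J. Examiner")  # placeholders
    log.record("Received drive from case investigator; checked evidence bag seal",
               result="seal intact; chain-of-custody form countersigned")
    log.record("Imaged drive through hardware write blocker",
               tool="dd (parameters hypothetical)", evidence=SAMPLE_IMAGE,
               result="image complete; hash recorded")
    log.record("Re-hashed image after keyword search", evidence=SAMPLE_IMAGE,
               result="hash matches acquisition hash",
               irregularity="search tool reported one unreadable sector")
    return log


if __name__ == "__main__":
    log = demo()
    print(log.to_jsonl())
    print("chain intact:", log.verify())
```

The chaining does not replace a signed or externally timestamped copy of the notes; it only makes an edit to any earlier entry visible to whoever re-runs `verify()`, which is enough for the examiner to show that the notes attached to the report are the ones written during the examination.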

After the analysis is complete, a report is written and submitted in the proper form to the relevant authorities. Using a uniform report format makes the report easier to read and to compare across cases.

The report should contain:

- Identity of the reporting agency
- Case identifier or submission number
- Case investigator
- Identity of the submitter
- Date of receipt
- Date of report
- Descriptive list of items submitted for examination, including serial number, make, and model
- Identity and signature of the examiner
- Brief description of steps taken during examination
- Results/conclusions

It is useful to attach to this form a more detailed findings report containing:

- Specific files related to the investigation
- Deleted files recovered during the investigation
- Keyword searches
- Internet-related evidence (logs, e-mail…)
- Image analysis
- Description of techniques used to hide potential evidence (hidden partitions, steganography, encryption, even file name anomalies)

This report should be supported by a digital copy of the evidence (a forensic image whose hash was recorded at acquisition and verified again before the report is issued), its chain-of-custody documentation, and printouts of the specific evidence found.