Computer Forensics | Beginner Guide To Computer Forensics Reports

Forensic Reports | System and Cyber Security

Mausam Singh

4 min readNov 27, 2020

Forensics reports are only state findings.

If they draw conclusions, than they are expert testimony.

Expert Report

A report that offers as opinion is an expert report.
Writer of the report needs to qualify as an expert.
An expert report used in court has additional requirements.
Expert’s expertise and trustworthiness are on trial, too.

✅ Fundamental Decision: Daubert

Juries decides on “matters of fact”, not on “matters of law”
What is placed before a jury is tightly regulated

👉 Rules of Evidence.

👉 Most testimony is limited to relaying sensory experiences, interpreted by the jury according to common sense.

👉 Experts provide insight that common sense does not offer.

An expert offers an opinion by applying the expert’s specific knowledge to the specific circumstances of the case.
An export can also testify to general scientific or technical principles and leave their application to the jury.
engineers’ opinions on whether a product’s poor design renders it needlessly unsafe;
accountants’ opinions on whether someone has followed prudent accounting practices;
physicians’ opinions on whether some particular bodily insult was the cause of someone’s medical condition;
economists’ opinions on whether a firm possesses monopoly power; statisticians’ opinions on whether a firm’s employment decisions correlate closely with race or gender;
forensic opinions on matches between samples of DNA, blood, hair, etc.;
appraisers’ estimates of the value of specific property.
Expert testimony potentially misleading.

✅ Frye test (1929):

👉 scientific evidence is admissible only if the principles on which it is based have gained “general acceptance” in the scientific community.

✅ Federal Rules of Evidence (1973):

👉 If scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience, training, or education, may testify thereto in the form of an opinion or otherwise.

👉 Does not mention general acceptance.

✅ Daubert (1993):

👉 Rule 702 does not supplant Frye

👉 No definite checklist or test

👉 Pertinent factors:

➡️ whether the theories and techniques employed by the scientific expert have been tested;
➡️ whether they have been subjected to peer review and publication;
➡️ whether the techniques employed by the expert have a known error rate;
➡️ whether they are subject to standards governing their application;
➡️ whether the theories and techniques employed by the expert enjoy widespread acceptance

Testifying as a Forensic Expert

Title helps.
Experience helps.
Reputation is essential.

🚏 Never get caught lying.
🚏 If you inhale, admit it, or refuse to tell.

Forensic Reports

Used for legal proceedings and for incidence response.
Findings.

➖ Why was the evidence reviewed?
➖ How was the evidence reviewed?
➖ How did the forensic examiner arrive at conclusions?

Conclusions are

✌️ Clearly explained.

✌️ Supported.

✌️ Possibly lead to recommendations.

Accurately describe the details of an incident.
Be understandable to decision makers.
Be able to withstand legal scrutiny.
Be unambiguous and not open to misinterpretation.
Be easily referenced (Bates numbering)
Contains all information required to explain the conclusions
Offer valid conclusions, opinions, or recommendations when needed.
Be created in a timely manner.

Document investigative steps immediately and clearly.

— ▶️ Written notes during an investigation might be discoverable.
— ▶️ Notes need to be clear.
— ▶️ Missteps in the investigation need to be documented.