Last modified on 2 March 2011, at 16:26


Reporting is a key final phase to any investigation. A skilled investigator aims to balance the technical facts against their own analysis, whilst presenting it in layman terms. Writing a good report is often a skill hard won by forensic analysts because communicating complicated ideas in simple language is not always easy.

Report contentEdit

How your report findings depends a lot of who will be reading it. For the most part it is easiest to assume the person reading any report has no technical knowledge at all, and pitch it to them.

A common forensic report might include:

  • Summary of findings
  • Description of the analysis undertaken
  • Explanation of terms such as "unallocated space" and "peer 2 peer" (an extended glossary)

Producing evidenceEdit

Alongside any report it is often required to produce the original evidence. Within a legal setting there is a pre-requisite called the "Best Evidence" rule, which asks for the original copies of evidence. Obviously, with digital evidence this raises the question of "what is the original copy". Viewing the original disk risks modifying the evidence (as discussed in previous chapters) and often deleted evidence cannot be presented in original form.

For practical purposes courts generally accept a CD/DVD (i.e. write-once media) containing copies of the evidence.

Introduction to Digital Forensics