
Digital Forensics Report

This document discusses forensic reports and contemporaneous notes. It describes the purpose and key sections of forensic reports, including expert legal reports. Expert legal reports generally include the expert's qualifications, materials relied on, facts and instructions, examination methods, conclusions, and understanding of duties. The document also provides examples of report remits and intended outcomes for internal and external reports. It outlines typical sections for an investigator's report, such as instructions, progress of investigations, materials considered, authority to examine, investigations and tests, and initial findings. Contemporaneous notes are discussed as important to support findings in a report.

Uploaded by

Mohammad AL Abed

M812A: DIGITAL FORENSICS - A
Session 4: Forensic reports and contemporaneous notes
LEARNING OUTCOMES
 After studying this week, you will be able to:
 describe the purpose of various types of report, in particular forensic reports
 explain the purpose of the key sections of a report
 explain the purpose and role of contemporaneous notes in a forensic
investigation
 write an investigative report supported by contemporaneous notes.
1 REPORT WRITING

 Is there a statement of the general aims of the investigation?


 Is there a statement of the broader context that prompts the investigation?
 Who is formally commissioning the investigation? Is this the same person or
entity to whom reports will be made?
 What sort of outcomes can one reasonably expect?
 Are there specific elements or features which the investigation must cover
and which any report must contain?
 What sort of audience will be reading the final report and what can we
anticipate about their expectations and levels of knowledge?
 At the close of an investigation, the answers to these questions have to be
reflected in a report. Some organizations prefer very formal standard formats,
others allow report writers to tailor the shape to particular requirements.
1.2 CONTENTS OF AN EXPERT REPORT

 Here we will look at one type of report, which is written for lawyers or the
courts. In a legal proceeding, either side may employ experts to investigate
and analyze evidence,
1.2 CONTENTS OF AN EXPERT REPORT
Expert legal reports generally must:
1. give details of the expert’s qualifications
2. give details of any literature or other material that the expert has relied on in making the
report
3. contain a statement setting out the substance of all facts and instructions which are
material to the opinions expressed in the report or on which those opinions are based
4. make clear which of the facts stated in the report are within the expert’s own knowledge
5. say who carried out any examination, measurement, test or experiment which the expert
has used for the report, give the qualifications of that person, and say whether or not the
test or experiment has been carried out under the expert’s supervision
6. where there is a range of opinion on the matters dealt with in the report:
   • summarise the range of opinions
   • give reasons for the expert’s own opinion
1.2 CONTENTS OF AN EXPERT REPORT
Expert legal reports generally must:
7. contain a summary of the conclusions reached
8. if the expert is not able to give an opinion without qualification, state the qualification
9. contain a statement that the expert:
   • understands his/her duty to the court, and has complied with that duty
   • is aware of the requirements of Part 35, this practice direction and the Protocol for Instruction of Experts to give Evidence in Civil Claims.

 Let’s now consider some typical examples of remit and intended outcomes where the initial
report is intended for internal use.
1.2 CONTENTS OF AN EXPERT REPORT
 Example one:
An untoward event has occurred with a computer system leading to downtime and loss of
confidence in its reliability and resilience. There may have been some loss of confidential
information. News of the event may have become public. There are no suspects or
indications that there are identifiable individuals who might be responsible.

 The investigator should find out what happened; identify areas of failure; produce
recommendations for remedy
1.2 CONTENTS OF AN EXPERT REPORT
 Example two:
An untoward event has occurred and there are suspects who might be identified and who
might be employees or associates.

 The investigator should find out what happened; identify areas of failure; produce
recommendations for remedy on technical and procedural matters; see how far the
perpetrators can be identified; collect reliable evidence; provide provisional assessment
of how far the evidence might assist disciplinary proceedings and/or reporting to the
police.
1.2 CONTENTS OF AN EXPERT REPORT
 Example three:
An untoward event has occurred and there are suspects who might be identified but who
are not employees or associates.

 The investigator should find out what happened; identify areas of failure; produce
recommendations for remedy on technical and procedural matters; see how far
perpetrators can be identified; collect reliable evidence; provide provisional assessment
of how far the evidence might point to possible successful prosecution; assess the
arguments for reporting to the police or other authorities.
1.2 CONTENTS OF AN EXPERT REPORT
 Example four:
There are suspicions against certain individuals who are thought to be in breach of their
employment obligations and/or perhaps breaking the criminal law.

 The investigator should design a means of testing suspicions; assess these means against
the criteria of necessity and proportionality and seek approval to go ahead with selected
courses; conduct investigation; collect reliable evidence; analyse and assess acquired
evidence; provide provisional recommendations based on findings.
THE AUDIENCE
Internal reports frequently have multiple audiences, for example:

1. the board – which will simply want to know that the report that was commissioned
actually exists, and has produced some outcomes
2. the CEO – who may want to know no more than the board but may want to be involved in
discussions about future policy and the work of individuals
3. the line manager – who will want some amount of detail so that he/she can produce
specific remedies and take specific actions
4. security staff – who will be expected to implement detailed remedies
5. human resources – which, in the case of disciplinary proceedings, will want to know
precisely what happened and be given access to strong supporting evidence
THE AUDIENCE
Internal reports frequently have multiple audiences, for example:

6. legal advisers – who, in the case of civil legal proceedings and possible criminal
proceedings, will want to know precisely what happened and be given access to strong
supporting evidence
7. insurers – who will want to know precisely what happened, be given access to supporting
evidence and be told about proposed internal remedies to prevent recurrence
8. law enforcement and regulatory agencies – which will want to know precisely what
happened and be given access to strong supporting evidence
9. public relations advisers – who will want some detail and to be assured that it is accurate,
so that they can devise a media strategy.
CONTENTS OF AN INVESTIGATOR’S REPORT

Executive summary: This is intended for board members, CEOs, etc.

Contents list: The purpose is to enable readers to locate material specific to their interests quickly.

Identification of report writer: This will need to include qualifications and indications of relevant experience, but can be in outline. A detailed CV can go into an appendix.

Instructions/background information: These can be two separate items but in some circumstances it may work better to combine them. Where instructions have been formally set out, the document(s) should be provided or summarised. The instructions should anticipate what outcomes the commissioner hopes for. If restrictions have been placed on the investigator’s activities – in terms of access, time to completion, budget – this is a good place to mention them.
CONTENTS OF AN INVESTIGATOR’S REPORT

Progress of investigations: Where an investigation is prolonged or changes tack during its course, a narrative section and chronology may be helpful.

Material considered: This may include:
• any briefings about the problems received
• general information about the ‘victim’ organisation
• internal documents governing procedures, policies, descriptions of relevant systems
• specific computers
• specific log files
• external reference material.
It is usually prudent for an investigator to say that he/she has been reliant on those instructing and the powers they have given him/her in gathering material for consideration; that there may be other factors of which he/she is not aware but which may have a bearing.
CONTENTS OF AN INVESTIGATOR’S REPORT

Authority to examine computers/networks: Where a computer is examined: the basis for showing that an offence under Section 1 of the Computer Misuse Act 1990 is unlikely and that decisions about the regular user’s rights have been made on the basis of necessity and proportionality. Where network traffic is examined: that surveillance has been within the scope of the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. Situations where material has been supplied under court order, disclosure, or other legal means.

Investigations, tests: This section is purely factual; the level of detail and explanation provided is a matter of judging the audience, the use to which the report will be put and the extent to which it is reasonable to anticipate that there may be a challenge. Where the tests are entirely standard in nature, it is sometimes sensible to put details of procedures into an appendix as opposed to the main text.
CONTENTS OF AN INVESTIGATOR’S REPORT

Initial findings based on tests: This section should be purely factual. Analysis should be left to another section, where it can be clearly labelled.

Commentary and analysis, including opinions: Any range of opinion should be indicated, together with reasons for the conclusions actually reached. Where appropriate, probabilities rather than definite conclusions should be provided.

Exhibits produced: Where a report is likely to require further action, the exhibits are the evidence that the report writer will need to sustain his/her own conclusions but, depending on circumstances, may be required by others to pursue disciplinary and/or legal proceedings. Exhibits need to be clearly and uniquely identified. The source and provenance of exhibits also need to be clearly stated; for example, in computer files: which computer and the full path name of the file (or its absolute sector location if it is a fragment of a file). This precision saves readers a great deal of time and also removes any potential for ambiguity as to what is being shown.
CONTENTS OF AN INVESTIGATOR’S REPORT

Findings: This is a summary of factual findings plus the analysis.

Recommendations: Where requested: suggestions about future action to those who commissioned the report.

Appendices: These will include details which if included in the main body of a report would inhibit the main narrative. Examples include the full CV of the investigator and anyone else employed; details of technical procedures; extended explanations of certain concepts, for example: how email works, the internet cache, etc.

Glossary of terms: A list of technical terms that may assist readers.


2 CONTEMPORANEOUS NOTES

• Notes taken at the time of an event, as opposed to recollection written afterwards (witness statement).
• May be informal, but must be accurate.
• Must be detailed enough to allow another person to reproduce what was done (in case of collection or analysis of event).
• One key fact for contemporaneous note-taking is that you write down what you have just done (or observed), not what you are planning to do.
• It is almost inevitable that someone with an interest in the investigation will want to criticize it, for example saying it’s too long, too expensive, not thorough enough, it’s over-detailed because the investigator wants to justify his/her fee, the investigation didn’t take the right course, important areas were omitted, other areas were tackled far too late in the course of the investigation, original evidence was contaminated, etc.
2 CONTEMPORANEOUS NOTES

• The role of the investigator’s record is to show what was done, when and why. It should start with the remit and cover every activity within the investigation, including phone calls and informal discussions.
• The record needs to be complete and must be in a format incapable of post-event editing. Police officers are allowed to alter what they have written in their notebooks but only by adding a note of correction; the original record must still be visible.
• It is possible to have an electronic version of the police officer’s notebook and to design it in such a way that alterations always remain visible. A regular word-processing package would be inadequate as it can be edited without leaving a trace. There are several packages that can record notes in such a way that they cannot be altered. This is usually done by recording a hash of each entry with a time stamp, so if the entry is edited the hash becomes invalid.
2 CONTEMPORANEOUS NOTES

In a digital forensic investigation, the notes must have enough detail to allow
another person to reproduce completely whatever has been done.

 For any software tools being used, it is crucial that details of the operating
system and software version numbers are recorded as both of these change
frequently.
 If someone needs to reproduce a test they need to be able to reproduce the
environment the test was carried out in. This may involve rolling back
operating system updates and finding older versions of tools if there has been
a large gap between the original notes being taken and the attempt to
reproduce the test.
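
The hash-and-time-stamp notebook and the recording of operating system and tool versions described above, sketched as an added example; it is not part of the course material and not the code of any of the note-taking packages the slides allude to. The names `NoteLog`, `entry_digest` and the sample tool `example-imager` are hypothetical, and linking each entry to the hash of the previous one goes a step beyond the per-entry hash the slides describe.

```python
import hashlib
import json
import platform
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" used by the first entry in a log


def entry_digest(body):
    """SHA-256 over a canonical JSON encoding of everything except the hash."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class NoteLog:
    """Append-only contemporaneous notes (hypothetical helper for this example)."""

    def __init__(self, case_id, author):
        self.case_id = case_id
        self.author = author
        self.entries = []

    def add(self, text, tools=None, corrects=None):
        """Record what was just done; a correction is a new entry, never an edit."""
        if corrects is not None and not 0 <= corrects < len(self.entries):
            raise ValueError("a correction must point at an existing entry")
        body = {
            "seq": len(self.entries),
            "case_id": self.case_id,
            "author": self.author,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "text": text,
            "corrects": corrects,
            # Environment details needed to reproduce the step later.
            "os": platform.platform(),
            "python": platform.python_version(),
            "tools": dict(tools or {}),
            # Assumption of this example: chain each entry to the one before it.
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(body, hash=entry_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the sequence numbers of entries that fail verification."""
        bad, prev = [], GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (body.get("seq") != i or body.get("prev_hash") != prev
                    or entry_digest(body) != entry.get("hash")):
                bad.append(i)
            prev = entry.get("hash")
        return bad


if __name__ == "__main__":
    # Constructed sample case; the tool name and version are placeholders.
    log = NoteLog("CASE-0001", "A. Examiner")
    log.add("Connected exhibit to write blocker; imaged to evidence drive",
            tools={"example-imager": "1.2.3"})
    log.add("Image hash compared with source hash: match")
    log.add("Entry 0 should read 'exhibit USB-01'", corrects=0)
    print("intact log:", log.verify())          # []

    # A silent edit of an earlier entry invalidates that entry's hash.
    log.entries[1]["text"] = "Image hash compared with source hash: mismatch"
    print("after silent edit:", log.verify())   # [1]
```

A chain held in a single file can still be rebuilt end to end by whoever controls that file, so the most recent hash should also be recorded somewhere outside it.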
2 CONTEMPORANEOUS NOTES

Who?

• Who were victims, witnesses, and suspects
• Provide full description of suspect and vehicles
• Age, height, weight, skin color, hair color/style, voice, tattoos, and clothing
• Obtain as much information as possible for victims/suspects including place of employment
• Make, model, style, and color of vehicle if possible


2 CONTEMPORANEOUS NOTES

What?

 What type of crime occurred

 What damage or injury was caused

 What happened

 What was said

 What evidence was found


2 CONTEMPORANEOUS NOTES

Where?

 Where did crime occur

 Where was evidence found

 Where do victims, witnesses, and suspects live


2 CONTEMPORANEOUS NOTES

When?

• When did crime occur
• If exact date/time not known, develop time range
• When were the Police called
• When did the Police arrive
• When were suspects arrested


2 CONTEMPORANEOUS NOTES

Why?

 Why was crime committed at this location

 Why was crime committed at this time

 Was there motive or intent

 Was a specific person or piece of property targeted?


2 CONTEMPORANEOUS NOTES

How?

 How was crime discovered

 How did the crime occur

 How was evidence found


WHERE TO RECORD NOTES
 Opinions vary about whether it is better to use a loose-leaf notebook or
separate spiral-bound notebooks for each case
 If you use a loose-leaf notebook, you can easily add paper for each case you
are working on as the need arises, and you can keep it well organized
 Most investigators favor the loose-leaf notebook because of its flexibility in
arranging notes for reports and for testifying in court
 However, use of a loose-leaf notebook opens the opportunity of challenge
from the defense attorney that the officer has fabricated the notes, adding or
deleting relevant pages
WHERE TO RECORD NOTES
 This can be countered by numbering each page, followed by the date and case
number, or by using a separate spiral notebook for each case
 Disadvantages of the latter approach are that the spiral notebook is often only
partially used and therefore expensive and may be bulky for storage
 If other notes are kept in the same notebook, they also will be subject to the
scrutiny of the defense
 A final disadvantage is that if you need a blank sheet of paper for some
reason, you should not take it from a spiral notebook because most of these
notebooks indicate on the cover how many pages they contain
HOW TO TAKE NOTES
• Note taking is an acquired skill. Time does not permit a verbatim transcript
• Learn to select key facts and record them in abbreviated form
• Do not include words such as “a”, “and” and “the” in your notes. Omit all other unnecessary words
• If you make an error, cross it out, make the correction and initial it. Do not erase. Whether intentional or accidental, erasures raise credibility questions
• Whenever possible, use standard abbreviations such as mph, DWI, Ave
• Do not, however, devise your own shorthand
HOW TO TAKE NOTES
 Using a digital recorder
a. Advantage of recording exactly what was stated with no danger of
misinterpreting, slanting or misquoting
b. Disadvantages of digital recording:
(1) The most serious is that they can malfunction and fail to record valuable
information
(2) Weak batteries or background noise can also distort the information
recorded
(3) In addition, transcribing recordings is time consuming, expensive and
subject to error
(4) The recordings themselves, not the transcription, are the original
CHARACTERISTICS OF EFFECTIVE NOTES

• Effective notes describe the scene and the events well enough to enable a prosecutor, judge or jury to visualize them
• Effective notes are complete, accurate, specific, factual, clear, arranged in chronological order and well organized
• The basic purpose of notes is to record the facts of a case, accurately and objectively
FILING NOTES

• If department policy is to keep the notes, place them in a location and under a filing system that makes them available months or even years later
• As long as the system is logical, the notes will be retrievable
• If they are retrievable, in any way, they are “discoverable”


ADMISSIBILITY OF NOTES IN COURT

• The use of notes in court is probably their most important legal application
• They can help discredit a suspect’s or a defense witness’s testimony; support evidence already given by a prosecution witness, strengthening that testimony; and defend against false allegations by the suspect or defense witnesses
• They must be legally retrievable and “discoverable” by both the prosecution and the defense
IDENTIFYING, FILING AND MAINTAINING
SECURITY OF EVIDENCE

1- Identifying

• In the field notes, the photographs taken should be dated and numbered sequentially
• Include the case number, type of offense and subject of the picture
• Record the photographer’s name, location and direction of the camera, lens type, approximate distance in feet to the subject, film and shutter speed, lighting, weather conditions and a brief description of the scene in the picture
• Backing: On the back of the photo, write your initials, the date the photo was taken, what the photo depicts and the direction of north


IDENTIFYING, FILING AND MAINTAINING
SECURITY OF EVIDENCE
2- Filing
 File the picture and negatives for easy reference

 Pictures in the case file are available to others


 Use a filing system just for photographs
 Always cross-reference by case number
 File digital images appropriately as evidence or within the department’s internal secured
hard drive
IDENTIFYING, FILING AND MAINTAINING
SECURITY OF EVIDENCE

3- Maintaining security

 Record the chain of custody of the film and photographs in the field notes or in a special file

 Mark and identify the film as it is removed from the camera

 Each time the film changes possession, record the name of the person accepting it
SUMMARY
 Investigative notes and reports are critical parts of a criminal investigation.
Notes are a permanent written record of the facts of a case to be used in
further investigation, in writing reports and in prosecuting the case. Start
taking notes as soon as possible after receiving a call to respond and continue
recording information as it is received throughout the investigation.
 Record all relevant information concerning the crime, the crime scene and the
investigation, including information that helps answer the questions Who?
What? Where? When? How? and Why? Effective notes are complete, factual,
accurate, specific, legible, clear, arranged in chronological order and well
organized. If notes are retained, file them in a secure location readily
accessible to investigators.
SUMMARY
 Photography, one of the first investigative techniques to be used at a crime
scene, helps establish that a crime was committed and helps trace the
occurrence of the crime. Photographs and video recordings reproduce the
crime scene in detail for presentation to the prosecution, defense, witnesses,
judge and jury in court and are used in investigating, prosecuting and police
training.
 Photography has become increasingly important in criminal investigation
because it can immediately preserve evidence, accurately represent the crime
scene and evidence, create interest and increase attention to testimony.
However, photographs also have disadvantages: they are not selective, do not
show actual distances and may be distorted and damaged by mechanical
errors in shooting or processing.
SUMMARY
 Videos are now well established as an investigative tool. Videos accurately
represent the crime scene and evidence, are able to show distance more
clearly than do photos, and have sound capability to more fully document
what is being seen. The disadvantages of videos, however, center around the
mistaken belief that no training in videotaping is necessary, which leads to
poor video quality and a diminished value in the video’s documentation of the
crime scene. At a minimum, have available and be skilled in operating a
Polaroid-type instant-print camera, a point-and-shoot camera, a digital single-
lens reflex (DSLR) camera, a fingerprint camera and video equipment.
SUMMARY
 Take photographs and video of the entire crime scene before anything is
disturbed, and avoid inaccuracies and distortions. First, photograph the
general area, then specific areas and finally specific objects of evidence. Take
exterior shots first because they are the most subject to alteration by weather
and security violations. Categories of investigative photography include crime
scene, surveillance, aerial, night, laboratory, mug shot and lineup.
 After photographs are taken, they must be properly identified, filed and kept
secure to be admissible as evidence. In addition, rules of evidence dictate that
photographs be material, relevant, competent, accurate, free of distortion.
SUMMARY
• In addition to photographs, crime scene sketches are often used. A crime scene sketch assists in (1) interviewing and interrogating people, (2) preparing the investigative report and (3) presenting the case in court.
• Sketch all serious crime and crash scenes after photographs are taken and before anything is moved.


SUMMARY
• Sketch the entire scene, the objects and the evidence. Materials needed for making the rough sketch include paper, pencil, long steel measuring tape, carpenter-type ruler, straightedge, clipboard, compass, protractor and thumbtacks. The steps involved in sketching include (1) observing and planning, (2) measuring distances and outlining the general area, (3) plotting objects and evidence within the outline, (4) taking notes and recording details, (5) identifying the sketch with a legend and a scale and (6) reassessing the sketch.
SUMMARY
• Plotting methods are used to locate objects and evidence on the sketch. These methods include the use of rectangular-coordinates, a baseline, triangulation and a compass-point. A cross-projection sketch shows the floor and walls in the same plane. An admissible sketch is drawn or personally witnessed by an investigator and accurately portrays a crime scene. A scale drawing also is admissible if the investigating officer drew it or approved it after it was drawn and if it accurately represents the rough sketch. The rough sketch must remain available as evidence.
