I have been discussing “Effective Reporting” recently with some people. The point that came out of it is that “Effective” is “relative”. Knowing your target audience is essential. Since the goal of a report is to convert raw data into actionable intelligence (whether targeting, an intrusion report, divorce case, counter-terrorism, etc.), the final report is the fruit of the labor. It is what the customer is paying for.
If you cannot convey your findings in a coherent and useful report, then what exactly were you hired to do?
Is there a set standard for reporting in forensics? Should there be? My rule of thumb is to follow what we did with the FBI.
Table of Contents — In case it gets long…
Executive Summary — This covers who, what, when, where, why, and how.
Computer Evidence Analyzed — “1 laptop, Dell Latitude x800, S/N 1234566, 160GB HD, S/N 234234234”
Details — This covers what you did…regardless of what you found. Most likely WON’T get read…until the invoice is received. This is where you can and should list what you did and how you did it.
Recommendations — This is where we put recommendations such as “Install Antivirus Software on all machines” or something like that.
Conclusion — You can restate your findings in a more succinct manner, as it will probably make more detailed sense if the reader has actually read the preceding pages.
I am a BIG proponent of screen captures with circles and arrows to guide the impatient reader through the DETAILS section. By adding a caption and anchoring the reference, a reader can basically look at the pictures and read the one-line captions and get a sense of the report.
This is an interesting topic, and we are trying to get a group of Northern Virginians (West of the Beltway locale) together for dinner and active discussion on topics like this.