Digital Evidence and Computer Crime, Second Edition

15.8 Reporting Results

Although the involvement of networks in a digital evidence examination does not necessarily change the structure of a final report, conveying results clearly becomes more complicated: more computers are involved, their interactions are complex, and all of this complexity must be simplified for decision makers. Diagrams can provide an overview of events, and presenting digital evidence through the visualization tools used to perform the examination and analysis can help convey the more technical aspects of a case in easy-to-understand terms.

When dealing with large cases involving hundreds of computers, it is useful to create a main report describing the overall examination and several more focused reports dealing with logical groupings of machines. For instance, if computers from three organizations were examined, it can be helpful to write separate reports relating to each organization. Alternatively, if a group of computer intruders gained unauthorized access to several hundred machines, it can be helpful to write separate reports relating to each type of machine (e.g. Solaris, Linux, Windows) to explain fully the different actions taken on each type of system.
