Mastering Windows Network Forensics and Investigation
Chapter 16: Presenting the Results

Chapter Topics:
• Create a readable narrative report
• Organize and assemble reports into a distributable electronic format
• Create timelines as a presentation tool
• Explain technical concepts in a simple way

Report Basics
• The forensic report is the most crucial element of the analysis
• Details the procedures followed and the techniques performed to discover evidence
  – Who committed the crime?
  – What did they do?
  – When was the crime committed?
  – Where was it committed?
  – Why did the suspect do it?
  – How did they do it?

Basic Report Items
• Registry
• Event Logs
• File-system-based evidence
• IIS Logs
• Firewall Logs
• User Account Information
• Raw Device Information
• Results from external applications

Creating a Narrative Report
• Correlate all collected evidence
  – Output from all tools used during analysis
• Tell an understandable story that contains the pertinent evidence
  – The story will contain multiple levels and underlying reports that hold the evidence supporting the high-level facts
• Consider adopting HTML format and using hyperlinks to connect the levels and sub-reports

Creating a Narrative Report
• Electronic reports give the examiner flexibility over paper-based documents and greater distribution options
• Timelines are essential elements that portray events as they occurred
  – Tools:
    • SIFT – log2timeline
    • CaseMap/TimeMap
    • Splunk

Testimony
• Regardless of the setting, the examiner will have to effectively tell a technical story to non-technical people
  – Convey technical concepts using analogies that the layman can understand
  – Practice by teaching technical concepts to the novice
• The most effective examiner can discuss pertinent findings and communicate with non-technical people
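The correlation and timeline points above, as an added example (not from the book or the slides): three constructed evidence sources from the "Basic Report Items" list (an IIS W3C log, a Security event export, a firewall log) are normalised to UTC, merged into one ordered timeline, and emitted as an HTML list whose entries hyperlink to per-source sub-reports. The sample records, the pipe-separated event export layout and the UTC-5 host offset are assumptions for the demonstration.

```python
"""Build a unified UTC timeline from heterogeneous evidence sources."""
import html
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta


@dataclass
class Event:
    ts: datetime      # always normalised to UTC before sorting
    source: str       # which sub-report this entry links back to
    summary: str

# Constructed sample data, not real evidence. IIS W3C logs record UTC.
IIS_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2023-03-04 02:15:07 203.0.113.7 POST /upload.aspx 200
2023-03-04 02:15:09 203.0.113.7 GET /uploads/cmd.aspx 200"""
# Constructed Security-log export; exported tools often emit host local time.
EVENT_LOG = "2023-03-03 21:14:58|4624|Logon|svc_web"
# Constructed firewall log carrying an explicit UTC offset.
FW_LOG = "2023-03-04T02:16:30+00:00 ALLOW 10.0.0.5 -> 198.51.100.9:443"


def parse_iis(text):
    """Use the #Fields directive so column order is never hard-coded."""
    fields, out = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            out.append(Event(ts.replace(tzinfo=timezone.utc), "IIS",
                             f"{rec['c-ip']} {rec['cs-method']} {rec['cs-uri-stem']} {rec['sc-status']}"))
    return out


def parse_event_export(text, host_tz):
    """Local timestamps are attached to the host zone, then converted to UTC."""
    out = []
    for line in text.splitlines():
        when, eid, desc, user = line.split("|")
        ts = datetime.strptime(when, "%Y-%m-%d %H:%M:%S").replace(tzinfo=host_tz)
        out.append(Event(ts.astimezone(timezone.utc), "EventLog", f"EID {eid} {desc} {user}"))
    return out


def parse_firewall(text):
    return [Event(datetime.fromisoformat(w).astimezone(timezone.utc), "Firewall", rest)
            for w, rest in (l.split(" ", 1) for l in text.splitlines())]


def build_timeline(host_tz=timezone(timedelta(hours=-5))):
    events = parse_iis(IIS_LOG) + parse_event_export(EVENT_LOG, host_tz) + parse_firewall(FW_LOG)
    return sorted(events, key=lambda e: e.ts)   # one ordering across all sources


def timeline_html(events):
    """Top-level narrative list; each entry links to its source sub-report."""
    rows = (f'<li>{e.ts.isoformat()} <a href="{e.source.lower()}.html">{e.source}</a>: '
            f'{html.escape(e.summary)}</li>' for e in events)
    return "<ol>\n" + "\n".join(rows) + "\n</ol>"


if __name__ == "__main__":
    print(timeline_html(build_timeline()))
```

Without the offset conversion the 21:14 logon would sort after the 02:15 uploads, inverting the story the timeline is meant to tell.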