While most forensic examiners spend the majority of their time analyzing the evidence from their case, one of the most important steps in the investigative process – reporting – is often rushed. Reporting your findings to stakeholders should never be overlooked because finding the “smoking gun” won’t matter if your audience doesn’t understand your results. Whether you’re reporting to a judge, jury, legal team, human resources, or management, your report should be tailored to your audience. Some will better understand a written report whereas others might prefer an oral presentation, or a combination of the two. Providing multiple options for reporting is essential in the digital forensics field since many of your stakeholders will not be very technical or have a forensics background.
Internet Evidence Finder (IEF) has multiple reporting and exporting options to assist an investigator present their findings. By default, IEF will organize all of the artifacts found within the Report Viewer for further analysis by the investigator, but after completing your examination by bookmarking, filtering, and searching any relevant artifacts, you are also provided with several options to provide your stakeholders.
Create A Report
IEF creates an easy-to-read and navigate HTML report from any artifacts selected within the Report Viewer. It will include your organization’s logo in the top left corner and list all the artifacts along the left side, similar to how the Report Viewer is displayed.
Image may be NSFW.
Clik here to view.
To create a report in IEF, from the Report Viewer, select File then Create Report. You will be provided with options to choose what artifacts to include in your report and whether you want IEF to automatically thread all the chat messages together for each conversation.
Image may be NSFW.
Clik here to view.
Once your report is completed, you may share these findings with any stakeholders or colleagues. If the investigator wishes to report on just the artifacts that he or she has bookmarked, after making their selection, they can open the Bookmarks Report which will open a new Report Viewer window populated with just those items that were bookmarked. They can then choose to create a report or export the evidence into a different format.
Exporting
If you would prefer exporting your data in another format so that it can be used in a custom pre-built report used by your organization, or you wish to further examine the data outside of IEF with another application or tool, you are provided with several options. IEF supports the export of all or partial artifacts in a CSV, tab-separated, Excel, HTML, PDF, or XML formats. New in version 6.3, IEF also supports the exporting of all pictures in a case while maintaining the original filename so that they can be analyzed with additional forensic tools.
Image may be NSFW.
Clik here to view.
Exporting data in the Report Viewer is very similar to creating a report but you have the choice of exporting all artifacts, some artifacts that have been bookmarked or filtered, or a single artifact if it is of evidentiary value.
Merging Cases
Sometimes an investigator might have run a search in IEF on two separate pieces of evidence from the same case and now have two IEF reports they wish to merge into one. The Report Viewer allows investigators to merge cases by going to “Import IEF Case” under the File options in the Report Viewer. You can then select which case you wish to merge with the one that is already open. IEF will merge the databases of the two cases into a new case file which can then be examined, exported, or reported as previously discussed.
Image may be NSFW.
Clik here to view.
Portable Cases
Another exporting option for investigators is to create a portable IEF case. These are extremely useful if you want to share your findings with another investigator, lawyer, or HR, and they wish to make their own bookmarks or edits but don’t have a licensed version of IEF. Another useful scenario is if you are lucky enough to have an analyst assisting with your investigation, they can use IEF to run the initial search on the image, or other type of digital evidence, and then pass the portable case to one or more investigators who can then examine the results with Report Viewer without needing an additional IEF license.
IEF provides several options for investigators to export or report their findings. Whether you create your own custom reports within your organization or use the predefined HTML report with Report Viewer, IEF provides enough options and customizations to work with most scenarios. Portable cases allow the investigator to collaborate when necessary without the challenge managing licenses or separate IEF installations. Reporting your findings is a crucial step in the investigative process and it is essential for your stakeholders to understand the evidence presented to them so that they can make informed decisions based on your findings.
As always, please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie.mcquaid(at)magnetforensics(dot)com.
Jamie McQuaid
Forensics Consultant, Magnet Forensics
Image may be NSFW.
Clik here to view.
