Reporting Examination Results

Article Posted: January 02, 2008

One of the more important facets of digital forensics concerns how to document the findings in a formal report. At first glance, this would seem to be rather straightforward: report what you found. Appearances, however, can be deceiving.

Since the “look and feel” of every report needs to be the same for every case, a standardized format is essential. Although not legal documents per se, reports do end up in court. Therefore, they need to be consistent in their format and grammatically correct. A poorly written report can undermine the testimony of the examiner and cast doubt upon the results of the examinations. After all, the report reflects upon the agency, the examiner, the methods of examination, and the results themselves.

To ensure that every examiner within an agency uses the same reporting format, a word processing template needs to be prepared and maintained (usually on a server or on local computers). Alternatively, there are a number of in-house developed and commercially available evidence management applications that are programmed to generate reporting templates. If the agency has one of these applications, then that is probably the best method to use to generate templates and subsequent reports. Virtually all of these applications have the ability to insert standard text phrases (automatically and/or manually) into the body of the report, which can then be easily modified by the examiner or support staff.

Templates generally need to include four basic elements: general information relating to the case, a description of the evidence, examination findings, and a comments section. Depending upon the agency requirements, there could be more. Each of these elements will contain specific detailed information relating to the case. Overall, the report needs to contain sufficient information to ensure that: (1) the reported results are clear, accurate, and objective; (2) the report “answers the question” posed by the investigator’s request for analysis; and (3) the investigator and/or prosecutor can interpret the results of the examinations. Specifically, every report must minimally contain or address the following information:

  • the laboratory’s name, address, and contact information
  • date of issuance
  • whether or not the report is a “supplemental report”
  • the name and address of the investigator and his/her agency
  • the investigating agency’s case number
  • the name(s) of the subject(s) and victim(s)
  • the laboratory case identifier
  • the alleged offense
  • the date of receipt of the evidence
  • how the evidence was received
  • a clear, unambiguous description of the items submitted for examination
  • the name and signature of the examiner(s) conducting the analysis
  • the methods used during the testing (procedures, products, and/or software)
  • deviations from or additions to the methods used during testing (as applicable to interpretations)
  • results of the examinations
  • identification of results obtained from any subcontractor (if applicable)
  • a comment stating that the results relate only to the items examined
  • conditions affecting the results (if applicable)
  • any associations (if made)
  • the basis of any opinions and interpretation of results (if appropriate and applicable)
  • case-specific information requested or required by the investigator (as applicable to interpretations or opinions)
  • a statement of compliance or non-compliance with certain specifications or other requirements (as applicable to interpretations)