Running head: FORENSIC EXAMINATION TEMPLATE

Forensic Examination Template

Marie Whiting
University of Advancing Technology

FORENSIC EXAMINATION TEMPLATE

Forensic Examination Template

Forensic examinations begin with organizational policies and practices (Solomon) that
provide guidelines for the incident response team to follow. It is this established procedure that
will guide the process in a pre-determined and established manner. According to Solomon, the
forensic examination involves certain critical steps that must be followed in pursuing a well-put
together final product for the court. The following heading is presented to the reader by Solomon
in his book, Computer Forensics.

Creating Easy-to-Use Reports

An investigation will yield a vast of amount of data, so organizing it in a fashion where it
is readily accessible is imperative. This will also guide the investigation knowing that there must
be information allotted to each pre-determined area beginning with a summary and background
of the case. In addition, this makes it easy to find information quickly and easily in court.

FORENSIC EXAMINATION TEMPLATE

Computer Forensics Report Template. (2009)

Document Everything, Assume Nothing
According to Solomon, 2009, the steps taken to be included in the report must contain
the following:
[1] A complete statement of all opinions and the basis and reasons for such, [2]
any data or other information relied upon in forming the opinions, [3] any exhibits to be
used in support of or summary for the opinions, [4] the qualifications of the witness,
including a list of all publications authored by the witness within the last ten years, [5]
amount of compensation to be paid for the study and testimony, [and] [6] a list of any
other cases in which the witness has testified as an expert at trial or by deposition within
the last four years.
When beginning an investigation, the scope of what will be discovered is unknown as well as the
significance of pieces of data collected. Therefore, the steps in a forensic examination include
collecting all data found and documenting it in an approved fashion. Obtaining the proper
paperwork and permissions to seize the computer or equipment in question is essential
(Solomon, 2009). In a notebook, write down the who, what, when, where, why, and how of the
case (Solomon, 2009). With a complete log of the data documented, an organized and detailed
report can then be generated. The best way to approach this task is to use a template containing
essential components. Any additional subheadings that pertain to the individual case can also be
added.

Forensic Examination Template

Table of Contents
This provides the investigator, courts, and presenter with a reference where information
can be quickly located and examined. The Table of Contents page should be numbered,
identified, and a page number noted.

FORENSIC EXAMINATION TEMPLATE

Case Summary
Since the report may be quite thick, the case summary will allow the interested parties to
quickly look at the evidence gathered and the conclusions resulting from that data. The
summary is meant to provide the client or court with a snapshot of the facts and evidence
(Solomon, 2009, p 216). This piece would also include a brief background of the case.
Preliminary Examination
Introduce the steps taken to begin the examination of the evidence. Include just the facts
and the procedures undertaken to access any technology. Write clearly and provide any
supporting documentation. Explain the methods used and the results (Solomon, 2009, p 216).
Registry Information
This is information that the operating system logs such as user profiles, software
applications, hardware, files, and other settings.
Image Scans
Any text, object, or image can be scanned and documented in this subcategory.
Results of Virus Scan
Document any executable files or viruses that may affect the data on the computer.
Hash Library
The hash library records numbers that have been generated to represent strings of text. An
examination of these hash values provide evidence that any copies created have not altered the
original data and the integrity of the original can be verified.
Signature Analysis

FORENSIC EXAMINATION TEMPLATE

This is where the comparison of the files, headers, and extensions are examined and
verified with the files on the device to discover any hidden files.
Encrypted or Password Protected Files
List any protected files and the method used to obtain the information.
Alternate Data Streams
These should be completely identified and the path noted
EScripts
Include the scripts run and any details that are known including the script, hash if
available, and where it was found.
Text Searches
What searches were initiated? Also, the number of hits from forensic tools can be
included, i.e., 1-200, 201-55, 501-1000, 100 and more.
Questions and Answers asked by the Client
Document all questions asked by the client and record the responses.
Files
Because there may be a vast number of files, breaking this area down into subcategories
identifying where they are found may be helpful. This would include files that were deleted,
found on the desktop, in my documents, profiles, and recent files which would indicate a
measure of their importance. Also include any relevant screenshots of the text in the files.

FORENSIC EXAMINATION TEMPLATE

Appendix: Computer Forensics Report Template. (2009)

FORENSIC EXAMINATION TEMPLATE

FORENSIC EXAMINATION TEMPLATE

FORENSIC EXAMINATION TEMPLATE

References
Computer Forensics Report Template. (2009). Retrieved December 13, 2015, from
http://computer-forensics.privacyresources.org/forensic-template.htm
Solomon, M.G., Rudolph, K., Tittel, E., Broom, N., & Barrett. D. (2011). Computer Forensics
jumpstart (2nd ed.). Indianapolis, IN.