Welcome back to Digital Forensic Concepts. In this course, we're talking about report writing and peer review. In Module 2, we're going to cover tool-generated reports, the reports generated by our forensic software. Each forensic tool reports slightly differently: there are going to be slightly different options and slightly different ways in which it displays our findings. Most of these tool-generated reports are very technical, so know your audience if you're going to use one of them. Most of these reports also contain a lot of unneeded and unwanted information, as we'll see when we do our walkthrough.

I want to talk about two software suites that do reporting. Almost any of your software suites will do reporting; that includes FTK, EnCase and Axiom. But the two we're going to look at are X-Ways, which is a commercial suite (it does cost money), and Autopsy, which is a free and open-source tool.

When we take a look at the Report Wizard in X-Ways, as we see here on our screen, we have the option to put in a logo. We can put in a report header. We can even put in a preface, a paragraph prefacing our report. We can include our search hits. We can choose the selected evidence objects that we want to report from. We can convert our report to a PDF. Now, up top here it says Include report tables. X-Ways calls bookmarks report tables; they're the same thing. Most tools call these bookmarks, but in X-Ways they're called report tables. You can see we have some different ones here: Jump lists, Link files, Event logs, Prefetch files. You can choose to include all of these or some of them. You can sort them by the evidence ID number, which is an internal number assigned by the software, or have them in the order they are currently in the case. You can decide how many lines you want per row in your output file. We can also copy a link to each one of these; this is an HTML-type report we're generating here.
We would have a link to each of these items, which we could click on to see the actual evidence item. You can create thumbnails, and you can have them positioned above or below the row that displays your artifact. Further down here, at the bottom on the right-hand side, we see a whole bunch of fields: Name, Type, Description, Report table, Path, Full path. You can choose to include any of these types of metadata. This also includes your dates and times; you can't see them in this particular screenshot, but they are listed as one of the options. You have a whole bunch of ways that you can customize your report with the X-Ways forensic tool.

Now, Autopsy. On the first screen you come to in its Report Wizard, you choose what type of output you want for your report. You can do HTML, Excel, a regular text file, or even a Google Earth KML if that's the type of case you have. You can also create a portable case, which lets you turn the case over to another examiner, possibly for peer review. You can create a header (in this one I've written "case report") and a footer (I just put "end of report"), but you can type anything you want in these boxes. As you go through the Report Wizard, you're going to have the option to include All Results, All Tagged Results or Specific Tag Results. You can see down here in the white box on the screen that I can choose to include my bookmarks, my notable items or my Prefetch; these are the different types of bookmarks I've created. If I chose All Results, I'd be presented with a window where I'd be able to include or exclude certain types of results. I can have Web Bookmarks, Web Cache, Web Cookies, Downloads, but I could also deselect these if they weren't relevant to my case.

Now we're going to do a demo with Autopsy and X-Ways.
I'm going to take a look at the reports they generate, how they look, and the types of information they contain.

Welcome to our tool-generated report demonstration. We're going to start with X-Ways, which is a paid commercial tool. I have a case created and opened here. I'm going to go to File, Create Report. We see that report generator, like we saw in the screenshot in our PowerPoint presentation. I do have an option to put in a logo. This is the optional report header, and it's simply "case report X-Ways"; I could change that, and I have. I can put it on the left, the center or the right. I can output an activity log. I can do it for selected evidence items, which could be a single partition or something outside my partition boundaries; I'm not going to do that.

Up here we see all the report tables. Report tables are what X-Ways calls bookmarks. Most tools call them bookmarks or tags; in X-Ways they're called report tables. I have the Firefox browser, Jump list, Link files, Event logs, Prefetch, Chrome. That seems to be all I have here. I can include these simply by highlighting them while holding down my Control key. I could pick as many as I want; I'm just going to go ahead and pick them all. I also have options for how the output looks. I can do three lines per file, I can do page breaks, list each evidence file only once, and I can make copies of the files so they can be included in the report. This is an HTML output; I do have the option of converting it to a PDF output if I want to. I can create thumbnails for each of the files.

Now, what metadata do I want? Well, I definitely want name, type, report table, path and extension, and you can see this list is fairly extensive. We have created, modified, record change and accessed times. I can see if it's deleted. I can include the hash values. There are all types of information I can pick and choose from down here. I can generate a file signature.
There are all different types of things I can do. We're just going to keep it fairly simple so it doesn't look overwhelming when it comes out. But if some of these specific characteristics were important to you, you'd want to make sure you included them. I also have the option of outputting my metadata the way it shows in details mode. I'm not going to do that because that would take up a lot of space. When I'm done, I can simply click "OK". Now I have to choose where I want to save it. I'm just going to leave it on the default here and click "Save". It says it's successfully saved, and now I can click "OK" and view the report.

This is what the report looks like. The first part just gives me some geometry of the drive: the total capacity, bytes per sector, the sector count, the partition style (master boot record), and the file system, NTFS. It gives that for all the partitions. It gives you more information about each partition: bytes per sector, bytes per cluster, location of free clusters, total free clusters. Just drive geometry information for the partitions.

Now we come to our items. We chose our Firefox bookmarks and it just lists them out: the name of the file and the type of the file (here cookies.sqlite, a SQLite file type), the report table it's in, which is called Firefox browsers (that's the name of the bookmark), and the path. It is existing, which means it's not deleted. Then my created, modified, record change and accessed times. It just lists all those files out. Jump lists give me the name of the jump list and the same type of information.

Whatever type of information you choose to put in here, make sure you can explain it and you understand it. If you don't, don't put it in the report. There is nothing more embarrassing than somebody asking about something that's in your report and you cannot explain it. That would make you look bad. This is what a report would look like.
It's not really pretty, and I don't really think it's that user-friendly, but that is what the X-Ways tool-generated report looks like.

Now, let's take a look at Autopsy. I've created a case in Autopsy, and we're going to go ahead and generate a report. I'm going to go to Tools, Generate Report. With Autopsy, we have a choice of what type of report we want to generate. Do we want to generate an Excel, an HTML, a plain text, a TSK body file, a Google Earth KML (if you're doing something that maps, you might want to do that) or even the portable case? I can put a header in here, and I'm just going to put "case for class". In the footer, I'm just going to put "end". We're going to click Next through the Report Wizard. Now it's asking me which source I'm reporting on. I only have one evidence item in here, which is a VMDK. If I had more than one, I could choose which one, or both. We have All Results; I could go All Tagged Results or Specific Tagged Results. Here's where I can pick and choose which items I want to include or not include in the report. I'm going to go with All Results. Then I can click down here: if I want to choose result types, I can choose to include all of these or take some of them out. But I'm just going to leave it the way it is and click "Finish".

It's going to take a minute to generate this report. It's showing you the file path to the report; you might want to make a note of that so you know where to find the report once it's generated. It's finished and we can see our report. We do have over here on the left-hand side a navigation pane. You can click on "Case Summary", and that's where we're at, the beginning of the report. It's telling us the version of Autopsy we're using, 4.17.0, and it's giving us our software information. These are all the modules that are installed in this version of Autopsy that I have installed.
It also gives you a history of what options I ran and whether I let them finish or cancelled them. You have complete documentation of the processes you ran on your data source in your case summary, which comes in handy.

Take a look at the accounts. These are the accounts found on the system: Google Chrome, Microsoft Edge (which is the app name), and then the URL, when they were created, the domain, the username, and where the source file is inside the image itself, so you know how you would navigate to it to look at the file. You can scroll through and see account emails; it found all these different email addresses and email messages. Then encryption detection: files suspected to be encrypted. These files may or may not actually be encrypted; it's measuring entropy, and we'll talk about what that is in another path. It does show us extension mismatches, and this is where the file extension does not match the actual file type, because it's very easy to change a file extension and a filename. If I had a PDF, I could change it to a .gpg file simply by renaming it. That would prevent the operating system from accessing the file, but I would still know it was there. That is a simple way of trying to hide data, but it's fairly easily overcome; as you see, it detects every mismatch, and there are 241 extension mismatches in this image file.

Hash hits: this was a notable hash, a packer, which is a packing-type program, and you could scroll through here. It has interesting files and keyword hits. When we did our keyword searching, when we looked at grep and keyword searches in our last course, we can see all our keyword hits. Recent documents, tagged files. That link is not working. It's showing us all our tagged files. I didn't tag any images; I tagged one result, which was a web history. You get the idea. You can scroll through here and look at each of these items inside the report and see them.
I do like the way it's laid out, and down at the bottom there's a scroll bar you can scroll across, because it's not going to fit on one screen. Then we have our dates and times. We have the program and the domain. Let's look at tagged files from in here. These are files: these are PDFs, a couple of them are SQLite files, and we do have a link file in here. As we scroll across, you can see you have your created, accessed and modified times, we have the username, and we have our hash value and the file size in bytes. Now this particular program doesn't let me pick and choose what information I want, but it does put it out in a very nice, easy-to-navigate format.

That is a look at tool-generated reports for just a couple of tools. Like I said, all of your full forensic suites will generate a report. End of demonstration.
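To make concrete what the tool-generated reports above are actually doing under the hood, here is an added example that is not X-Ways or Autopsy code and not part of the course material. It reimplements, over constructed in-memory sample files, three of the checks walked through in the demo: the extension mismatch detection (file signature from leading bytes versus the name's extension, including the renamed-PDF case), the entropy measurement behind Autopsy's encryption detection, and the per-file hash, size and timestamp metadata, then renders them as an HTML table with a header and footer like the Report Wizard's. The signature table, the 7.5 bits-per-byte entropy cutoff and the sample files are assumptions chosen for the example, not values taken from either tool.

```python
"""Minimal tool-style forensic report generator (added example, not X-Ways or Autopsy code).

Implements three checks the lecture walks through, over constructed in-memory files:
file-signature vs. extension mismatch, entropy-based encryption suspicion, and
per-file hash/size/timestamp metadata, rendered as an HTML table with one row per item.
"""
import hashlib
import html
import math
from datetime import datetime, timezone

# Magic-byte signatures (assumption: a small hand-picked table, not a tool's full database).
SIGNATURES = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"SQLite format 3\x00": "sqlite",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cutoff, real tools choose their own


def sniff_type(data: bytes) -> str:
    """Identify a file by its leading bytes; 'unknown' if no signature matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input, 8.0 max)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def analyze(name: str, data: bytes, mtime: datetime) -> dict:
    """Compute the fields one report row needs for a single file."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = sniff_type(data)
    ent = shannon_entropy(data)
    return {
        "name": name,
        "type": kind,
        "extension": ext,
        # Only flag a mismatch when the content was positively identified and the extension disagrees.
        "mismatch": kind != "unknown" and kind != ext,
        "entropy": round(ent, 3),
        "suspected_encrypted": ent >= ENTROPY_THRESHOLD,
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "modified": mtime.isoformat(),
    }


def build_report(rows: list, header: str = "Case report", footer: str = "End of report") -> str:
    """Render analysed rows as a self-contained HTML report with a header and footer."""
    cols = ["name", "type", "extension", "mismatch", "entropy",
            "suspected_encrypted", "sha256", "size", "modified"]
    out = [f"<html><body><h1>{html.escape(header)}</h1><table border='1'><tr>"]
    out += [f"<th>{c}</th>" for c in cols]
    out.append("</tr>")
    for r in rows:
        out.append("<tr>" + "".join(f"<td>{html.escape(str(r[c]))}</td>" for c in cols) + "</tr>")
    out.append(f"</table><p>{html.escape(footer)}</p></body></html>")
    return "".join(out)


def pseudo_random_bytes(n: int, seed: bytes = b"seed") -> bytes:
    """Deterministic high-entropy bytes (chained SHA-256) standing in for ciphertext."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample evidence, stamped with a fixed time so the output is reproducible.
STAMP = datetime(2021, 3, 1, 12, 0, tzinfo=timezone.utc)
PDF_BYTES = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
SAMPLES = [
    ("report.pdf", PDF_BYTES),                                   # extension matches content
    ("notes.gpg", PDF_BYTES),                                    # the lecture's renamed PDF: mismatch
    ("cookies.sqlite", b"SQLite format 3\x00" + b"\x00" * 64),   # matches
    ("blob.dat", pseudo_random_bytes(4096)),                     # high entropy: suspected encrypted
]
ROWS = [analyze(name, data, STAMP) for name, data in SAMPLES]

if __name__ == "__main__":
    print(build_report(ROWS))
```

Running the script prints the HTML; redirect it to a file and open it in a browser to get a table in the same spirit as the reports in the demo. Note the same caveat the lecture gives for the tools: the entropy flag marks compressed data (zip, PNG, packed executables) just as readily as encrypted data, so it is a lead to examine, not a finding by itself.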