Intelligence or Investigations reports are important for the success of an investigation. But how do you make sure that they are written in a way that makes sense for anyone who needs to read it, regardless of technical background?
We have spoken to Dario Beniamini, CEO and owner of Intellexia, about best practices for writing digital forensics reports.
Information in an investigation can be extremely technical and difficult to validate. In the report the information should be explained in a way which is accessible for everyone.
– In my opinion, the goal of the report is to tell a story, says Dario.
Telling a story in a report is like writing an article or a book. You need to make sense of the story, connect all the pieces together and write it in a way that everyone can understand and follow.
– If you have a nice idea about a book, but your story doesn´t make sense when written down, the reader will just close the book. The same applies for a report. If we just provide what we collected without analysing and making sense of the story, we are not investigators, we are only collectors of evidence, says Dario.
A report could be used in different ways by people with different kinds of backgrounds. It might for example be escalated to the CEO of an insurance company. And if they don’t have a technical background, which they usually don’t , they might not understand a far too technical report.
In other words, simplification is the key to a good report.
Of course you should. Telling a story that anyone can understand is really important. But it is also important to include things like hash values, time stamps, assets, OSINT data, ip addresses and more.
You need all this information to make the evidence legal from a forensics point of view. But all this is something which could be included in the appendix since it is not important for the actual story.
– A CEO for example doesn’t want to read all that. They expect that if you present them with evidence, you have already done everything needed to make it legally valid, says Dario.
This is not a simple question. What should be included in the report depends on what kind of investigation you are working on.
– The purpose of the report can vary. Myself for example work in different fields, like open source intelligence, brand protection investigation and digital forensics investigations. Every type of activity has different report structures and types of information that should be included in the report, says Dario.
So, it is not possible to give a one-solutions-fits-all structure.
But here is an example of a structure which Dario follows when working with OSINT investigations.
The first four steps are where you are telling the story. These should be written on a maximum of 2 pages and easy for the reader to understand.
Here is an example on how this first part could be written. This is of course a fake investigation since we can´t share a real one.
The investigation is focused on asset tracing, with a particular attention to real estate properties about the following two Italian citizens:
The scope of the investigation was to identify real estate properties connected to the above- listed subjects of investigation. Mr. Mario ROSSI is the only subject who has several properties near Rome (RM).
All subjects are linked through Facebook friendships, and they all belong to the committee “Pizza Forever”. Mr. ROSSI has political experience as councilman of the Municipality of Rome (RM) with the party MOVIMENTO PIZZA 4ALL (MP4A) and a respectable curriculum vitae as a “pizzaiolo” in Italy, USA, and Japan.
All subjects seem to have sympathy for the slow food cause and to the pizza party. They also joined other committees against the Chicago Pizza and new fast foods franchise in Rome. Ms VERDI and Mr. ROSSI seems to have brought a civil action against MacPizza for damaging the image of the Roman Pizza in Chicago.
It is suggested to have a local P.I. to conduct a HUMINT investigation to better understand the connections between the Subjects of the investigation, the party MOVIMENTO PIZZA 4ALL (MP4A), the Italian food association named “Pizza Forever”, and other committees such as “No MAC Pizza”, “No Burger Pizza”, “No Pizza No Party”, etc.
The data collected during the investigation was identified on Italian Public Registries (such as the Cadastral Registry or the Civil Registry), private Italian databases, with primary research completed by a local P.I. over the phone and secondary research using OSINT techniques on open (such as Search Engines and online Newspaper) and deep web (such as Social Networks) resources.
The next 9 parts are a bit more technical. These parts are also important to validate your story written on the first two pages.
A summary table which includes data used to identify the person or the company. The information to include here are:
Data identified on private registries if available. Bank Account(s) Registered, Bankruptcy / Seizure(s) / Legal Action(s)
Data identified on private registries if available. Real Estate properties, vehicles, boats, etc.
Data identified on private registries if available and/or Social Networks (LinkedIn, Xing, Facebook, etc.)
Every piece of validated intelligence identified via OSINT techniques on open/deep, such as Social Networks or proprietary databases, etc.
Every piece of validated intelligence identified via OSINT techniques and georeferenced
Data identified on local newspaper or databases which aggregate local newspapers that do not have an electronic version
Data identified via Human Intelligence such as results of an investigation from a private investigator, surveillance, a source of confidential information, etc.
The analysis of all evidence reported in step 1-8
And then for the last part of the report Darios adds:
One thing that should be avoided is including too much information not related to the investigation. If the report is too long with irrelevant facts, no one will read it. The same applies if the report is too technical.
– We need to understand the final recipient of the report. I am not a writer myself. I have a structure which helps me to focus on important information. So when I write a report, I already know what is important to include, and what’s not, says Dario.
When writing a report it is important to do it in an objective way.
– At the end of the day, you are not a judge and a report is not a place for opinions, especially when related to digital forensics investigation or data collected on the open web. Your report should be based on experience, access, legal activities and stated facts, says Dario.
When it comes to legal activities it can vary depending on which organisations you work for or what country you are in.
In some jurisdictions it is a crime to do pretexting or to create a sockpuppet to interact with someone on the Social Network. Only a law enforcement agency should create sockpuppet when authorized by a public prosecutor
One thing is to observe, another thing is to interact and that is something you should always have in mind when collecting evidence.
– You need to do everything in a legal way. If your report is to be used in court, and you have collected it in an illegal way, you could jeopardize the entire investigation and potentially go to jail, says Dario.
This even applies to law enforcement.
– Not even law enforcement is above the law. If they contact someone in an illegal way, they could for example be accused of being provocators. And if something bad happens because of their actions, they can be prosecuted and evidence can be removed because they were acquired illegally, even if they are the law enforcement themselves, says Dario.
So in order to not make any mistakes, make sure you know what’s legal and what’s not in the country you are operating in.
We hope that you found this article useful.
This form is displayed on Contact Us Page
"*" indicates required fields
To wrap this up we asked Dario to give us his three best tips to make reports more efficient.
This is what he told us.
No need to worry about evidence documentation and report formatting. Paliscope Build automates all that - keeping your cases structured, secure and easy to hand over.
Find what you are looking for with Paliscope Explore - enabling analysts and investigators to triage large amounts of data and deep dive into the findings.
Process all your data in one place, collaborate across teams, search for anything, and more.