As of yet, no formal reporting guidelines for computer forensics cases (specifically, criminal) have been developed. Every time I receive a discovery packet from a jurisdiction with which I’ve not previously worked, it’s a whole new carnival of fun and frustration.

The quality of forensic reports varies by order of magnitude between agencies and locations. More frequently (for some reason, which steadfastly defies explanation) I’m confronted with reports, on matters involving CP possession/distribution, which list only the filenames of the illicit material. The actual location of the files in the computer’s filesystem is neither explicitly nor implicitly discernable.

Odd thing, as the location of the file provides extremely important contextual information. Full file paths used to be included in most every report and now they’re disappearing? This means that either the defense expert has to submit a request to the prosecutor’s expert for clarification (and govt. forensic examiners are more than a little busy these days) or I have to spend my client’s time and money digging for this stuff.

Now for those technical people who might say “just search the index” or “search a recursive file listing of the entire hard drive”, keep in mind that we’re often working with 3-5 hard drive images and misc. removable media. If I’m lucky, the report at least tells me which piece of evidence the item is located on but sometimes luck takes a vacation. There’s often no time to create an index and basic filename searching (even with tools like fls) don’t necessarily come up with deleted items when operating recursively.

It’s high time for development of a standardized reporting format for criminal forensic endeavors. This wouldensure accuracy, allow attorneys to better understand the evidence against their client (as they accustom to reading them) and help to level the playing field for defense experts who are already forced to operate in suboptimal conditions.