Thursday, 9 May 2013

SOP 3 about Reporting of Digital Forensic Analysis Results



This SOP comprises 7 parts, namely:
1. Introduction
2. Purpose
3. Scope
4. Reference
5. Materials and Device
6. Implementation
7. Related Documents


1. Introduction

Once electronic evidence such as personal computers (PCs), laptops/notebooks, netbooks, tablet PCs, mobile phones, flash disks, memory cards and so on has been examined and analyzed through the procedures described in SOP 8 to 15, the next stage is to write down the examination and analysis procedures used and the results for each item of evidence in a technical report. The report takes the form of the Official Report of the Forensic Laboratory, which is pro justicia so that it can be used as legal evidence in a court of law. Because of its official nature, the report can be issued if there is a written official request and investigative administration files from the police office unit that submits the electronic evidence for examination, with the letter addressed to the Chief of Forensic Laboratory Centre.

Because the report will ultimately be brought to court, the language used in the report must be as simple as possible without losing its essential meaning. The aim is that the jury/judges, prosecutors and/or lawyers can properly understand the process and results of the digital forensic examination and analysis. They are not digital forensic analysts who understand digital forensics thoroughly.

2. Purpose

To ensure orderly administration and technical practice in preparing a comprehensive official report of the forensic laboratory, including mention of the procedures used and the results of the digital forensic examination and analysis for each item of electronic evidence.

3. Scope

The scope of this SOP is as follows:
3.1. Introduction
3.2. Chapter I: Evidence Received
3.3. Chapter II: Purpose of Examination and Analysis
3.4. Chapter III: Procedures of Examination and Analysis
3.5. Chapter IV: Results of Examination and Analysis
3.6. Chapter V: Conclusion
3.7. Chapter VI: Packaging and Labeling Evidence
3.8. Chapter VII: Closing

4. Reference

4.1. ACPO, 7Safe (2008). Good Practice Guide for Computer-Based Electronic Evidence. UK ACPO and 7Safe.
4.2. National Institute of Justice (2004). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. US National Institute of Justice.
4.3. Al-Azhar, M.N. (2012). "Digital Forensic: Practical Guidelines for Computer Investigation". Salemba Infotek, Jakarta.

5. Materials and Device

5.1. Analysis workstation
5.2. Form 1: Receiving Electronic Evidence
5.3. Form 2: Submitting Electronic Evidence
5.4. Technical data yielded from forensic examination and analysis
5.5. Investigative administration files

6. Implementation

6.1. Introduction

It contains the date on which the examination and analysis was completed, the names of the examiners with their rank and position, the warrant for examination and analysis, and other details.

6.2. Chapter I: Evidence Received

It lists all electronic evidence received, together with the technical specifications of each item of evidence as described in SOP 4.

6.3. Chapter II: Purpose of Examination/Analysis

It contains a description of the purpose of the examination and analysis, based on the official request letters or memos that provide information on the type of case under investigation, together with the police report.

6.4. Chapter III: Procedures of Examination and Analysis

It lists the SOPs used, such as SOP 8 and 9 for the Acquisition and Analysis of hard drives, flash disks and memory cards. In addition, it lists the MD5 hash value of the image/backup files generated from the forensic imaging or acquisition process as described in SOP 8 and 10.

6.5. Chapter IV: Results of Examination and Analysis

It contains all data found on the electronic evidence as described in SOP 6 to 15, including investigative data related to the case that has been clarified by investigators, and the results of further analysis of that data. If no investigative data is found on an item of evidence, the report states that no investigative data related to the case was found on that item.

6.6. Chapter V: Conclusion

It contains the conclusion yielded from the digital forensic examination and analysis which is based on the investigative data found.

6.7. Chapter VI: Packaging and Labeling Evidence

It contains a description of the process of packaging and sealing the evidence, as well as the labeling, which states the evidence number, its type, and the police office unit from which the electronic evidence originated, as described in SOP 5.

6.8. Chapter VII: Closing

It contains a closing sentence followed by the signatures of the examiners and is acknowledged by the Chief of Forensic Laboratory or his representative.

7. Related Documents

It is the same as Reference at point 4, with the addition of:
7.1. Carrier, B. (2007). File System Forensic Analysis. Addison-Wesley.
7.2. Casey, E. (2004). Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. Elsevier Academic Press.
7.3. Johnson, T. A. (2005). Forensic Computer Crime Investigation. Taylor & Francis.
7.4. Marcella, A.J. and Greenfield, R. S. (2002). Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes. CRC Press.
7.5. Middleton, B. (2002). Cyber Crime Field Handbook. CRC Press.
7.6. Sammes, T. and Jenkinson, B. (2007). Forensic Computing: A Practitioner's Guide. Springer.
7.7. Indonesian Act No. 11 year 2008 about Electronic Information and Transaction.


Written by:
Chief of Computer Forensic Sub-Department
Indonesian Police Forensic Laboratory Center

Muhammad Nuh Al-Azhar, MSc., CHFI, CEI
Superintendent Police


Agreed by:
Chief of Physics and Computer Forensic Department
Indonesian Police Forensic Laboratory Center

Drs. Andi Firdaus
Senior Superintendent Police

Note:

To download the SOP 3 in Indonesian version, please click the link below:

https://dl.dropboxusercontent.com/u/4868186/DFAT_SOP_2013/SOP3_PelaporanHasilPemeriksaanDigitalForensik.pdf

2 comments:

  1. Thank you for the helpful information. I also think that Forexminute.com is a good website, it has very helpful information for technical analysis reports, forex brokers reviews, trade bitcoins, online forex news, binary options brokers, financial news, etc.

  2. It seems to be most useful information for every computer forensics student who is looking to become successful in the digital forensic field.
