I always dread the report-writing part of the forensic process. By that stage in a job I’ve usually done all the interesting stuff and I’m often pretty bored of the job and want to pick up the next one (even though it’s often pretty identical to the last).
OK, I suppose I could write the report as I go along. This would make sense in some ways, as I wouldn’t end up staring at an empty report template at the end of a job, but it’s never really suited my way of working. As I’m sure most people do, I tend to follow a set of processes as a rough guide, but soon deviate from them depending on where they lead – if keyword searches throw up fragments from a significant MSN chat session, I’ll set off more searches to recover related material and see where that takes me, and so on.
The downside of this is that I tend to get over-excited and just follow the breadcrumbs, with the result that I don’t feel like stopping to write my report. I’ll take notes and grab stuff to Encase bookmarks and OneNote but the formal, continuously-written method of reporting is not, for me at least, conducive to a personally satisfying working process. And the queen’s criminal justice system exists solely, of course, to give me a satisfying working experience devoid of boring bits.
Writing the reports is a funny business. Often a lot of the evidence recovered is standard stuff, and can be covered by pasting in excerpts from my ‘snippets’ archive – explanations of a Limewire fileurns.cache or file slack, for example. These are pretty much boilerplate and once the explanations are in it’s often just a matter of plopping out the specifics from Encase or wherever and then the bulk of the work is done.
There are two factors that I think make the report-writing arduous. The first is that everything has to be unambiguous and completely, provably correct. If there’s any opinion in there, it has to be opinion that you can back up to the hilt with cold, steely-eyed evidence and it needs to have a damn good reason for being there in the first place. The second factor is that the report has a number of potential audiences.
The first audience is going to be the officer in charge of the case (OIC). She might be a sworn technophobe, or she might be a regular customer who’s been dealing with computer-based jobs for years. Where a case involves computer evidence it often seems to rely heavily on it, and it’s certainly true that in our bread and butter paedo work, our evidence is usually 90% of the case. As the report is our evidence, it’s important that it can be understood by the OIC so that she can interview and charge accordingly.
The next customer is CPS, then the defence analyst if one has been instructed (I get a bit pissed off by the way that the courts seem to refer to the ‘police analyst’ and ‘defence expert’, so take this as my pedantic little contribution to levelling the playing field). Most defence analysts are great people doing a good job, but that job involves picking holes in your report and highlighting anything that gives them pause.
If the case goes to trial – and most suspects plead guilty at the first opportunity – next come the barristers. Criminal barristers, in my experience, are people with two main talents. They can absorb and process large quantities of information, and they are immense show-offs. Remember that kid at school who would stab his way to the front of the auditions for the school play? He wears a wig and a flappy cloak for a living now. The prosecution barrister needs to be able to understand your report, and hopefully you’ll have at least one conference with him before the trial where you can discuss your report, answer any questions (and be instructed to prepare supplementary reports if necessary) and get an idea of how he’ll want you to present your evidence.
Then there’s the defence barrister. To check whether the report will pass this test, you need to read it out to yourself in the most mocking, incredulous way you can manage, substituting first person for third and mucking about with the emphasis. Take a paragraph at random and try it: “You imaged the drive after attaching it to a write-blocker, officer?” (new hidden meaning: “You ate a baby and broadcast it on the Internet, officer?”) You need to do some crazy eyebrow antics while you’re doing this, and try turning away from the mirror to address the question to your cat, as if asking whether he can believe this tissue of lies that’s polluting the courtroom.
Finally, there’s the judge and the jury. Judges are barristers and, in my experience, have an even better ability to absorb information. The jury, not so much. They’ll often be bored to tears by the time the proceedings reach your report, and often the defence will deliberately string out the technical details in an attempt to blind them with science and confuse them away from the facts of the case.
For this reason, I find it helps to have the meat of the report – the bits that contain the smoking guns and the conclusions – in bite-sized chunks that are completely unambiguous – these are the punchlines, the arias. The rest is scaffolding, but this is the very beating apex of the tortured metaphor. Lay the evidence down in all its detail, then sum it up with a neat para explaining that ‘in summary, a user of the computer was emailing the suspect’s mother about intricate details of their family tree one minute before Googling ‘how to chop the heads off people who look at me funny on the bus’ and was scanning images of distinctive birthmarks belonging to the suspect one minute later.’
Well, that wasn’t really the post I’d intended to write. It was supposed to be a bit about reports, then a funny bit. I’m not holding myself up as a great report writer by any means, and I haven’t got very much court experience – as I said, the vast majority of suspects in computer cases plead guilty before it gets to a trial. I’m still getting the hang of this blogging lark though, so I thought I’d just let my mind run away with me. It’s not as if anyone’s reading it, anyway. If you thought it was interesting, useful, awful, tedious, whatever, please comment in the comments (where else?).