Packt+ | Advance your knowledge in tech

You're reading from Big Data Forensics: Learning Hadoop Investigations

Product type Book

Published in Aug 2015

Publisher

ISBN-13 9781785288104

Pages 264 pages

Edition 1st Edition

Languages

SQL

Concepts

Big Data

Table of Contents (15) Chapters

Big Data Forensics – Learning Hadoop Investigations

Credits

About the Author

About the Reviewers

www.PacktPub.com

Preface

Starting Out with Forensic Investigations and Big Data

Understanding Hadoop Internals and Architecture

Identifying Big Data Evidence

Collecting Hadoop Distributed File System Data

Collecting Hadoop Application Data

Performing Hadoop Distributed File System Analysis

Analyzing Hadoop Application Data

Presenting Forensic Findings

Index

Chapter 8. Presenting Forensic Findings

The final phase of an investigation is to present the findings to those who will evaluate and rule on the outcome of the investigation. This process is crucial to the success of the investigation because any actions taken regarding the issue depend on the clarity, completeness, and accuracy of the findings. The investigator will most likely present the findings to a non-technical audience, but that audience may also seek input from other forensic experts. This means the findings should be presented in a clear and understandable manner that is accessible to a non-technical audience, and technical details should be provided with the findings for a technical expert who may evaluate the findings.

A report is the most common method for presenting the findings of an investigation. It is the account of the investigation that will be read by the audience. Almost no one else will access the data, except for an opposing forensic expert and attorneys, so the report...

Types of reports

Findings are typically presented in writing, but they can also be accompanied by various types of in-person presentations. There are several types of reports, depending on the nature of the investigation. The first is an internal report. These reports are formal but do not require specific legal formatting or standard language. The second is an affidavit, which is a sworn statement that can be admitted as evidence in court. The third is a declaration. Declarations are intended as statements of facts that are submitted to a court. The fourth is an expert report, and this is evidence that can be submitted by a subject matter expert about a particular set of facts and findings in a case. The forensic investigator can also be called to provide an in-person presentation based on the report, which can be in the form of a deposition, testimony, or a non-legal, question-and-answer meeting.

The following table summarizes the types of reports an investigator may be asked to write:

Developing the report

All types of reports serve the same goal: explaining the findings and the steps that were applied to arrive at the findings. Forensic investigations are complex, and the results of an investigation are typically reported to a non-technical audience, whether it is an internal investigation or an investigation involving the legal system. A report is a tool that summarizes the salient points of the entire forensic investigation in a logical and accessible way. While Big Data investigations are complex, the report should be simple and understandable by any audience, so they understand the steps performed from identification through collection and analysis and the findings are supported by the investigator's interpretation of the results. The report should be developed with the audience in mind and an awareness of how to explain the technical concepts to a non-technical audience.

Reports can be made more accessible and understandable for a general audience by including certain...

Testimony and other presentations

The investigation can also be presented orally. The investigation may need to be presented in an interactive manner with one or more parties being present and asking questions. For internal investigations, the investigator may be called to present his findings to explain what he did and answer any questions that the client may have. For legal proceedings, this can take the form of depositions or testimony. Both of these types of oral presentations involve one or both sides of the investigation having a chance to ask the investigator about his report and ask further questions about his findings and interpretations.

Internal investigations take place outside of the legal system, so there are no fixed rules for how those are conducted. The investigator may be called to answer questions and explain the report in a way that can be understood by the organization. In this setting, the investigator may wish to present the findings using a presentation software or...

Summary

The final step of the investigation is to present the findings. The investigator should already have all of his findings and documentation when beginning this process. Depending on the nature of the investigation, the investigator may need to write a number of different reports and present the findings in person—or he may only need to draft a single document. The goal for any investigation is not only to perform a sound data collection and complete analysis, but also to present the findings in an intelligible and accurate way. By knowing the requirements of the investigation and the forms of presentation required, the investigator can successfully present the findings.

Big Data forensics is a new and rapidly evolving field. Many of the technologies presented in this book will continue to evolve and possibly disappear. The concepts and best practices in this book, however, will remain and can be applied to investigations in the future. Data storage will continue to expand, which means...