A forensic report is the deliverable that connects digital evidence to legal proceedings. It is the document that judges read, that attorneys cross-examine and that juries evaluate. A report that lacks essential elements will be challenged. A report that contains the right elements in the right format becomes the foundation for case outcomes.
Court-ready does not mean technically impressive. It means legally defensible. The report must satisfy the evidentiary standards of the jurisdiction where it will be presented. It must be understandable to non-technical audiences. It must be independently verifiable. And it must document the examiner's methodology with enough detail that another qualified examiner could reproduce the results.
Most forensic examiners spend hours manually compiling reports. They copy hash values from one tool, paste findings into a word processor, format tables by hand and hope they did not miss anything. This manual process is slow, error-prone and produces inconsistent output. Sherlock forensic tools eliminate this burden by generating court-ready reports automatically from the examination data.
Elements of a Proper Forensic Report
The following elements are required in a forensic report that will withstand judicial scrutiny. Sherlock tools include all of these elements in their automated reports.
Statement of Soundness
The report must open with a statement confirming that the evidence was handled in a forensically sound manner. This statement affirms that the evidence was accessed in read-only mode, that no modifications were made to the source data and that all analytical steps are documented and reproducible. The statement of soundness is the first thing opposing counsel will look for. If it is missing or vague, the entire report is vulnerable to challenge.
Sherlock reports include a statement of soundness automatically. The statement references the read-only access mode, the source file SHA-256 hash and the post-analysis verification confirming the evidence was not modified.
Artifact Inventory with Hash Verification
Every artifact referenced in the report must be individually identified with a SHA-256 hash. For email reports, this means a unique hash for every message. For mobile acquisition reports, this means a unique hash for every extracted file. The hash serves as a cryptographic fingerprint that allows independent verification. If opposing counsel obtains the original evidence, they can compute the same hashes and confirm that the artifacts in the report match the artifacts in the source evidence.
Per-artifact hashing is what separates a forensic report from a summary. A summary describes what was found. A forensic report proves what was found with mathematical verification that cannot be fabricated or disputed.
Examiner Credentials
The report must identify the examiner by name and list their relevant credentials. Courts evaluate the weight of expert evidence based on the qualifications of the person who produced it. Sherlock reports document the examiner name from the license registration. The tool is built by CISSP, ISSAP and ISSMP certified practitioners. These credentials are recognized internationally as the gold standard for information security and forensic examination qualifications.
Methodology Description
The report must describe the methodology used to collect, preserve and analyze the evidence. This includes the tools used (with version numbers), the acquisition method, the search and filtering criteria applied and the export parameters. The methodology must be described in enough detail that another qualified examiner could follow the same steps and arrive at the same results.
Sherlock reports document the methodology automatically. Tool name, version number, session ID, search queries, filters applied and export parameters are all recorded from the tool's internal audit log.
Chain of Custody Documentation
The report must include or reference the chain of custody log documenting every person who handled the evidence and every action performed on it. This connects the report findings to a verifiable handling history. See our dedicated chain of custody page for detailed guidance on maintaining proper custody documentation.
Plain-English Findings
Technical accuracy is necessary but not sufficient. The report must present findings in language that a non-technical judge or jury can understand. Hash values and technical metadata belong in the appendix. The main findings section must explain what was found, what it means and why it matters in plain English. A report that only a forensic examiner can understand fails its purpose.
How PST Viewer Generates Email Forensic Reports
Sherlock PST Viewer Forensic Edition generates multi-page PDF forensic reports from email archives. The workflow is designed for speed without sacrificing forensic rigor.
Mark and Report Workflow
The examiner opens the PST or OST file in read-only mode. They browse folders or use full-text search to locate relevant messages. Each relevant email is marked using a per-message checkbox. When all relevant messages are identified, the examiner clicks Generate Report. The tool produces the complete forensic PDF automatically.
What the Email Report Contains
- Title page: Documents the tool name and version, license holder name, unique session ID, report generation timestamp and source file SHA-256 hash. This establishes the provenance of the report and links it to a specific examination session.
- Per-email evidence cards: Each marked email receives a full evidence card documenting the sender (name, email address, source IP and hostname extracted from RFC-822 Received headers), Authentication-Results (SPF/DKIM/DMARC pass/fail per message), Message-ID and the per-message SHA-256 hash for independent verification.
- Recipients table: Each evidence card includes a table documenting To, Cc and Bcc recipients with display names resolved where available.
- Body content: Email body content is included with HTML converted to readable plain text. Formatting artifacts are stripped while preserving the substantive content of the message.
- Source IP attribution: The originating IP address and hostname are extracted from the Received header chain per RFC-822. This establishes where each message actually originated, which is critical for sender verification in fraud and impersonation cases.
Marks are stored separately from the evidence file. The source PST is never modified during analysis or report generation. This read-only approach preserves the original evidence and allows any qualified examiner to independently verify the results.
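An added illustration (not Sherlock's code) of the header fields an evidence card draws on: it walks the Received chain of a constructed message and reads Authentication-Results, separating the origin IP asserted by the sending side from the peer IP recorded by the recipient's own servers. The TRUSTED host set, the function names and the sample message are assumptions made for this example.

```python
import re
from email import message_from_string

# Constructed message: example domains, documentation-range IPs.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mail.recipient.example with ESMTP; Tue, 02 Jan 2024 10:00:05 +0000
Received: from relay.sender.example (relay.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS; Tue, 02 Jan 2024 10:00:03 +0000
Received: from laptop.local (unknown [203.0.113.45])
\tby relay.sender.example with ESMTPSA; Tue, 02 Jan 2024 10:00:01 +0000
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bounce.example;
\tdkim=none; dmarc=fail header.from=sender.example
Authentication-Results: relay.sender.example; dmarc=pass header.from=sender.example
From: Alice <alice@sender.example>
Message-ID: <constructed-0001@sender.example>

body
"""
TRUSTED = {"mx.recipient.example", "mail.recipient.example"}  # assumed: recipient-operated servers
HOP = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9A-Fa-f:.]+)\]\).*?\bby\s+(\S+)", re.S)

def received_chain(msg):
    """Return hops oldest-first as (helo_name, peer_ip, recording_host)."""
    hops = [HOP.search(h) for h in msg.get_all("Received", [])]
    return [m.groups() for m in reversed(hops) if m]

def origin_ips(msg, trusted=TRUSTED):
    """Report the sender-asserted origin and the peer IP our own servers recorded."""
    chain = received_chain(msg)
    observed = None
    for _helo, ip, by in reversed(chain):  # newest first
        if by not in trusted:
            break  # everything older was written outside our control
        observed = ip
    return {"claimed_origin": chain[0][1] if chain else None, "observed_at_border": observed}

def auth_results(msg, trusted=TRUSTED):
    """Read spf/dkim/dmarc verdicts only from headers stamped by trusted servers."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id = value.split(";", 1)[0].strip()
        if authserv_id in trusted:
            verdicts.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))
    return verdicts

if __name__ == "__main__":
    msg = message_from_string(SAMPLE)
    print(origin_ips(msg), auth_results(msg))
```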
How Android Acquirer Generates Mobile Forensic Reports
Sherlock Android Acquirer Forensic Edition generates a forensic PDF report automatically after each logical acquisition. The report documents the complete acquisition from device connection through data extraction.
What the Mobile Report Contains
- Device identification: Serial number, manufacturer, model name, Android version, build number and bootloader lock status. This data is read directly from the device hardware and cannot be fabricated after the fact.
- Acquisition metadata: Examiner name, acquisition timestamp, selected data categories (SMS, contacts, call logs, media, apps, Wi-Fi, browser history, calendar, accounts) and helper APK deployment status.
- File inventory with SHA-256 hashes: Every extracted file is listed with its file path, file size, extraction timestamp and individual SHA-256 hash. This inventory allows independent verification of every artifact in the acquisition.
- Bootloader status documentation: The report documents whether the device bootloader is locked or unlocked. An unlocked bootloader indicates the device may have been modified, which is critical context for evaluating the reliability of the extracted data.
- Chain of custody section: Documents the acquisition chain from device connection through data extraction with timestamps, session identifiers and examiner details.
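The independent check described under Artifact Inventory with Hash Verification, applied to a file inventory like the one listed above, as an added example (not Sherlock's code or export format): a second examiner recomputes each SHA-256 from the evidence copy and compares it with the report. The inventory row layout, the function names and the sample files are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    # Stream in chunks so large evidence files need not fit in memory.
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_inventory(root, inventory):
    """Rows are (relative_path, size_bytes, sha256_hex): an assumed layout."""
    root = os.path.realpath(root)
    results, listed = {}, set()
    for rel_path, size, expected in inventory:
        full = os.path.normpath(os.path.join(root, rel_path))
        listed.add(full)
        if not os.path.isfile(full):
            results[rel_path] = "MISSING"
        elif os.path.getsize(full) != size:
            results[rel_path] = "SIZE_MISMATCH"
        else:
            same = sha256_file(full) == expected.lower()
            results[rel_path] = "OK" if same else "HASH_MISMATCH"
    for dirpath, _dirs, files in os.walk(root):  # files the report never listed
        for full in (os.path.join(dirpath, name) for name in files):
            if full not in listed:
                results[os.path.relpath(full, root)] = "UNLISTED"
    return results

def demo():
    """Constructed data: one intact file, one altered, one missing, one extra."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
            return (rel, len(data), hashlib.sha256(data).hexdigest())
        inventory = [put("sms/messages.db", b"constructed sms rows"),
                     put("media/img_0001.jpg", b"constructed image"),
                     ("contacts/contacts.vcf", 10, "0" * 64)]
        put("media/img_0001.jpg", b"constructed imagE")  # same size, one byte changed
        put("extra/notes.txt", b"not in the report")
        return verify_inventory(root, inventory)

if __name__ == "__main__":
    print(demo())
```

The altered file keeps its original size, so only the hash comparison catches it; files present on disk but absent from the inventory are reported separately as UNLISTED.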
Sample Report Structure
The following table shows the standard structure of a Sherlock forensic report. Both PST Viewer and Android Acquirer follow this framework.
| Section | Contents | Purpose |
|---|---|---|
| Title page | Tool version, license holder, session ID, timestamp, source SHA-256 | Establishes report provenance |
| Statement of soundness | Confirmation of read-only access, methodology description | Establishes forensic integrity |
| Evidence summary | Plain-English overview of findings | Accessible to non-technical readers |
| Artifact inventory | Per-artifact listing with SHA-256 hashes | Enables independent verification |
| Detailed findings | Evidence cards with metadata and content | Presents the substantive evidence |
| Chain of custody | Handling history, examiner actions, timestamps | Proves proper evidence handling |
| Examiner credentials | Name, certifications, qualifications | Establishes expert authority |
Why Automated Reports Beat Manual Reports
Manual forensic reporting is the weakest link in most examination workflows. The examiner spends more time formatting documents than analyzing evidence. The risk of transcription errors is high. Consistency across cases is low. And every hour spent on report formatting is an hour not spent on analysis.
- Consistency: Automated reports follow the same structure every time. Every required element is included. No sections are accidentally omitted. This consistency makes reports easier for courts to evaluate and harder for opposing counsel to challenge.
- Speed: A report that takes an examiner four hours to compile manually is generated in seconds by Sherlock tools. This reduces case turnaround time and allows examiners to handle more cases without sacrificing quality.
- Accuracy: Hash values, timestamps, file paths and metadata are pulled directly from the examination data. No manual transcription means no transcription errors. Every value in the report is mathematically verifiable against the source evidence.
- Cost: Manual report generation at typical examiner billing rates ($200-400/hour) adds $800-1,600 to every case in documentation costs alone. Sherlock PST Viewer Forensic Edition costs $67 one-time. Sherlock Android Acquirer Forensic Edition costs $399 one-time. The tools pay for themselves on the first case.
Legal Standards for Forensic Reports
Forensic reports must satisfy the evidentiary requirements of the jurisdiction where they will be presented. The following frameworks define what courts expect.
- Federal Rules of Evidence (US) - Rule 702: Governs expert witness testimony and requires that the expert's methodology be reliable and relevant. A forensic report that documents its methodology, tools and verification steps satisfies the reliability requirement under Daubert v. Merrell Dow Pharmaceuticals.
- Federal Rules of Evidence (US) - Rule 901(b)(9): Requires authentication of evidence produced by a system or process. SHA-256 hashing and chain of custody documentation in the forensic report satisfy this requirement.
- Canada Evidence Act - Section 31.2: Addresses authentication of electronic documents. Forensic reports generated by Sherlock tools include the hash verification and methodology documentation needed for authentication under Canadian law.
- Sedona Canada Principles: Provides guidance on proportional preservation and production of electronic evidence. Sherlock reports document the scope of the examination and the criteria used to identify relevant artifacts, supporting proportionality arguments.
External Resources
For additional guidance on forensic reporting standards and best practices: