WEBVTT

00:01.040 --> 00:04.000
In this rerecorded video, we're going to talk about reports.

00:04.200 --> 00:07.160
Report writing and why it's important.

00:08.240 --> 00:15.840
So if you're doing an OSINT investigation for someone, an organization, someone hires you.

00:16.600 --> 00:23.920
It's important to get together a basic contract, something before you start your investigation.

00:24.200 --> 00:28.440
It's good to have something written out, outlined, and signed beforehand.

00:28.920 --> 00:31.080
It helps keep things clear for everyone.

00:32.000 --> 00:33.240
Things like names.

00:33.240 --> 00:34.600
Who's going to be involved?

00:35.160 --> 00:36.240
Who's, uh.

00:36.240 --> 00:36.600
Who are you?

00:36.600 --> 00:37.200
Investigator.

00:37.200 --> 00:38.200
What are you investigating?

00:38.200 --> 00:38.880
Dates.

00:38.880 --> 00:40.000
Scope of work.

00:40.040 --> 00:45.000
Where the deliverables, dates, milestones, expectations, etc.

00:45.320 --> 00:46.880
What's going to be out of scope?

00:47.320 --> 00:49.200
Who are your points of contact?

00:49.520 --> 00:57.160
Who's going to be working on what, emergency contacts within whatever hours they can be contacted, and

00:57.160 --> 00:58.280
date and sign it.

01:01.120 --> 01:09.520
Also giving a projected timeline is going to help too, uh, things like outlining.

01:09.520 --> 01:13.280
Well, we're going to have a scope meeting and duration is going to be about 30 minutes.

01:13.280 --> 01:18.280
We're going to start on this date and this date, uh, we're doing a social media search.

01:18.280 --> 01:20.000
Who's doing that social media search?

01:20.000 --> 01:21.000
How many days it took.

01:21.000 --> 01:21.800
When did they start?

01:21.800 --> 01:22.800
When did they end?

01:23.680 --> 01:25.520
Evidence analyzed and sorted.

01:25.600 --> 01:26.640
Well, that took a day.

01:26.680 --> 01:30.240
It started on this day, ended this day, so on and so forth.

01:30.280 --> 01:39.320
This helps account for who was working on what, when that happened and what the steps that you took.

01:39.360 --> 01:47.760
And it not only helps you keep things organized, but it also helps your client understand what the

01:47.760 --> 01:57.320
process was, how long it took, who was working on what, and also it helps them to understand how

01:57.320 --> 02:02.720
long did it take. And having a data collection

02:02.720 --> 02:06.520
note, uh, some people call this a matrix, is useful.

02:06.520 --> 02:08.040
Things like date, time.

02:08.360 --> 02:11.000
If it's applicable evidence type it.

02:11.000 --> 02:17.120
Was there a URL link? Where were the files that you grabbed and what are they?

02:17.480 --> 02:19.080
How reliable is that information?

02:19.080 --> 02:22.600
And then have a key: A, highly reliable, vetted information.

02:22.640 --> 02:27.480
B, highly reliable but still needs to be vetted.

02:27.480 --> 02:30.320
Not 100%, maybe 90, 95%.

02:30.720 --> 02:34.520
C, unsure about what the reliability is.

02:34.560 --> 02:36.560
D, very low reliability.

02:37.280 --> 02:40.960
Uh, F, pure junk, rumor, junk post kind of information.

02:41.240 --> 02:47.800
And the reason why you want to include that is because when you're going through evidence and someone

02:47.840 --> 02:50.360
says, hey, how come you didn't include this?

02:50.560 --> 02:53.680
You know, this person said this, this evidence was here.

02:53.840 --> 03:00.520
You could point to that and go, well, we did find that information, but we labeled it as junk

03:00.520 --> 03:02.280
or rumor because of this.

03:02.320 --> 03:07.280
When we investigated that and did a deep dive into the information, it turned out to be false.

03:07.280 --> 03:11.120
The, uh, the fact check failed.

03:11.120 --> 03:14.680
The person that presented it is not reliable.

03:14.680 --> 03:21.600
They have been known to lie, they've gotten information wrong, etc. You have that proof that

03:21.600 --> 03:26.400
you did find it, that you didn't ignore that, that it wasn't that you didn't find it.

03:28.840 --> 03:31.800
So, recommendations: consider making two reports.

03:31.800 --> 03:37.040
And this is typical not just for open source intelligence reports, but also technical reports like

03:37.080 --> 03:41.040
a pen test, a security audit report, things of that

03:41.040 --> 03:41.600
nature.

03:42.440 --> 03:48.880
You want a technical report. Now, a technical report is a highly detailed report designed for senior

03:49.240 --> 03:51.960
investigators, IT administrators, etc.

03:52.720 --> 03:54.280
Then the elevator pitch.

03:54.320 --> 03:56.880
This is a short report.

03:57.360 --> 03:59.960
It doesn't have to have a lot of technical jargon in there.

04:00.000 --> 04:00.960
Unnecessary information.

04:00.960 --> 04:02.680
You want to keep it short and to the point.

04:03.320 --> 04:08.160
Uh, you want to consider that your audience is not a very technical person.

04:08.160 --> 04:14.750
This could be upper management people that may run the company, but they don't know the kind of the

04:14.790 --> 04:15.750
ins and outs of that on the technical level.

04:15.790 --> 04:22.150
You don't want to make your report too dumbed down either.

04:22.270 --> 04:24.430
You still want to be professional looking.

04:24.430 --> 04:30.110
You still want it to be, uh, not insulting to whoever's reading it, but also you don't want to confuse

04:30.110 --> 04:30.230
them.

04:30.230 --> 04:36.030
You want to make sure that you can present this to a very non-technical person, and they will understand

04:36.030 --> 04:36.990
what you're saying.

04:40.150 --> 04:41.030
Status summary.

04:41.030 --> 04:46.070
So you want to kind of outline the status summary of what happened.

04:46.070 --> 04:48.030
So we did a social media scan.

04:48.390 --> 04:50.030
This is the social media that we scanned.

04:50.030 --> 04:51.150
This is what we were looking for.

04:51.190 --> 04:52.310
This is what we found.

04:52.630 --> 04:56.430
Then we went into let's start looking at data breaches and dark web.

04:56.430 --> 04:57.590
And this is what we found.

04:57.630 --> 04:59.030
This is what we were searching for.

04:59.630 --> 05:01.870
And we also checked for known associates.

05:01.990 --> 05:04.270
These are known associates that we are looking for.

05:04.310 --> 05:05.550
And this is what we found.

05:06.070 --> 05:10.230
And then you can put down additional work done, things like we did reverse image searches.

05:10.270 --> 05:12.430
We made sure to verify all the results.

05:12.430 --> 05:14.190
This was a revolt results.

05:14.630 --> 05:16.630
And then you want to generate your report.

05:18.590 --> 05:24.230
Now, certain areas you want to pay very close attention to: possible areas of concern.

05:24.270 --> 05:28.270
Questionable social media posts, please see attached screenshots.

05:29.150 --> 05:32.270
Uh, disturbing media posted under these accounts.

05:32.310 --> 05:34.110
Please see these attachments.

05:34.350 --> 05:40.110
Make sure that you understand the evidence is scored according to importance, and you want to outline

05:40.110 --> 05:41.390
what that scoring system is.

05:41.390 --> 05:44.790
It could be A through F, it could be uh, zero through ten.

05:44.830 --> 05:48.190
Whatever you want to rate it. It can be color coded.

05:48.670 --> 05:52.990
Just make sure that it's consistent and that you have a key for it.

05:52.990 --> 05:56.710
So if someone picks it up they can understand what they're reading.

05:59.830 --> 06:02.030
And you also want to give recommendations.

06:02.030 --> 06:06.110
So things like, uh, company violations and possible legal violations.

06:06.110 --> 06:07.870
Documents noted notes.

06:07.910 --> 06:13.350
Please see attachment outline various violations by the employee in addition to several possible

06:13.350 --> 06:14.470
legal violations.

06:14.470 --> 06:19.150
And this would be something like if you're doing an investigation on an employee.

06:19.870 --> 06:22.390
Uh, while it is ultimately the client's decision,

06:22.390 --> 06:26.430
we recommend consulting your HR team and your legal team with the findings.

06:26.430 --> 06:37.190
So maybe this employee, uh, did some activities under their company, uh, account, uh, as representing

06:37.190 --> 06:37.750
the company.

06:37.750 --> 06:40.390
And they did some things that were very questionable.

06:41.390 --> 06:46.670
Um, we recommend suspending any and all email login and other network access.

06:47.310 --> 06:51.910
So again, this could be something like an employee was selling information.

06:51.950 --> 06:57.190
We caught the person selling the information to rival companies, rival countries, whatnot.

06:57.230 --> 07:03.550
And that's when you would want to say things like, hey, uh, we have very good evidence that this

07:03.550 --> 07:08.510
person has been selling government secrets to a foreign actor.

07:08.510 --> 07:10.270
China, Russia, whatnot.

07:10.670 --> 07:19.390
Uh, we recommend that you suspend their, uh, email logins so they do not do further damage, things

07:19.390 --> 07:20.110
of that nature.

07:20.110 --> 07:22.310
So this was about report writing.

07:22.510 --> 07:23.350
Thank you so much.

07:23.350 --> 07:24.830
And I'll see you in the next video.
