0x06 · reporting discipline
A Dossier, Not a Deck: What Defensible Artefact Reporting Looks Like
A breach counsel partner once described the difference between a forensic report and a slide deck in one sentence: “I can take a dossier into a deposition. I can’t take a deck.”
That distinction is not aesthetic. It is structural. A defensible artefact report holds up under three different rooms — engineering, legal, and regulator — without rewriting. A deck holds up in none of them.
Here is the structure we ship under every engagement reference, unchanged across malware, firmware, exploitability, and incident work.
1. The cover is where the report becomes citeable
A Binautopsy report opens with:
- Engagement reference (e.g. BA-DOSS-2026/0017 · rev r2 · final)
- Artefact identifiers — SHA-256, file size, first/last observed timestamps, source-of-record
- Authorisation scope — exactly what we were permitted to do, and by whom
- Executive verdict — one paragraph, plain language, no hedging-by-acronym
If a journalist, regulator, or counsel reads only the cover, they should be able to cite the report correctly. That is the bar.
2. Method is where opinion is fenced off
Before any finding, the report states:
- The tools used and their versions
- The analysis environment, isolated and reproducible
- Time-on-target, in operator-hours
- What was not attempted, and why
The last item is the load-bearing one. A method section that admits its own boundary is harder to dismiss than one that pretends to omniscience.
3. Findings separate evidence, inference, and speculation
Each finding carries three labels, in order:
Observed evidence. (what was directly read from the artefact, with citation)
Technical inference. (what reasonably follows from the evidence, with reasoning)
Speculation. (what would be plausible, but is not yet supported)
Speculation is allowed. Naming it as speculation is mandatory. The report you can defend is the one in which a hostile reader cannot collapse the three categories into each other.
Each finding also carries an explicit confidence level — high, medium, low — defined in the appendix against the criteria used to assign it. “We are confident” is not a confidence level. “medium · methodology-bound by sandbox-only behaviour” is.
4. Every finding maps to a decision
A finding without a recommended action is metadata. The decision-support column for each finding contains exactly one of:
- Patch — apply a specific advisory or build
- Mitigate — apply a compensating control, named
- Isolate — remove from production path
- Escalate — bring in a specific stakeholder
- No action required — with the reason
If counsel asks “what does this finding mean we have to do,” the answer is in the row, not in the email thread.
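As an added example, not part of the original page and not a Binautopsy format: a linter that enforces sections 3 and 4 on a finding record before it reaches the dossier. The record layout, the citation syntax (a SHA-256 prefix, a byte offset, or a transcript line number) and the two sample findings are assumptions made for the example.

```python
"""Lint dossier finding records: three evidence tiers, a defined confidence
level, exactly one decision. Layout and citation syntax are assumptions for
this example, not a Binautopsy format."""
from __future__ import annotations

import re

CONFIDENCE_LEVELS = {"high", "medium", "low"}

# Each decision must name the specific thing it acts on.
DECISION_DETAIL = {
    "patch": "advisory",
    "mitigate": "control",
    "isolate": "component",
    "escalate": "stakeholder",
    "no action required": "reason",
}

# Assumed citation forms: SHA-256 prefix, byte offset, or transcript line.
CITATION_RE = re.compile(
    r"\[(sha256:[0-9a-f]{12,64}|offset:0x[0-9a-fA-F]+|transcript:\d+)\]"
)


def lint_finding(finding: dict) -> list[str]:
    """Return every structural defect; an empty list means the row is defensible."""
    errors: list[str] = []
    fid = finding.get("id", "<no id>")

    # 1. All three tiers must be present, even when speculation is empty.
    for tier in ("observed", "inference", "speculation"):
        if not isinstance(finding.get(tier), list):
            errors.append(f"{fid}: tier '{tier}' missing")

    # 2. Observed evidence must say where in the artefact it was read.
    observed = finding.get("observed") or []
    for i, item in enumerate(observed):
        if not CITATION_RE.fullmatch(item.get("cite", "")):
            errors.append(f"{fid}: observed[{i}] has no artefact citation")

    # 3. Inference must point at the evidence it follows from, with reasoning.
    for i, item in enumerate(finding.get("inference") or []):
        for ref in item.get("from", []):
            if not 0 <= ref < len(observed):
                errors.append(f"{fid}: inference[{i}] cites observed[{ref}], which does not exist")
        if not item.get("from"):
            errors.append(f"{fid}: inference[{i}] is not tied to any observed evidence")
        if not item.get("reasoning"):
            errors.append(f"{fid}: inference[{i}] gives no reasoning")

    # 4. Confidence is a defined level plus the bound that justifies it.
    conf = finding.get("confidence") or {}
    if conf.get("level") not in CONFIDENCE_LEVELS:
        errors.append(f"{fid}: confidence {conf.get('level')!r} is not a defined level")
    if not conf.get("bound"):
        errors.append(f"{fid}: confidence states no bound")

    # 5. Exactly one decision, carrying the detail that action requires.
    decision = finding.get("decision")
    if not isinstance(decision, dict):
        errors.append(f"{fid}: decision column must hold exactly one action")
    else:
        action = decision.get("action")
        if action not in DECISION_DETAIL:
            errors.append(f"{fid}: unknown decision action {action!r}")
        elif not decision.get(DECISION_DETAIL[action]):
            errors.append(f"{fid}: decision '{action}' must name its {DECISION_DETAIL[action]}")
    return errors


# Constructed sample findings (not from any real engagement).
GOOD = {
    "id": "F-01",
    "observed": [
        {"text": "Outbound TLS to 203.0.113.5:443 in the sandbox run", "cite": "[transcript:14]"},
        {"text": "String 'POST /beacon' present in .rdata", "cite": "[offset:0x1a3f0]"},
    ],
    "inference": [{
        "claim": "The sample has a network beaconing capability",
        "from": [0, 1],
        "reasoning": "an observed outbound connection plus an HTTP request string in static data",
    }],
    "speculation": ["The endpoint may rotate; one address was seen in a 40-minute window"],
    "confidence": {"level": "medium", "bound": "methodology-bound by sandbox-only behaviour"},
    "decision": {"action": "isolate", "component": "build host cb-03 until rebuilt"},
}

BAD = {
    "id": "F-02",
    "observed": [{"text": "Looks like a dropper", "cite": ""}],
    "inference": [{"claim": "It is a dropper", "from": [3], "reasoning": ""}],
    "confidence": {"level": "We are confident"},
    "decision": [{"action": "patch"}, {"action": "escalate"}],
}

if __name__ == "__main__":
    for f in (GOOD, BAD):
        print(f["id"], lint_finding(f) or "defensible")
```

The check that every inference names the observed items it rests on is the mechanical form of the rule above: a hostile reader cannot collapse inference into evidence when the report itself records which evidence each inference depends on.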
5. The appendix carries the artefact
Hash inventories. IOCs. YARA, Sigma, Suricata where applicable. Raw extracts. Command transcripts in the order they were run. The appendix is what lets another lab, another counsel, or a future audit reproduce the work without us.
A report whose appendix is a screenshot folder is not a dossier. It is a demonstration.
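As an added example, not part of the original page and not Binautopsy's own tooling: the identifier block from section 1 and the appendix hash inventory, produced from the artefacts and then re-verified the way a second lab or a later audit would do it. The manifest layout, the two constructed sample artefacts and the observation timestamps are assumptions made for the example.

```python
"""Build and re-verify the artefact identifier block that anchors a dossier.
Added example; the manifest layout is an assumption, not a Binautopsy format."""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so a multi-gigabyte image need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def describe_artefact(path: Path, first_observed: str, last_observed: str,
                      source_of_record: str) -> dict:
    """Identifiers for one artefact. Observation timestamps come from the
    source-of-record (EDR, mail gateway, ticket), never from the analysis
    copy's filesystem mtime, which says nothing about the incident."""
    return {
        "name": path.name,
        "sha256": sha256_file(path),
        "size": path.stat().st_size,
        "first_observed": first_observed,
        "last_observed": last_observed,
        "source_of_record": source_of_record,
    }


def build_manifest(engagement_ref: str, artefacts: list[dict]) -> dict:
    return {"engagement": engagement_ref,
            "artefacts": sorted(artefacts, key=lambda a: a["name"])}


def manifest_digest(manifest: dict) -> str:
    """Canonical JSON, so two labs hashing the same inventory get the same
    value; the cover cites this digest so the appendix cannot be swapped later."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def cover_block(manifest: dict) -> str:
    lines = [f"Engagement reference: {manifest['engagement']}",
             f"Artefact inventory digest: sha256:{manifest_digest(manifest)}"]
    for a in manifest["artefacts"]:
        lines.append(f"  {a['name']}  sha256:{a['sha256']}  {a['size']} bytes  "
                     f"observed {a['first_observed']} .. {a['last_observed']}  "
                     f"via {a['source_of_record']}")
    return "\n".join(lines)


def verify_manifest(manifest: dict, directory: Path) -> list[str]:
    """Re-derive every identifier from the files on disk. Each string returned
    is a chain-of-custody break to explain before the report is cited."""
    problems: list[str] = []
    for a in manifest["artefacts"]:
        p = directory / a["name"]
        if not p.is_file():
            problems.append(f"{a['name']}: missing")
            continue
        size = p.stat().st_size
        if size != a["size"]:
            problems.append(f"{a['name']}: size {size} != {a['size']}")
        digest = sha256_file(p)
        if digest != a["sha256"]:
            problems.append(f"{a['name']}: sha256 {digest[:16]} != {a['sha256'][:16]}")
    return problems


def demo() -> tuple[dict, list[str], list[str]]:
    """Constructed artefacts in a temp dir: verify clean, tamper, verify again."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "loader.bin").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)   # constructed stand-in
        (root / "config.dat").write_bytes(b"beacon=203.0.113.5:443\n")    # constructed stand-in
        src = "EDR quarantine export"
        manifest = build_manifest(
            "BA-DOSS-2026/0017 · rev r2 · final",
            [describe_artefact(root / "loader.bin", "2026-01-09T08:14Z", "2026-01-11T17:02Z", src),
             describe_artefact(root / "config.dat", "2026-01-09T08:14Z", "2026-01-09T08:14Z", src)],
        )
        clean = verify_manifest(manifest, root)
        # Same-length edit: the size check passes, the hash check must still catch it.
        (root / "config.dat").write_bytes(b"beacon=203.0.113.9:443\n")
        tampered = verify_manifest(manifest, root)
    return manifest, clean, tampered


if __name__ == "__main__":
    m, clean, tampered = demo()
    print(cover_block(m))
    print("clean:", clean or "ok")
    print("after tamper:", tampered)
```

The inventory digest is the piece most reports omit: hashing each artefact lets a reader check one file, but hashing the canonical inventory and citing that on the cover lets them check that the appendix they were handed is the appendix the verdict was written against.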
What this is not
It is not a faster way to deliver bad news. It is not a substitute for a competent analyst. It will not survive a finding that should not have been asserted in the first place. The structure is necessary, not sufficient.
What it does is remove the most common failure mode of forensic reporting: a finding that is correct in the analyst’s head, plausible in the engineering room, persuasive on a slide, and indefensible in front of a regulator who reads it cold three months later.
If your current artefact reporting cannot survive that last room, it is a deck. The fix is structural, and it is the same fix in every domain we work.
Engagements run from artefact in to dossier out. If you need a defensible report against a specific deadline, request scoping with the artefact identifiers in your reply.