Reporting

Evidence Collection

Proper evidence collection ensures findings are reproducible, defensible, and provide clear proof of vulnerabilities. Document everything as you go.

Warning

Collect evidence during testing, not after. Missing screenshots or logs can make findings unprovable and may require retesting.

Documentation Strategy

```mermaid
flowchart TD
    A[Start Testing] --> B[Enable Logging]
    B --> C[Document Each Step]
    C --> D[Screenshot Results]
    D --> E[Timestamp Everything]
    E --> F[Organize Files]
    C --> C1[Commands Used]
    C --> C2[Output Captured]
    C --> C3[Credentials Found]
    style A fill:#00ff00,stroke:#000,color:#000
    style F fill:#a855f7,stroke:#000,color:#000
```

Folder Structure

```text
# Recommended folder structure
pentest-clientname-YYYY-MM-DD/
├── 01-reconnaissance/
│   ├── nmap_scans/
│   ├── screenshots/
│   └── notes.md
├── 02-enumeration/
│   ├── ad_dump/
│   ├── bloodhound/
│   └── shares/
├── 03-exploitation/
│   ├── screenshots/
│   ├── credentials/
│   └── payloads/
├── 04-post-exploitation/
│   ├── dumps/
│   ├── persistence/
│   └── screenshots/
├── 05-evidence/
│   ├── findings/
│   └── proof/
├── logs/
│   ├── terminal_logs/
│   └── tool_logs/
└── report/
    ├── drafts/
    └── final/
```
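As an added example (not code from the original page), a POSIX shell function that creates this layout in one go and records the start time in the reconnaissance notes, so the "note start time" step of the checklist is never forgotten. The function name `init_engagement`, the `chmod 700` on the root, and the notes header are assumptions of this example.

```shell
#!/bin/sh
# Added example: create the recommended engagement folder layout and record
# the kickoff time. init_engagement is an assumed name, not from the page.
set -u

init_engagement() {
    # $1 = client name, $2 = date (YYYY-MM-DD, default today), $3 = parent dir
    client="$1"
    day="${2:-$(date +%F)}"
    parent="${3:-.}"
    root="${parent}/pentest-${client}-${day}"

    for d in \
        01-reconnaissance/nmap_scans 01-reconnaissance/screenshots \
        02-enumeration/ad_dump 02-enumeration/bloodhound 02-enumeration/shares \
        03-exploitation/screenshots 03-exploitation/credentials 03-exploitation/payloads \
        04-post-exploitation/dumps 04-post-exploitation/persistence 04-post-exploitation/screenshots \
        05-evidence/findings 05-evidence/proof \
        logs/terminal_logs logs/tool_logs \
        report/drafts report/final; do
        mkdir -p "${root}/${d}"
    done

    # Evidence will contain client secrets: keep the tree owner-only.
    chmod 700 "${root}"

    # Timestamp everything, starting with the engagement itself.
    printf '# %s engagement notes\n\nStart time: %s\n' \
        "${client}" "$(date '+%Y-%m-%d %H:%M:%S %Z')" \
        > "${root}/01-reconnaissance/notes.md"

    # Print the root so callers can cd into it or start logging there.
    printf '%s\n' "${root}"
}

# Usage: sh init_engagement.sh clientname [YYYY-MM-DD] [parent-dir]
if [ "$#" -ge 1 ]; then
    init_engagement "$@"
fi
```

Run it before the first scan, then start `script` or `Start-Transcript` inside `logs/terminal_logs/` so the session log lands in the tree from the beginning.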

Terminal Logging

Script Command (Linux)

```bash
# Start logging entire terminal session (timing data goes to stderr)
script -t 2>timing.txt session.log

# With timestamp in filename
script -t 2>timing_$(date +%Y%m%d_%H%M%S).txt session_$(date +%Y%m%d_%H%M%S).log

# Exit to stop logging
exit

# Replay session
scriptreplay timing.txt session.log

# Alternative: tmux logging
# In tmux, press Ctrl+b then : and type the following
# (capture-pane -S - grabs the whole scrollback, not just the visible pane):
capture-pane -S - ; save-buffer /tmp/tmux.log
```

PowerShell Logging

```powershell
# Start transcript
Start-Transcript -Path "C:\pentest\logs\session_$(Get-Date -Format 'yyyyMMdd_HHmmss').txt"

# Stop transcript
Stop-Transcript

# Auto-start in profile
# Add to $PROFILE:
$transcriptPath = "C:\pentest\logs\PS_$(Get-Date -Format 'yyyyMMdd_HHmmss').txt"
Start-Transcript -Path $transcriptPath -Append
```

Tool-Specific Logging

```bash
# Nmap - Save all formats (.nmap, .gnmap, .xml)
nmap -sV -sC -oA nmap_scan target

# Metasploit logging (run inside msfconsole)
spool /path/to/msf_session.log

# CrackMapExec - Auto-logs to ~/.cme/logs
crackmapexec smb targets.txt -u user -p pass

# Responder - Logs to /usr/share/responder/logs

# Impacket - Use tee (2>&1 keeps stderr in the log as well)
secretsdump.py domain/user@target 2>&1 | tee secretsdump.log

# Burp Suite - Project saves automatically
# Enable logging in Project Options > Misc > Logging
```

Screenshot Best Practices

Tip

Screenshots should be clear, timestamped, and include context. Annotate to highlight the important information.

What to Screenshot

| Finding Type | Required Screenshots |
|---|---|
| Credential Compromise | Tool output, successful login, whoami/hostname |
| Remote Code Execution | Exploit running, shell access, whoami output |
| Sensitive Data | File listing, content (redacted if needed), location |
| Misconfiguration | Configuration panel, vulnerable setting highlighted |
| Network Access | Connection proof, accessible resources, ipconfig/ifconfig |

Screenshot Tools

```bash
# Linux - Flameshot (recommended)
flameshot gui  # Interactive selection
flameshot full -p /path/to/save/  # Full screen

# Linux - scrot
scrot -s screenshot_$(date +%Y%m%d_%H%M%S).png  # Selection
scrot screenshot_$(date +%Y%m%d_%H%M%S).png     # Full screen

# Linux - import (ImageMagick)
import -window root screenshot.png

# Windows - Snipping Tool
snippingtool  # Or Win+Shift+S
```

```powershell
# Windows - PowerShell screenshot of the primary display
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing
[System.Windows.Forms.Screen]::PrimaryScreen | ForEach-Object {
    $bitmap = New-Object System.Drawing.Bitmap($_.Bounds.Width, $_.Bounds.Height)
    $graphics = [System.Drawing.Graphics]::FromImage($bitmap)
    $graphics.CopyFromScreen($_.Bounds.Location, [System.Drawing.Point]::Empty, $_.Bounds.Size)
    # .NET resolves relative paths against the process directory, not the
    # PowerShell location, so build an absolute path explicitly.
    $bitmap.Save((Join-Path (Get-Location) "screenshot_$(Get-Date -Format 'yyyyMMdd_HHmmss').png"))
    $graphics.Dispose()
    $bitmap.Dispose()
}
```

Credential Documentation

```text
# credentials.txt format
# Keep encrypted or in secure location!

=== CREDENTIALS LOG ===
Date: 2024-11-15 14:32:00
Engagement: ACME Corp Internal Pentest

--- Discovered Credentials ---

[1] Source: LLMNR Poisoning
    Timestamp: 2024-11-15 10:15:22
    Username: CORP\jsmith
    Type: NetNTLMv2 Hash
    Hash: jsmith::CORP:1122334455667788:ABC123...
    Cracked: Yes
    Password: Summer2024!
    Evidence: responder_log_20241115.txt, screenshot_01.png

[2] Source: Kerberoasting
    Timestamp: 2024-11-15 11:30:45
    Username: svc_backup
    Type: TGS Hash (RC4)
    Hash: $krb5tgs$23$*svc_backup$CORP.LOCAL...
    Cracked: Yes
    Password: Backup123!
    Evidence: getuserspns_output.txt, hashcat_cracked.txt

[3] Source: LSASS Dump (DC01)
    Timestamp: 2024-11-15 14:32:00
    Username: Administrator
    Type: NTLM Hash
    Hash: aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
    Cracked: No
    Evidence: mimikatz_dc01.txt, screenshot_12.png
```
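The plaintext log above must never be pasted into the report as-is. As an added example (not from the original page), two shell functions that work on exactly that format: one produces a report-safe copy with every `Hash:` and `Password:` value replaced, the other counts entries and how many were cracked for the executive summary. The function names, and the constructed sample log the test writes, are assumptions of this example.

```shell
#!/bin/sh
# Added example: report-safe handling of the credentials.txt format above.
# redact_credentials / credential_summary / write_sample_log are assumed names.
set -u

# Replace secret values but keep every other line, so the report still shows
# source, account, type and where the full evidence lives.
redact_credentials() {
    # $1 = credentials log; redacted copy goes to stdout
    sed -E 's/^([[:space:]]*(Hash|Password):[[:space:]]*).*/\1[REDACTED]/' "$1"
}

# Count "[n] Source:" entries and how many have "Cracked: Yes".
credential_summary() {
    # $1 = credentials log; prints "entries=N cracked=M"
    awk '
        /^\[[0-9]+\] Source:/               { total++ }
        /^[[:space:]]*Cracked:[[:space:]]*Yes/ { cracked++ }
        END { printf "entries=%d cracked=%d\n", total, cracked }
    ' "$1"
}

# Constructed sample in the page's format (not real engagement data),
# written to the path given so the functions can be tried offline.
write_sample_log() {
    cat > "$1" <<'EOF'
=== CREDENTIALS LOG ===
Date: 2024-11-15 14:32:00
Engagement: Example Corp Internal Pentest

--- Discovered Credentials ---

[1] Source: LLMNR Poisoning
    Timestamp: 2024-11-15 10:15:22
    Username: CORP\jsmith
    Type: NetNTLMv2 Hash
    Hash: jsmith::CORP:1122334455667788:ABC123...
    Cracked: Yes
    Password: Summer2024!
    Evidence: responder_log_20241115.txt, screenshot_01.png

[2] Source: LSASS Dump (DC01)
    Timestamp: 2024-11-15 14:32:00
    Username: Administrator
    Type: NTLM Hash
    Hash: aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
    Cracked: No
    Evidence: mimikatz_dc01.txt, screenshot_12.png
EOF
}

# Usage: sh redact.sh credentials.txt > report/drafts/credentials_redacted.txt
if [ "$#" -ge 1 ]; then
    credential_summary "$1" >&2
    redact_credentials "$1"
fi
```

Keep the unredacted original only in the encrypted evidence store; the redacted copy is what goes into `report/`.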

Finding Documentation

````markdown
# finding_template.md

## Finding: [Title]

### Metadata
- **ID:** VULN-001
- **Date Discovered:** 2024-11-15 14:32:00
- **Severity:** Critical/High/Medium/Low
- **CVSS:** 9.8 (Vector)
- **Status:** Confirmed/Exploited

### Affected Systems
- 10.0.0.10 (DC01.corp.local)
- 10.0.0.11 (DC02.corp.local)

### Description
[Clear description of the vulnerability]

### Steps to Reproduce
1. Step one with exact command
2. Step two
3. Step three

### Evidence
- Screenshot: evidence/finding001_screenshot1.png
- Log file: evidence/finding001_output.txt
- Video (if applicable): evidence/finding001_demo.mp4

### Commands Used
```bash
# Exact commands used
command --option value
```

### Impact
[Business impact description]

### Remediation
[How to fix]

### References
- CVE-XXXX-XXXXX
- https://relevant-link.com
````
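A finding whose referenced screenshot does not exist is exactly the "unprovable" case the warning at the top describes. As an added example (not from the original page), a shell function that reads the `### Evidence` bullets of a finding written in this template and reports every referenced `evidence/...` path that is missing from the engagement tree, so the check can run before the draft is handed over. The function name `check_finding_evidence` and the sample finding file are assumptions of this example; paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example: verify that every evidence file a finding references exists.
# check_finding_evidence is an assumed name, not from the page.
set -u

check_finding_evidence() {
    # $1 = finding markdown file, $2 = engagement root containing evidence/
    # Prints one OK/MISSING line per reference; returns non-zero if any are missing.
    finding="$1"
    root="${2:-.}"
    missing=0
    # Take only the "### Evidence" section (up to the next ### heading) and
    # pull out every evidence/... token from its bullets.
    for path in $(sed -n '/^### Evidence/,/^### /p' "$finding" \
                  | grep -oE 'evidence/[^[:space:]]+'); do
        if [ -f "${root}/${path}" ]; then
            printf 'OK       %s\n' "$path"
        else
            printf 'MISSING  %s\n' "$path"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Check every finding under 05-evidence/findings/ and fail if any is incomplete.
check_all_findings() {
    # $1 = engagement root
    rc=0
    for f in "$1"/05-evidence/findings/*.md; do
        [ -f "$f" ] || continue
        printf '== %s\n' "$f"
        check_finding_evidence "$f" "$1" || rc=1
    done
    return "$rc"
}

# Usage: sh check_evidence.sh /path/to/pentest-clientname-YYYY-MM-DD
if [ "$#" -ge 1 ]; then
    check_all_findings "$1"
fi
```

Run it at end of day alongside "Organize evidence"; a non-zero exit means a finding would ship without its proof.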

Video Recording

```bash
# Linux - OBS Studio (best quality)
obs  # Configure and record

# Linux - Simple screen recorder
simplescreenrecorder

# Linux - ffmpeg (command line)
ffmpeg -f x11grab -r 30 -s 1920x1080 -i :0.0 -c:v libx264 -preset ultrafast output.mp4

# Windows - OBS Studio
# Or built-in Game Bar: Win+G

# When to record video:
# - Complex multi-step attacks
# - Timing-sensitive exploits
# - Demo for executive presentation
# - Proof of full attack chain
```

Data Handling

Danger

Handle sensitive data according to engagement rules. Encrypt storage, secure transfer, and delete after retention period.

```bash
# Encrypt evidence folder
# Using 7-Zip with AES-256 (-mhe=on also encrypts the file names)
7z a -p -mhe=on evidence_encrypted.7z evidence/

# Using GPG
tar -czf evidence.tar.gz evidence/
gpg -c --cipher-algo AES256 evidence.tar.gz

# Secure file transfer
# SCP
scp -r evidence.tar.gz.gpg user@secure-server:/path/

# rsync with SSH
rsync -avz -e ssh evidence/ user@secure-server:/path/

# Secure deletion after engagement
# Linux
# Note: overwriting is not reliable on journaling or copy-on-write filesystems,
# SSDs, or volumes with snapshots; keep evidence on an encrypted volume and
# destroy the key when the retention period ends.
shred -vfz -n 5 sensitive_file.txt
srm -r evidence/  # Secure rm (secure-delete package)

# Windows (wipes free space on the volume after the files are deleted)
cipher /w:C:\pentest\evidence\
```
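Encrypting and transferring the archive protects confidentiality, but it does not by itself prove that what the client (or your own report reviewer) receives is what you collected. As an added example (not from the original page), two shell functions that write a SHA-256 manifest of the evidence tree before it is archived and verify the tree against that manifest after restore; the manifest should travel separately from the archive (or be signed, e.g. with `gpg --detach-sign`). The function names and the `sha256sum`/`shasum` fallback are assumptions of this example.

```shell
#!/bin/sh
# Added example: integrity manifest for the evidence tree.
# make_manifest / verify_manifest are assumed names, not from the page.
set -u

# coreutils ships sha256sum; BSD/macOS ship shasum instead. Same output format.
_sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then
        echo "sha256sum"
    else
        echo "shasum -a 256"
    fi
}

# Turn a manifest path into an absolute one so it still resolves after cd.
_abs_path() {
    printf '%s/%s\n' "$(cd "$(dirname "$1")" && pwd)" "$(basename "$1")"
}

make_manifest() {
    # $1 = evidence directory, $2 = manifest file to write
    # Paths are recorded relative to the evidence directory so the manifest
    # verifies wherever the archive is later extracted.
    dir="$1"
    out="$(_abs_path "$2")"
    ( cd "$dir" && find . -type f ! -name "$(basename "$out")" \
        -exec $(_sha256_tool) {} + | sort -k2 ) > "$out"
}

verify_manifest() {
    # $1 = evidence directory, $2 = manifest file; exit status is the verdict.
    # Mismatches and missing files are printed by the checksum tool itself.
    dir="$1"
    out="$(_abs_path "$2")"
    ( cd "$dir" && $(_sha256_tool) -c --quiet "$out" )
}

# Usage:
#   sh manifest.sh make   evidence/ evidence.sha256   # before tar + gpg
#   sh manifest.sh verify evidence/ evidence.sha256   # after extraction
if [ "$#" -eq 3 ]; then
    case "$1" in
        make)   make_manifest "$2" "$3" ;;
        verify) verify_manifest "$2" "$3" ;;
    esac
fi
```

Generate the manifest first, then `tar` and `gpg -c` as above; on the receiving side, decrypt, extract, and run the verify step before anything is read or signed off.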

Quick Checklist

Before Each Test

- [ ] Create folder structure
- [ ] Start terminal logging
- [ ] Set up screenshot tool
- [ ] Configure tool logging
- [ ] Note start time

For Each Finding

- [ ] Screenshot showing vulnerability
- [ ] Screenshot showing impact/access
- [ ] Command/request that triggered it
- [ ] Timestamp documented
- [ ] Affected system noted

End of Day

- [ ] Stop logging
- [ ] Organize evidence
- [ ] Backup to secure location
- [ ] Update findings notes