SANS Digital Forensics and Incident Response Blog

NCS vs DRN - Taking Notes

Intro to Notes

If computer forensics is to be taken as a science, a key requirement is that results be repeatable. A key part of repetition is the quality of your notes.

Notes are an important aspect of an investigation. No matter how good a memory you have, something is bound to slip through the cracks at some point. Add up the size of some investigations, the length of time that may pass before anyone acts on your report, and the size of many case loads, and a lack of notes can be a recipe for disaster. On the other hand, note-taking style is largely a matter of personal preference, with no industry-standard way of approaching it. I thought we might talk a bit about the different options and problems that come with note taking, and I hope some others will chime in with how they approach the problem.

Format

The first question that comes up with note taking is where you want to do it. Low tech has some advantages, and many opt for a simple pad of paper and a pen. In that case you don't have to worry about system crashes at all, and your alt-tab keys won't get worn out. Plus, sometimes it can be nice to just turn away from the computer for a bit and brainstorm without any electronic distractions. On the other hand, how good is your handwriting? Speaking for myself, I know I type a lot faster than I write by hand, and typed notes are easier to read.

When it comes to using the computer, there are simple options such as a basic text editor. That could be anything from Windows Notepad to Vi. A nice aspect of this is that you don't have to worry about special formatting, and you know you can always open the files regardless of where you are. The disadvantage is that the lack of enforced structure can make it hard to find anything in these notes. Those looking for more structure might like Casenotes, a popular free Windows-based application created specifically for taking notes in a forensic investigation. With features of interest to forensic investigators such as MD5 hashing and encryption, it is worth a look.

Leo

I personally like to use Leo. Leo is an XML editor written in Python that I was introduced to while taking the Offensive Security 101 course, and I have taken to using it for many tasks. I am a non-linear thinker, and the program's hierarchical format helps me separate topics while keeping everything easy to find. It is cross-platform and uses XML for its file format, so even without access to the program you can still parse the content of the notes easily.

Some advocate not taking written notes at all, but rather using a portable audio recorder. The advantage here is that less time goes into the actual note taking, so the flow of work is not broken. The disadvantage is that it is harder to look something up afterward, unless you get some decent speech-to-text technology working.

Content

What about the contents of the notes? Will the notes be discoverable? Could anything you put down come back and be used against the conclusions you reached in your report? The advice here is to keep conclusions and opinions out of the notes, and instead keep them as a running log of the facts you discover. Some examiners I have talked to have made it standard operating procedure to take notes, use the notes to create the report, and then destroy the notes. Sound a bit extreme? Just make sure you include everything in your report.

Care

What about care of the notes? How do you protect them? Many examiners I know who take paper notes keep them as part of the evidence control system. For electronic notes, keeping them alongside any image files is not a bad idea. What about MD5 hashes for each session? Ensuring that no changes have occurred between sessions is not a bad idea. Encryption is an option as well. And don't forget to back up!
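One way to put the per-session hashing idea into practice, as an added example that is not code from the original post: each time a session is closed, the digest of the notes file is appended to a ledger, and each ledger line is chained to the one before it, so both the notes and the ledger itself are tamper-evident. The post mentions MD5; this example assumes SHA-256 instead, since MD5 collisions are practical today. File names and session labels are constructed for the walk-through.

```python
import hashlib, json, os, tempfile

GENESIS = "0" * 64  # assumed "previous hash" value for the very first ledger line

def file_digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}  # canonical fields
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def close_session(notes_path, ledger_path, label):
    """Append one ledger line: digest of the notes file, chained to the line before it."""
    try:
        with open(ledger_path) as f:
            prev = json.loads(f.read().splitlines()[-1])["entry_hash"]
    except (FileNotFoundError, IndexError):
        prev = GENESIS
    entry = {"session": label, "notes_digest": file_digest(notes_path), "prev": prev}
    entry["entry_hash"] = entry_hash(entry)
    with open(ledger_path, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")

def verify_ledger(notes_path, ledger_path):
    """Return (ok, reason): chain intact, lines unaltered, notes match the last line."""
    prev, last = GENESIS, None
    with open(ledger_path) as f:
        for n, line in enumerate(f, 1):
            entry = json.loads(line)
            if entry["prev"] != prev or entry_hash(entry) != entry["entry_hash"]:
                return False, f"ledger line {n} altered or out of sequence"
            prev, last = entry["entry_hash"], entry
    if last is None:
        return False, "empty ledger"
    if file_digest(notes_path) != last["notes_digest"]:
        return False, "notes changed since the last recorded session"
    return True, "ok"

def demo():
    """Constructed walk-through: two closed sessions, then an edit outside any session."""
    with tempfile.TemporaryDirectory() as d:
        notes, ledger = os.path.join(d, "notes.txt"), os.path.join(d, "ledger.jsonl")
        for n, text in enumerate(["acquired image, verified hash", "keyword search"], 1):
            with open(notes, "a") as f:
                f.write(f"Session {n}: {text}\n")
            close_session(notes, ledger, f"session {n}")
        clean = verify_ledger(notes, ledger)
        with open(notes, "a") as f:
            f.write("edit made outside any session\n")
        return clean, verify_ledger(notes, ledger)
```

Keeping the ledger file with the evidence, or printing its last line into the session log, gives a reviewer a fixed point to check the notes against later.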

Show Me Your Notes!

With no standard way to approach notes, there is no wrong way to handle the situation. The important part is to be consistent, both to build good habits and so that there can be no claims of you mishandling an examination. That said, I would be interested in hearing how you take notes. What sort of content do you save? How do you save it? How do you care for the notes? Leave a comment and let us know!

Jim O'Gorman, GCFA Silver 1356, works for Continuum Worldwide, lives at Elwood.net, and blogs at Binary Intelligence. You can reach Jim at jameso@elwood.net.

2 Comments

Posted January 2, 2009 at 1:33 PM

harryparsonage

I have introduced the use of OneNote into our office for examination notes. It is really flexible and can create lots of tabbed pages or sections for different exhibits or different aspects to an investigation to help with organisation of your notes in a big case. It is great at handling screen shots so if you make some selections in a dialog box just take a screen shot of the dialog and you have a quick record of your parameters. It OCRs the screen shots so you can search text.
It is very popular with the team.

Posted January 2, 2009 at 3:14 PM

blackfistsecurity

My rule of thumb is that I take notes and keep supporting documentation to the extent that a reasonably experienced external investigator could completely reproduce my process. I tend to err on the side of being overly verbose.
I have no problem keeping my thoughts, opinions, hunches, etc. in my notes. If anything it helps to show that I am being thorough. And the fact is, if I was leaning toward theory A at one time, then it was a part of my investigation. I might get attacked on it later, but I should be able to defend my conclusions.