SANS Digital Forensics and Incident Response Blog

Digital Forensics Reporting: CaseNotes Walkthrough/Review

One important aspect of Digital Forensics is reporting. There are many reasons for this. One is to keep track of the work you have done during analysis. Another is that if a case you are working on ends up being reassigned to another examiner, they can look over your notes and know what you've done, how you've done it, when you've done it and what the results were up to the point of transfer. The most important reason, though, is your appearance in court to testify on a case. Now, as most of us know, many cases never make it to trial or end up getting settled out of court. That is no excuse to be lax in your reporting. Each case should be treated as if it will go the distance.

With that said, I, like most, have taken my notes by hand. I find that handwritten notes tend to become sloppy in the long run. While taking notes, if you run out of room and don't have another clean sheet of paper handy to continue, you may end up writing in the margins. Plus, I don't know about the rest of you, but my handwriting tends to get progressively worse as the day wears on. If you weren't sure, sloppy handwriting ends up looking very unprofessional. Not to mention, opposing counsel may try to challenge your notes' integrity by questioning when those notes were actually recorded. You may say, "Why not switch to typing your notes into a text document or even a Word .doc file?" Well, although it will look cleaner than writing your notes by hand, it can still fall victim to the same integrity challenge from the opposition.

This is where CaseNotes comes in. I first learned of CaseNotes when I attended the SANS Forensics 408 course a few months ago. I started looking into the program and the more I played around with it the more I came to like it.

CaseNotes by QCC Information Security (www.qccis.com) is available for download at http://www.qccis.com/forensic-tools. It is a program that allows an examiner to securely record their digital notes. It runs on the Windows platform only, from XP through Windows 7.

Some of its notable features are:

- It's free and no dongle is needed to run it

- It allows for a "write once, read many" data capture

- Date and Time stamps for each entry

- Configuration of case meta-data (case number, examiner name, agency address, etc.)

- An audit log of data entry

- It uses AES 512-bit encryption as an option to further secure data

- Oh, did I mention it's FREE???

For the purpose of this walkthrough/review, I used CaseNotes version 1.3.2010.6.

Now once you've downloaded and installed CaseNotes, you will see the following icon on your desktop:


When you open the program, you will see the following splash screen and welcome screen:



From here, I suggest you configure your preferences before using CaseNotes for the first time by going to Case > Preferences. When you do that the following screen will appear:


It is on this screen where you will be able to choose how many meta-data items to store, the number of Tab windows to display, the default storage location for your notes, whether to automatically backup your file after saving changes and what fonts you would like for your meta-data and notes. You can choose to have a maximum of 10 meta-data items and 4 Tabs displayed. In the above screenshot, you can see that I chose to only have 4 meta-data items and 3 Tabs displayed. I decided to leave the default storage location for my notes. Also, the Case Notes and Audit Log tabs are always constant from case to case and cannot be changed. In the example screenshot above, you can see that I added tabs for a To-Do List, Exhibit Items and Software versions. There are other possibilities that you can choose to go with that will fit your Department/Agency/Office's examination plan.

Now to create a new case go to File > New or click on the "Create a new case" icon on the toolbar and you will be presented with the following screen:


Now you can see that the Case Number and Case Type fields are blank for me to enter the values I wish for those fields, depending on my shop's naming conventions. For this walkthrough/review, I chose to enter "TEST" into both the Case Number and Case Type fields. I am also able to change the values for the Analyst Name and Analyst Agency fields if I need to, but since I am the one working this "case" there is no need to at this time. Once I've entered the appropriate data into those fields and clicked on "Create", I see all of the meta-data that I entered in the Case Notes tab, and in the Audit Log tab you will also see which tabs were updated during creation:



Now when you want to enter a new note entry, you can go to Case > Add a New Note or you can use the key combination Ctrl+N or click on the following icon in the toolbar:



It is in the screen shown in the above picture that you will enter the note you wish to add to this file. When finished, click on the "Commit" button. Note that once you choose the "Commit" button, your entry is final. It cannot be edited afterwards and will be in read-only mode in the Case Notes tab.

After the new note is added, you will see a new entry in the audit log along with an MD5 hash value. Each note entry gets its own hash, as well as a Date and Time stamp. RECOMMENDATION: If you make an incorrect entry or notice an error with a tool (or, in my example case, incorrect time settings), make a new note entry with the proper information and give a reason for the prior incorrect entry. Observe the hash value for the new entry:
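The write-once model described above, as an added example that is not CaseNotes' own code or file format: every committed note gets a UTC timestamp and an MD5 digest in an audit log, mistakes are handled by appending a correction entry that cites the earlier one, and verification recomputes the digests. The class, its method names, the audit-log layout and the sample notes are all constructed for this illustration.

```python
import hashlib
from datetime import datetime, timezone


class CaseNotesLog:
    """Illustrative write-once note log (an assumption, not CaseNotes' format).

    Mirrors the behaviour the walkthrough describes: each committed note
    receives a timestamp and an MD5 digest in an audit log, committed notes
    are never edited, and mistakes are handled by appending a correction.
    """

    def __init__(self, case_number, case_type, analyst, when=None):
        self.metadata = {"case_number": case_number,
                         "case_type": case_type,
                         "analyst": analyst}
        self.notes = []        # committed note texts, in commit order
        self.audit_log = []    # one dict per event
        self._log_event("case created", None, None, when)

    @staticmethod
    def _stamp(when):
        # Timestamps are recorded in UTC; a wrong system clock still yields
        # a wrong stamp, so clock problems get a correction entry, as above.
        return (when or datetime.now(timezone.utc)).isoformat()

    def _log_event(self, event, note_index, digest, when):
        self.audit_log.append({"time": self._stamp(when), "event": event,
                               "note_index": note_index, "md5": digest})

    def commit_note(self, text, when=None):
        """Commit a note; like the Commit button, the entry is then final."""
        digest = hashlib.md5(text.encode("utf-8")).hexdigest()
        self.notes.append(text)
        self._log_event("note added", len(self.notes) - 1, digest, when)
        return digest

    def correct(self, bad_index, reason, corrected_text, when=None):
        """Record a correction as a new note that cites the earlier entry."""
        text = (f"CORRECTION to note {bad_index} ({reason}). "
                f"Corrected entry: {corrected_text}")
        return self.commit_note(text, when)

    def find(self, term):
        """Case-insensitive search over committed notes (the Ctrl+F case)."""
        term = term.lower()
        return [i for i, note in enumerate(self.notes) if term in note.lower()]

    def verify(self):
        """Recompute every note's MD5 and compare it with the audit log.

        Returns the indexes of notes whose stored text no longer matches.
        A digest stored beside the text catches edits to that text; it does
        not prove the file was never re-created from scratch, which is why
        the signed printout and the audit-log timestamps matter as well.
        """
        mismatched = []
        for entry in self.audit_log:
            i = entry["note_index"]
            if i is None:
                continue          # metadata events carry no note digest
            if hashlib.md5(self.notes[i].encode("utf-8")).hexdigest() != entry["md5"]:
                mismatched.append(i)
        return mismatched


def demo():
    """Walk through the author's scenario with constructed sample notes."""
    log = CaseNotesLog("TEST", "TEST", "Joe Garcia")
    log.commit_note("Imaged exhibit 1 with FTK Imager; verified hash matches.")
    log.commit_note("Ran RegRipper against the SYSTEM hive at 09:15.")
    log.correct(1, "workstation clock was set to the wrong time zone",
                "RegRipper was run against the SYSTEM hive at 14:15 UTC.")
    clean = log.verify()                     # [] : nothing altered
    log.notes[1] = "Ran RegRipper against the SYSTEM hive at 14:15."  # in-place edit
    return {"regripper_hits": log.find("regripper"),
            "clean": clean,
            "after_edit": log.verify(),      # [1] : the edited note is caught
            "events": len(log.audit_log)}
```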




A good feature included in CaseNotes is the ability to search your notes. You may have been working a case for days and might need a little reminding as to what you have done so far. You can go to Case > Find, use the keyboard combination Ctrl+F or click the binoculars icon in the toolbar. A search dialog will appear and you can enter the term you are looking for. In my particular Test case, I wanted to check whether I had already run RegRipper:


Remember that I mentioned encryption earlier in this post. According to the CaseNotes Start Guide, QCCIS is using "AES 512bit algorithm which ships as part of the .NET framework" and "By using the version built in to .NET, I've used a standard, peer-reviewed and respected algorithm which is carefully implemented in accordance with Microsoft guidelines". Let's say that you didn't need to have your notes encrypted previously and now that has changed. You can add encryption by editing the Case Metadata: go to Case > Case Metadata, use the keyboard combination Ctrl+M or click on the icon that looks like a pen/pencil over a piece of paper. When you do, the Edit Case Metadata screen will pop up, and it is here that you can tick the checkbox next to the Encrypt Data option. Doing this makes the Password and Confirm boxes available to type in. Enter your password/phrase here:


Now once you close out of the current note and attempt to reopen it, you will get the following dialog box:


Enter the passphrase that you chose for this case note and click OK. If correct, your file will open. If not, the following dialog window will pop up:


When you are ready to print your case notes, go to File > Print and the following window will pop up:


As you can see, you have the option to print only certain tabs or all of them. When printed, each page has a spot for a signature with the date and time the document was printed and the number of pages that each tab included.

One other thing to point out about CaseNotes is that you can run multiple instances of the program if you are working on a bunch of cases at the same time. If you try to open the same case file twice, though, you will get the following warning:


CaseNotes is an excellent free program that is feature rich for note taking, without compromising integrity. One thing I would like to see is support for adding graphics and/or tables in a future version of the program. As with any form of note taking, it is up to you to create a good investigative plan to follow.

Joe Garcia is a Law Enforcement Officer with over 16 years of experience, the last 4 of which he has been assigned to conduct computer crime investigations and digital forensics. He holds the GIAC GSEC Gold, GCIH Silver and AccessData ACE certifications. You can follow Joe on Twitter at @jgarcia62. Joe is also the host of the Cyber Crime 101 podcast, which can be found at www.cybercrime101.com and @cybercrime101 on Twitter.

21 Comments

Posted August 19, 2010 at 4:27 PM | Permalink | Reply

John Douglas

Joe - thank you for the write up and I'm happy to hear that you're enjoying using the program. Your request regarding graphics has already been delivered! You can simply copy-paste in any screen capture, picture or other graphical element into your notes. I find this really helpful to capture dialog boxes thrown up by EnCase giving search results, etc.
You can also paste tables in, but until I add a ruler option to sort out the tabs, the formatting will be a bit screwy. :-(
I've got lots of additional features in the pipeline, so keep an eye on the website for updates.
Kind regards,
John.

Posted August 19, 2010 at 6:26 PM | Permalink | Reply

sha1 hash

Now that is a handy tool. Nice touch adding an MD5 signature for each note.

Posted August 19, 2010 at 6:35 PM | Permalink | Reply

Joe Garcia

John,
I've tried a variety of graphics and none of them work. I am using the latest version. For instance, I copied a .jpg that I wanted to paste into a note and all that I get is the words "JPG Image". I have even tried dragging a graphic in, to no avail. Maybe I'm doing something wrong. Is there a specific way to add a graphic? Maybe it's just PEBKAC on my part :-)?
Thanks,
Joe

Posted August 20, 2010 at 7:16 AM | Permalink | Reply

John Douglas

Joe,
Hmm, that's odd. The paste option (ctrl-v) will simply paste in whatever is in the paste buffer, and given that its RTF, should maintain formatting. If you Alt-PrtScrn a dialog box or other open window, does this show up okay?
CaseNotes doesn't support drag and drop, and right-click copying a file from Explorer and pasting it in would result in the outcome you describe. Essentially, any graphical element you can paste happily into WordPad will also be possible in CaseNotes.
I am still ironing out a couple of small formatting bugs when moving the RTF text from the new note window to the main CaseNotes window, where the typeface and colours will not always be accurate. I've almost got this sorted and should have an update for that fairly soon.
Kind regards,
John.

Posted August 20, 2010 at 8:27 AM | Permalink | Reply

David

adding graphics works fine for me

Posted August 20, 2010 at 4:47 PM | Permalink | Reply

Joe Garcia

John,
If I Alt+PrtScrn it does work, but it captures the whole window and not just the image. So if I opened the image MS Fax & Picture Viewer, the screenshot captures the icon toolbar & Menu Bar. Not optimal, but it gets the job done. Thanks for the heads up!
Again, a great program and Thank You for sharing it with the DF Community!!!
Joe

Posted August 21, 2010 at 5:34 AM | Permalink | Reply

Ken Pryor

Great write-up Joe! I've been using CaseNotes for awhile now and love the program. Thanks to John for it.
KP

Posted August 22, 2010 at 8:08 AM | Permalink | Reply

John Douglas

Joe,
No probs. Might I suggest a screen area capture program like Snagit? This allows you to select an area of the screen you wish to capture and nothing else. Very handy for those times you want two small bits of information from two separate windows without grabbing everything.
Also useful for snagging bits of the EnCase display. Capture to clipboard and you can paste straight into CaseNotes!
Kind regards,
John.

Posted August 25, 2010 at 4:34 PM | Permalink | Reply

Phil Rodokanakis

Maybe I'm missing something, but the fact that the notes cannot be edited makes the program rather cumbersome and limits its use. Also, the 64-bit version won't run on Windows 7 64-bit and there are some other little issues I noticed when I used it a while ago. Frankly, taking notes using a word-processor makes a lot more sense as it provides more flexibility.

Posted August 25, 2010 at 6:01 PM | Permalink | Reply

Joe Garcia

Phil,
The whole point of CaseNotes not being editable is for integrity purposes. Remember, as forensic examiners we want to remain as neutral as possible and report the findings as we see them. Don't we hash drives to show evidence integrity? Aren't reports part of evidence? Having a program like this helps to maintain that integrity.
I understand some will be frustrated about the lack of being able to fix mistakes in an unrestricted fashion. I would suggest an examiner getting their writing skills in order first before using this program on a regular basis. That way they won't have too many correction entries.
As far as issues go, contact John or leave a comment here. He has been following the comments. He seems like concerned developer who would listen to suggestions.
Cheers!
Joe

Posted August 25, 2010 at 8:03 PM | Permalink | Reply

John Douglas

Phil,
It's true that the 64 bit version suffers some rather odd behaviour. This was due to me developing it on a 32 bit platform! I've got a 64 bit machine now and am working through fixing the issues I'm aware of - especially regarding printing. I'm hoping to have a new release with a few major bug fixes available shortly. I've been a bit busy writing a parser for GigaTribe chat logs in support of casework we're currently engaged in, along with a Windows7 thumbcache viewer which should be released very soon.
If you have found bugs with CaseNotes (and the major ones all got quashed a long time ago) then do please let me know. All the analysts in my lab use it and soon shout if they have issues, so I'm quite happy there's nothing too serious going on. I wish I had more hours in a day to devote to this stuff, but work keeps getting in the way!
Joe, your answer regarding integrity is spot on and is exactly why I wrote CaseNotes in the first place. You might be pleased to know that I've located an open-source spell checker, so I'm looking to get that implemented as soon as I can. That should at least help reduce the number of silly typos that end up in peoples notes. Keep in mind too, that if you need to go back and change entries (not really a good idea) then you can always use one of the user tabs to record this data.
Kind regards,
John.

Posted September 1, 2010 at 12:54 AM | Permalink | Reply

Chris B

Me and my colleagues at university use CaseNotes for our forensics project work. It's a superb little program and it's great to be able to send copies of each other's observations via email if we're working a group investigation - Courier New is a hell of a lot more legible than most of our handwriting!
Much kudos to John for developing such a useful tool! Thank you!

Posted September 3, 2010 at 4:07 PM | Permalink | Reply

Frank Shells

I like the layout and function of CaseNotes, but the inability to edit notes makes it a tool I prefer not to use. No matter the person or experience level, errors in typing occur, even after first written in a word processor, checked, then pasted into CaseNotes. I don't believe, nor would ever like to see, that an examiner's notes be hashed valued to be considered evidence in trial. Written notes, even on a scrap piece of paper is just as valid for evidence as a hashed electronic note. Also, by having your notes (ie..your thought processes) available, even when you were wrong, may not be the best thing for presenting as evidence. Investigators constantly follow leads that are dead-ends, have chains of thought that don't bear fruit, and to have a litany of this trail just doesn't seem right when you can present the facts of the case. I use http://rasm.ods.org/keepnote/ currently for my notes, which can be edited, but also files can be attached to the case report. Its also cross platform (Win, Linux). Another like software is http://www.tolon.co.uk/software/notekeeper/. Both are free, and for my preference, better because they are editable. You can probably ask any law enforcement officer or agent in the world if they have the ability of editing their reports before submitting them, and you'll find that they nearly all do. There is nothing wrong with editing your mistakes. I find it odd to be forced to produce a common spelling error in a court presented document as a professional.

Posted September 3, 2010 at 10:14 PM | Permalink | Reply

Joe Garcia

Frank,
My response here is only to make some thought provoking counterpoints, NOT to flame. I am not the developer of this tool. This is a free tool provided to the community and who doesn't like free? I wrote the original article because there are not many like it with regards to reporting. With that said...
I don't know if you have ever had to testify at a trial or how many, but your notes are considered evidence and can be introduced in court. Also, keep in mind that cases can sometimes take years before they go to trial. You may know what that scribble is on your napkin is now because of your current mindset. What about two years from now? Five years from now? Remember, this isn't Law & Order where cases get wrapped up in an hour long show.
As far as running into dead ends and not bearing fruit, so what? Does that mean you as an examiner did something wrong or did you just not discover what it was you were looking for? For example if I am investigating the scene of a homicide where the victim was stabbed to death. I am searching the area where it occurred for the object that caused the wounds and don't find it. Did I do something wrong? No, but I still make note of my search in my reports.
As far as the notes being hashed, again I say so what? You hash evidence from drives, so what is the problem with hashing your notes?
Lastly, of course you can use MS Word, notepad, gedit, TextEdit or whatever your heart desires. There is absolutely nothing wrong with recording your notes in whatever fashion you wish. I never said anything to the contrary. BTW, I am in Law Enforcement. When reports are submitted nowadays, there is a very small window to actually edit a report prior to it being finalized. Once they are signed off on by superior officers, you have to make changes through follow-up reports to amend previous writings. I am sure other Departments are in same situation.
In the end, reporting is all about how comfortable you are with your methodology and making sure your notes are complete and truthful. That is what counts the most.
Joe

Posted September 6, 2010 at 2:00 PM | Permalink | Reply

Phil Rodokanakis

Jon
When I experimented with the 64-bit version of CaseNotes, I couldn't run it. I looked for an email address to report the issues I had run into, but couldn't find one. I finally sent a message to the general contact address that I found on your company's website, but I have no idea whether it ended in a black hole or not.
Anyway, I appreciate the feedback and the fact that you have released this tool as freeware. On the other hand, I remain skeptical about the inability to edit notes. Case notes are not original evidence and need not be treated as such. For example, investigators often take hand-written notes in the field which they then transcribe at a later time using a word processor; depending on the agency's policies, the handwritten notes may then be discarded. So I don't understand the logic in holding digital forensic Examiners to their original notes, no matter how poorly they were initially written.

Posted September 7, 2010 at 6:03 PM | Permalink | Reply

Frank Shells

Joe,
I like the organization of CaseNotes, a lot actually. So much so that I have tried to use it several times even though I do not like the lack of editing. But each time, I go back to something else, such as Word, Excel, or other note taking options.
For hand written notes, I transcribe them. If the hand written notes are ever entered as evidence, they have been already transcribed, so even if I can't read my handwriting, I can read my typed notes from the handwritten notes. I'm sure that I'm not the only person that has taken notes on my hand because of not having paper to write on. Those get transcribed too.
In government work, not just law enforcement, the small window of submitting finalized reports depends on how they are written and submitted. If you enter your report directly into the LE database and press 'enter', it goes to a supervisor to be approved or rejected for corrections (ask your supervisor about this, s/he should be able to tell you if your system does this). I know this to be true with local agencies and some federal agencies. However, instead of directly submitting case reports, many investigators and even patrol officers take notes on notepads, transcribe them to a Word document, proofread their notes, spellcheck it, and then copy it to the database system to enter it. With CaseNotes, as you type in CaseNotes and save the notes, it is finalized. Nothing can open it to edits. There is no window for corrections once submitted. No supervisor review, no manner of rejecting or correcting the notes. Yes, you can type your notes first into a text editor, then proofread it, spellcheck it, then copy and save into CaseNotes. But why make the double effort? Why not be able to do all of this with your first drafts where you can revise your notes?
I probably wasn't clear on the dead end leads statements. I only meant that some notes taken end up not being relevant to a case, therefore, why have every note included? Notes that are clearly evidence should always be included, but what about a note that was meant for another case but inadvertently typed into another, such as mentioning the suspect's name of a different case? I'd hate to have an incorrect and mistakenly typed permanent record of that in a report. That type of mistakenly typed note is not evidence to that case.
The date/time insertion for the notes is a feature I can't appreciate as much as others. Had I made all my notes in a text editor and subsequently pasted them into CaseNotes, it would appear that I did days or weeks worth of work on a single date/time stamp. It would obviously show I had another system of keeping notes and they were pasted into CaseNotes, or I had no notes and typed all the work up at once. The question would be, "where are the original notes".
Hashing your notes is a bad idea. It only brings another avenue of cross examination and evidence suppression hassles. If you hash your notes and your partner does not, does that mean your partner's notes are less valid or invalid? If CaseNotes crashes, or your notes file corrupts, then what? Do you rewrite your notes in Word and then hash your Word notes? Or do you rewrite your CaseNotes but you now have a different hash. For that matter, why not hash all your notes, your spreadsheet listings of files, your screenshots, your text editor notes (that you subsequently pasted into CaseNotes), and so forth. Even with hashing, CaseNotes text can be manipulated. Surely, if one wanted to manipulate their notes, changing the system date/time, creating a new notes file, and re-entering different notes is possible. A hash value won't show that the notes were altered if only one CaseNotes file is kept. Why not just keep hashing for the current use of digital evidence obtained from electronically stored media and the media itself?
If CaseNotes ever has an option to edit, I'll be going right back to try it again. It all is personal preference anyway.
Frank

Posted October 27, 2010 at 7:43 PM | Permalink | Reply

Kurt

Frank and Joe,
I'm an absolute beginner regarding forensic evidence and in no way claim expertise, but to your point Frank about editing, I go back to my high school chem and physics lab classes. I was taught that we use bound notebooks and NEVER erase our notes. Notes are our observations, and just because we tried a process in our experiment and did not get results did not mean we don't take notes. We learn from these outcomes as well. Spell check was for reports, not our notes.
Just something I remember from my good ol' public school education.

Posted September 26, 2012 at 11:25 AM | Permalink | Reply

Brid

I write this hoping that John Douglas is still following the post. I have used forensic case notes for a lot of my cases, but in some instances when I return to a case after a period of time and try to open the case notes, it looks for a password even though I know I have not used the encryption option for the case. To this end I find that, whilst I still use case notes, I often copy the notes to a Word document for fear that I will run into this encryption problem/password request again. This I feel sort of defeats the purpose of using them in the first place. I am working on a Windows 7 64 bit platform. I, like a previous contributor, used the email address on the side but received no reply or feedback on the issue.
I will continue to use the product and appreciate that it is free, but I do wonder is this some sort of bug in the program. A colleague of mine had a similar problem on two of her cases, so I know it is not unique to me.
Thanks
Brid

Posted May 11, 2013 at 8:22 PM | Permalink | Reply

Tom G

Maybe someone can help me. I tried this tool but for archiving purposes, I can't find the case files. If I open an existing case the Open-Dialog directs to the folder: C:\Program Files\QCC\CaseNotes
But if I use the file explorer this folder doesn't contain any case files.
Where are they?
Thanks,
Tom

Posted May 16, 2014 at 3:11 PM | Permalink | Reply

James

Hi. I'm a bit new to all this. I am struggling to get the same hash as generated by Case Notes to be generated by a separate MD5 hash generator with apparently the same text. The reason I want to do this is to safeguard against Case Notes disappearing off the internet and to enable someone who cannot install software on their system (due to corporate restrictions etc) to be able to verify the MD5 hash of a note. Does anyone know what the exact input to the hash function is, i.e. is it the individual note, the note plus the date stamp, all the notes, all the notes plus the log, etc.? I wouldn't have thought it's the whole file as the hash value itself is written to the file, which would result in the file not having the same hash value.
Thanks
James

Posted July 15, 2014 at 2:13 PM | Permalink | Reply

Tyson Beall

I'm attempting to use the case notes on windows 8.1 with compatibility mode. I was able to install it and it was working great until I minimized the window to continue to work. After the minimization I could not get the window to return. I've tried uninstalling the program and re-installing it but nothing seems to work. Any suggestions would be greatly appreciated.