Forensic Analysis Note Taking

7 Posts
6 Users
0 Reactions
930 Views
(@jakeaw03)
Trusted Member
Joined: 17 years ago
Posts: 65
Topic starter  

Hello,

I am making the transition from academia to real world and I need some advice from those who have been doing forensics day in and day out on proper note taking while conducting an investigation. I guess I am just looking for tips and pitfalls.

Does anyone have a standard form they use, at least for the basics (hardware info, hash values, etc.), and then move into the more free-flowing areas of who, what, when, where, etc.? I know it's all personal preference, but what are the thoughts on using spreadsheets versus Word or Notepad? Do you have a checklist of things you always do first, such as: 1. hash files, 2. index, 3. keyword search, 4. signature analysis, 5. prefetch, 6. registry analysis, 7. restore points, etc.? I know it all depends on the type of case you are working.

Thanks for any help and I understand that all or most of the answers will be different and personal preference.

Thanks again.


(@dksniper)
Eminent Member
Joined: 17 years ago
Posts: 25
 

I work UK LE. I have seen various digital and paper audit trails during my time in our unit, all of which have had good points. I would suggest that you create or use something that is specific to your organisation. Our audit trails are mainly paper driven as in a specific document for Audits at scene, at station, at our office through to a combination of paper and digital presentation of the end result.

In the UK we are driven by national and local prosecution policies, so we have to include them in our logs; you may likewise be influenced by your organisation's policies and procedures.
I would suggest a template whether digital or paper based on your own methodology but definitely incorporate everything you do chronologically from start to finish. I personally prefer digital presentation & have seen some good HTML reports\logs and some reasonable purpose built audit software. You can easily create a professional Log yourself with your company\Law Enforcement logo as a header but in UK LE we cannot get away from paper trails for continuity & mainly signatures for same.
Cheers Dave


(@jakeaw03)
Trusted Member
Joined: 17 years ago
Posts: 65
Topic starter  

Thanks dksniper.


neddy
(@neddy)
Estimable Member
Joined: 21 years ago
Posts: 182
 

Notes are a very personal record and vary greatly in form from one person to another. The main point to remember is that your notes should be a complete record of your actions and should enable anyone who repeats them to have the same results. Sometimes people use their statements as an addition to their notes and state actions performed that are not recorded in their notes. A checklist for commonly performed tasks is a good basis for ensuring a consistent approach to every examination, but it does not excuse one from thinking 'outside the box'.


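An added example (not from any poster in this thread, and not the Casenotes product) that ties together the topic starter's checklist item "hash files" and neddy's point that notes should let anyone repeating the actions reach the same result: a contemporaneous examination log where every entry records a timestamp, the examiner, the action and the SHA-256 of the previous entry, so an altered, removed or reordered entry is detected when the chain is recomputed. The case number, examiner name and evidence bytes are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def add_entry(log, examiner, action, details=None, when=None):
    """Append one timestamped entry that commits to the previous entry's hash."""
    entry = {
        "seq": len(log) + 1,
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
        "examiner": examiner,
        "action": action,
        "details": details or {},
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    # Canonical JSON (sorted keys) so the same entry always hashes the same way.
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry


def verify_log(log) -> bool:
    """Recompute the chain: False if an entry was altered, removed or reordered.
    (A log cut off at the tail still verifies; keep the last hash elsewhere too.)"""
    prev = GENESIS
    for i, entry in enumerate(log, start=1):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def demo():
    log = []
    image = b"constructed stand-in for an acquired disk image"  # constructed sample
    add_entry(log, "examiner1", "start examination", {"case": "EXAMPLE-001"})
    add_entry(log, "examiner1", "hash evidence", {"item": "item-01", "sha256": sha256_hex(image)})
    add_entry(log, "examiner1", "keyword search", {"terms": ["invoice"], "hits": 3})
    intact = verify_log(log)
    tampered = json.loads(json.dumps(log))  # deep copy, then quietly edit a past entry
    tampered[2]["details"]["hits"] = 0
    rehash_matches = log[1]["details"]["sha256"] == sha256_hex(image)
    return intact, verify_log(tampered), rehash_matches
```

Re-hashing the evidence item later and comparing against the logged value is the continuity check Dave mentions; the chain is what makes a quiet edit to an earlier note visible rather than silent.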
(@mobilephoneforensic)
Trusted Member
Joined: 19 years ago
Posts: 73
 

I tend to use Casenotes. This is a free software package. I think you should try it out.

Link

http://www.qccis.com/?section=casenotes


(@vulcan)
Active Member
Joined: 17 years ago
Posts: 6
 

Thanks for the tip on Casenotes... looks interesting.


binarybod
(@binarybod)
Reputable Member
Joined: 17 years ago
Posts: 272
 

CaseNotes is OK but it records in a very linear fashion which can be a disadvantage sometimes.

We tend to use CaseNotes where stuff needs to be recorded contemporaneously (like up to, and including, acquisition). Thereafter I personally use OneNote from Microsoft.
The reason is that once you have the image it won't change, so there is no imperative to record every single nuance of the analysis. In the UK all I have to do is be able to substantiate my conclusions in any subsequent case. For this I need notes but only the relevant ones.

In small cases it makes no difference, but in larger ones it can be a real problem finding how you came to a particular conclusion. I am dealing with a case now that has taken me many months. The suspect has 15 items connected in an internal network. He has used TrueCrypt and the Tor network to hide his activity and, to top it all, the evidence comes from previous operating system installations. Throughout this case I have been down many blind alleys and done a number of fruitless enquiries. Had I been using CaseNotes or another linear recorder, it would take me ages to back-track and find previous information. With OneNote I can create a new folder or sub-folder depending on the way my investigation is headed and the way my mind is working. I can cut, paste and take screen clippings at will, and all this information is in its own container.
Usually I am no great advocate for Microsoft products but credit where it is due, I find OneNote to be brilliant for recording investigations.

