The below posting is in hopes of helping others who may be looking to better organize their hardware's firmware and software update logs or start keeping track of such updates.
In the lab there are multiple pieces of hardware, the typical stuff, such as write blockers, imaging and wiping devices, etc. Each piece of hardware with updatable firmware needs to be kept up to date, but handwritten logs take up physical space, can be modified, and can be a pain to organize and keep track of. However, updating the firmware and providing a log of when the hardware was updated and validated is helpful when testifying to the verification of the tool. Rather than using pen and paper to keep track of these updates, we've turned to secure software.
With a goal of being organized and up to date, the lab has started using the free program Forensic CaseNotes, provided by QCC Information Security. CaseNotes is a lightweight program that runs on Microsoft operating systems with a purpose "to allow forensic analysts and examiners of any discipline to securely record their contemporaneous notes electronically".
- Secure "write-once, read-many" style of case note data capture
- Full audit trail of case note data entry and meta data edits in a self contained log
- Tamper evident storage of data using internal MD5 hashes for all data entered
- No use of heavy database technologies – all you need is the program and your case file
- Use of AES 512bit encryption (optional) to further secure data in sensitive cases
Using CaseNotes allows our updates to be secure and lets us be confident that our logs have not been altered, while allowing us to keep clean, easy-to-read logs that can even include pictures of these devices. Since incorporating CaseNotes into our procedures, we have been able to include more information in our logs (because we don't have to write information by hand and it allows us to add pictures to the log), and have regained space by not having to keep a paper trail for each piece of hardware.
Organizing and Using CaseNotes
Originally, before having any experience with CaseNotes, the thought process was to have one giant log that would keep track of everything, but CaseNotes does not operate like a spreadsheet; instead, it's similar to a Word document or sheet of paper. This caused a problem when trying to organize the different pieces of hardware and would be as difficult to organize as handwritten notes. As a result of this, it was decided that each individual piece of hardware would be given its own log; this helps prevent contamination from other devices getting mixed into the log. The reason behind this is that rather than having a massive list with all of the hardware, now there is a specific log that can be shown in a court of law: this piece of hardware was used on this case, and here is the log of the updates and verifications performed on this device.
We name our CaseNotes logs with the manufacturer's name, the model, and a simplified version of the serial number. For example, with a Tableau Forensic Duplicator TD1 with serial number 12345678 1234, the title would be Tableau TD1 12345678, and the log itself has more specifics pertaining to the device, such as the full form of the serial number, the in-house property number, etc. The abbreviated title helps us locate the log quickly, and the serial number is an easy way to uniquely identify the device, while not creating a title cluttered with unhelpful information.
The log includes steps taken to update the device, as well as pictures of the device. We don't only use CaseNotes for when we have updated the hardware, but we also include the validation information when and how we tested the device's functions to ensure that the tasks were performed correctly. The great part is upon saving the log, it is locked from editing and cannot be modified; the next time the log is edited, the updates will be posted below the previous entry.
How are you organizing your validation and update logs? Are you using CaseNotes or some other program? Is it free? Do you even bother keeping logs?
(The original post is from my website, the article can be found here http//
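The per-device, append-only log described in the post above, shown as an added example that is not part of the original post and not CaseNotes' own code or file format. It chains entries with SHA-256 rather than the MD5 named in the feature list; the function names, field names, dates, and sample entries are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry (constructed value)


def log_title(manufacturer, model, serial):
    """Title as in the post: manufacturer, model, simplified serial number."""
    return f"{manufacturer} {model} {serial.split()[0]}"


def entry_digest(prev_hash, body):
    # Canonical JSON so the same entry always hashes to the same value.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_entry(log, date, action, detail):
    """Add an entry below the previous one; earlier entries are never rewritten."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log) + 1, "date": date, "action": action, "detail": detail}
    log.append({**body, "prev": prev_hash, "hash": entry_digest(prev_hash, body)})
    return log[-1]["hash"]


def verify(log):
    """Return the position of the first entry that fails the chain check, or None."""
    prev_hash = GENESIS
    for position, entry in enumerate(log, start=1):
        body = {k: entry[k] for k in ("seq", "date", "action", "detail")}
        if (entry["seq"] != position or entry["prev"] != prev_hash
                or entry["hash"] != entry_digest(prev_hash, body)):
            return position
        prev_hash = entry["hash"]
    return None


# Constructed sample entries for the device named in the post.
title = log_title("Tableau", "TD1", "12345678 1234")
device_log = []
append_entry(device_log, "2024-01-10", "firmware update", "vendor release (placeholder)")
append_entry(device_log, "2024-01-10", "validation", "imaged baseline drive, hashes matched")
head = append_entry(device_log, "2024-02-12", "validation", "monthly re-test, hashes matched")

if __name__ == "__main__":
    print(title, "intact" if verify(device_log) is None else "ALTERED")
    print("record this head hash outside the log file:", head)
```

Editing an earlier entry breaks the chain at that entry or the one after it. Removing entries from the end is only detectable if the latest head hash is also recorded somewhere outside the log file.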
We just started doing something similar with CaseNotes. We maintain a log for drive wiping. Like you, we include the model, size, serial number, etc., and also pictures of the drive. When we use this drive for imaging, we can reference the wipe log to show the date the drive arrived, that it was wiped, etc.
We also use CN to log our imaging tests for our NoWrite FPU. Once a month we take our baseline HD and image it and hash it to show the FPU is imaging properly. We have pictures of our imaging station and setup, as well as components and software with keys/serials. This is updated whenever we make changes or update software.
CaseNotes is also good as an Evidence Safe log.