Contemporaneous Notes – NEVER Use MS Word or OneNote

Should MS Word or OneNote be used for creating Contemporaneous Notes?

  • Yes - I will have no issues in court (Votes: 1, 20.0%)
  • No - I won't be able to use my notes in court (Votes: 3, 60.0%)
  • Maybe - I'm not sure (Votes: 1, 20.0%)
  • Total voters: 5

twicesafe

#1


azuleonyx

#2

Lids

#3
I have worked for forensic investigators in the past who have told me to limit how contemporaneous my notes are, because if I am too honest it could be questioned in court -- for example, when imaging a machine it may have taken a few reboots prior to accessing the boot menu to boot from a Paladin imaging stick. For my own integrity, I have no problem writing down what happened and am happy to defend it - if I made a mistake, I'll own it but not everyone is willing to stick their neck out accordingly.

This article has been written as a sales pitch for the Forensic Notes software so naturally, it's designed to expose the flaws of other tools for note taking and has a bias towards showing why their tool is better equipped. I agree, an audit log of changes is important; personally the majority of my collections and investigations are hand-written notes / documentation with an electronic File Note every now and then for major investigation steps.

Lastly, not to advocate a specific tool, but on the audit log front I believe FTK has an audit log of what an investigator performed within its tool should details of an investigation ever need to be handed over in court.

Best,
-Sean
 

RobertM

#4
> I have worked for forensic investigators in the past who have told me to limit how contemporaneous my notes are, because if I am too honest it could be questioned in court
I too have heard this recommendation many times which goes against the training I was lucky to have. If you have nothing to hide and it happened, write it down!

Easy to explain and keeps you honest and able to answer more questions if needed which increases your credibility in court and with clients.

I think that some people forget that as ‘experts’ in court, we are impartial to either side and simply provide the facts of the case and the steps we took. The more in-depth we can go with our answers, the more it shows that we are being straightforward and honest. It is best to answer “I do not know” when that is the case because when you answer with a strong opinion that one side is trying to deny, it has a lot more weight in the eyes of the judge or jury.


> it's designed to expose the flaws of other tools for note taking and has a bias towards showing why their tool is better equipped.
I am sorry you see it this way. The last paragraph does talk about Forensic Notes, but the first 95% is just facts as I see them with the challenges and reasons why current ways of taking notes can and will have issues in court.

The Hamdan case (as discussed in the article) is a perfect example of how things can change almost instantly overnight due to a decision in court and the case law that results.

I don’t really talk about other ‘tools’, but I do discuss MS Word and OneNote in detail and the issues I see with both applications for Contemporaneous Notes.

Perhaps you can go into more detail on the issues/problems you found in the article so that I can specifically address those or potentially correct them if there is a real bias.


> with an electronic File Note every now and then for major investigation steps.
Can you go into further detail on why you use ‘electronic file note’ for your major investigative steps?

> I believe FTK has an audit log of what an investigator performed within its tool should details of an investigation ever need to be handed over in court.
I believe you are correct. X-Ways also has a log which an examiner can refer to. But is this an immutable record? In other words, if an examiner realized after the fact that they were clearly searching outside the bounds of the warrant and/or took steps they initially denied making in court, ‘could’ this log be easily modified?

Remember, I am not saying that the examiner would make that change, but ‘could’ they? If they could make a change, then it is easy for defense to suggest that a change was made and therefore cause confusion in the courts. And sometimes confusion is all that is needed in court to cause doubt or put less weight on a piece of evidence.

As mentioned Sean, great feedback, but if you can, please go into a bit more depth on the issues you saw with the article so that I can specifically address those.



Thanks,
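
The question raised in post #4, whether an audit log 'could' be modified after the fact, as an added example that is not part of the original thread and does not describe how FTK, X-Ways or Forensic Notes work: a hash-chained log exposes an in-place edit, but a full rewrite is only detectable when the final hash was lodged outside the examiner's control. The log entries, function names and the witnessed-head arrangement are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for the chain


def entry_hash(prev_hash, entry):
    """Hash one log entry together with the hash of the entry before it."""
    payload = json.dumps(entry, sort_keys=True).encode("utf-8")
    return hashlib.sha256(prev_hash.encode("ascii") + payload).hexdigest()


def build_chain(entries):
    """Return [(entry, hash), ...] where each hash covers all earlier entries."""
    chain, prev = [], GENESIS
    for entry in entries:
        prev = entry_hash(prev, entry)
        chain.append((entry, prev))
    return chain


def verify(chain, witnessed_head=None):
    """Recompute every link; optionally compare the final hash with a copy
    that was lodged with a third party when the log was closed."""
    prev = GENESIS
    for entry, stored in chain:
        prev = entry_hash(prev, entry)
        if prev != stored:
            return "broken link"
    if witnessed_head is not None and prev != witnessed_head:
        return "head mismatch"
    return "ok"


# Constructed sample entries, not output from FTK, X-Ways or any real tool.
LOG = [
    {"time": "2018-10-23T09:00:00Z", "action": "opened case"},
    {"time": "2018-10-23T09:05:00Z", "action": "keyword search: invoices"},
    {"time": "2018-10-23T09:20:00Z", "action": "exported report"},
]
ORIGINAL = build_chain(LOG)
WITNESSED_HEAD = ORIGINAL[-1][1]  # assumed to be held outside the examiner's control

# Case 1: one entry edited in place, stored hashes left alone.
EDITED = [(dict(e), h) for e, h in ORIGINAL]
EDITED[1][0]["action"] = "keyword search: contracts"

# Case 2: entry edited and the whole chain recomputed by whoever holds the file.
REBUILT = build_chain([e for e, _ in EDITED])
```

Case 2 passes the internal check and fails only against the witnessed head, which is why the thread's question turns on who holds the record rather than on whether a log exists.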
 

bshavers

#5
I'm in the middle of writing up a comparison of report writing apps, tools, and methods. I have my own opinions, and some opinions and methods have changed over the years. ForensicNotes, MS Office/Open Office, and some FOSS apps are included in the comparison review.
 
