Saturday, January 26, 2019

To be or not to be Examiner's Notes

This is in response to Rob Merriott's blog MS Word and OneNote should NEVER be used for Contemporaneous Notes.

I have no where near the experience that Rob has or anyone else he is quotes in the article. I am going to take this from an of young/in-experience investigators. This page consist of my own interpretation and opinion and not of my work or anyone else in the community.

Contemproaneous Notes? What?

As defined by Merrian-Webster's dictionary: contemproaneous means existing, occuring, or originating during the same time. In short, examiners create contemporaneous notes during an investigation. The second problem with the phrase "contemporaneous notes" is notes. Everyone has taken notes at some point in their life; however, note taking during an investigation is changes to something else.

Investigators need to take notes of any relative information or thoughts related to cross-referencing information or similar. I would keep the notes highly objective and fact related.

Note-taking Applications

As noted in Rob's article, most note-taking applications do not allow immutable, unchangeable, notes after written. MS Word, LibreOffice's Writer, MS One Note, Notepad, Evernote, and plenty of others provide a wide range of features such as online/offline support, spell-checking, Cloud saving, collaboration, and some permission and restriction tables.

I agree with the article that none of these are infallible either by accident or maliciously. Someone could break into your computer or online account to delete/change your documentation without your knowledge. Normal notebooks have similar problems if someone was to steal, modify, or remove pages which you did not know till days or months later.

In either case, protecting investigation notes should be on the top of the list. As stated in the article, an investigator not having the notes might only minor problems for case; however, longer termed credibility problems could happen.

Note protection

How does one protect their digital or physical notes? Investigators might want to place physical notes secure in a fire-proof box or off-site in a protected location (bank, archival company, etc). Digital notes should be similar. If using a word processor or local not taking application, encryption is mandatory with backups. Also, I would consider using some offline log book to record changes to the notes (listing note title, date, time, and reason of change) or some other record keeping method.

Also, I have not used Rob's Forensic Notes but I find using this or a similar tool would simplify the process. I find typing much easier then trying to write a ton of documentation out and then trying to decipher it like the lost language of Atlantis makes for poor notes for most people today. 

I do not think digital notes need to be fully immutable; I do think proper auditing and change management should be a the center of whatever digital application an investigator employs. This would provide both the initial script and allow addition details as the investigator continues the investigation.

No comments:

Post a Comment