Brett's opinion on DFIR notes and note-taking

I’ve read some really good material on the importance of taking notes over the years and a recent post written by @mattnotmax is no exception (Contemporaneous Notes: a forensicator's best friend).  There are plenty of really good DFIR related blog posts on note-taking (like here: https://www.forensicnotes.com/digital-forensics-documentation-contemporaneous-notes-required  and here: https://windowsir.blogspot.com/2018/08/notes-etc.html) . This is just my personal take on the matter.

Contemporaneous Notes: a forensicator's best friend #DFIR https://t.co/qdGRs4OzEI

— Matt (@mattnotmax) August 2, 2018

Here comes Brett's opinion...

People don’t take notes because:

*  lazy, or

*  fear, or

*  believing notes are unimportant, or

*  no one makes them

On Laziness

If you have the time, a pen, and paper, there is no excuse for laziness. If you simply don’t want to take notes because of too much hassle, that is your choice. You could work an entire murder investigation without taking a single note if you wanted….however, good luck with that.

On Fear

If you are afraid of being called out on your notes, it is much worse to be called out without notes. The opposing counsel is going to accuse you of not taking notes, taking too many notes, too much detail in notes, not enough details in notes, bad handwriting, transcriptions not being exact to your handwritten notes, and anything else to discredit you.  The worst situation is not having notes.  With notes, you’ll come out of the cross-examination fire less scathed.

On Importance

If you don’t believe notes are important, one day you will find out just how important they are. This could be due to personal embarrassment or a hit on your professional reputation when all you had to do was take a few notes a few months earlier on one of those few cases you were working. Regret sucks, let me tell you…

Because no one requires you 

Some organizations don't care if you take notes or not. Supervisors may not even have a clue as to the importance, or maybe nothing is ever called into question which creates the perception that it is not worth the effort.  In those cases, good luck. Hope it works out that you never needed to take notes. I'd prefer making note taking a habit, required or not.

Brett’s Tips on Note Taking

* If you are a messy writer to the point that you can barely read your own notes five minutes after scratching them down, transcribe them right away via writing neatly or typing them out. Or use technology to take notes, not a pen.

* Keep your notepads. Don’t tear out sheets. Keep all of them. Store them in a box when full..forever.

* Date/time stamp your notes. You’ll appreciate this later.

* Write as much as you need that you know will refresh your memory years later.

* Correct your notes when you realize you made a mistake. It’s better that you catch your mistakes before opposing counsel does, because opposing counsel won’t tell you about your mistakes until the jury is present….their goal is to embarrass you, discredit you, and catch you off guard.

* If time is tight, use a voice recorder as you work. Talk to the recorder as you do each step (“Aug 1, 1455, I removed the hard drive with serial number xxxxx from workstation xxx”).  Transcribe the recordings when you have time.

Taking notes

Try different methods and find one you like. Some like a pen and pad of paper. Others prefer a tablet, typing into an application that encrypts the notes, then hashes the notes, then stores it in the cloud, and you need a fingerprint scan coupled with a DNA sample to open (jk).  Simply pick what you like to do, and keep doing it.

As for me, I use a recorder if I am doing a lot of things at the same time with a short time to get it down. I transcribe the recording into notes/report and keep the recording just in case. On very important jobs, I will audio/video record it even though the physical tasks are simple. But everything I do gets written down.

Relying on memory instead of note taking

Don’t do it. Seriously. Don't do it.

A few of my experiences directly related to note taking/report writing

Felony trial: I was the only one who wrote a report in an arrest, and had notes backing up the report. When all involved got subpoenaed for trial, everyone used my report to refresh their memory in order for each of them to write a report….months after the fact.  win for me, fail for everyone else.

He-said interview: I interviewed an informant with my partner taking notes as we spoke. Informant later testified that he never said certain things. I didn’t have notes (only my report) since I was doing the talking, but my partner did. Win.

Damned if you do: On cross-examination, opposing counsel criticized that I took too much detail in my notes and implied that I must have made some of it up.  Felt like a fail, but ended up a win.

Damned if you don’t: On cross-examination, opposing counsel criticized that my notes didn’t reflect all the important things in the case, and that I was ‘filling in the blanks’ in court. Felt like a fail, took a lot longer to testify, lots of double-bind questioning, but ended up with a sweaty win the hard way.

Brother, can you spare a dime?: While at FLETC forensic training, I typed notes with every lesson.  Literally, I typed notes as the instructors spoke, sometimes transcribing verbatim what was being said, pasting screengrabs during demos, and basically writing a FLETC forensic course book as my notes….  At the end of PCERT, BCERT, and ACERT, I had a word document the size of a novel.  Can you guess what the guy sitting next to me said on the last week? “Hey, can I get a copy of your notes?” He took no notes for months (and didn’t get a copy of mine, seeing that I kept telling him to take his own notes the entire time)...fail.

Time to re-do everything:  I took on a case where the client fired their prior forensic examiner. I received all the prior work, which was simply a hard drive of exported files in folders. No notes. No reports. Nothing. I had to re-do everything as I had no idea what they did to find what they found, or the relevance to anything on the hard drive. Fail for the prior examiner.

Cringing when watching: I watched someone who qualified as “expert” minutes earlier get grilled when he didn’t know the version of a program that he used, nor if he had a license for it. His notes didn’t have anything, nor did his report. He didn’t even remember or write down which software he used for some findings. I felt really bad for the guy, but then again, he was on the other side….win (for me).

Validation of wiping a drive: I was hired to wipe a drive. There was data on the drive that was really really important, like potentially national security important, and the data was court-ordered to be destroyed beyond recovery. I didn't pick the wiping/destruction method or had any input on the method, but I did the work. We had 5 witnesses, a cameraman, a note-taker, two attorneys, and two forensic examiners, all cramped in a small conference room. The wiping process consisted of drilling holes through the hard drive, all the while being video-recorded, and then holding up the hard drive to the camera with pencils sticking through the hard drive. Then the drive was destroyed even more. That was the most intensive "note-taking" I've done.

There are many other little stories, but it all comes down to either you take good notes or you don’t. This is a personal decision based on what you prefer to do. However, when I am in charge of any engagement, everyone takes notes. Everyone. I mean everyone. Literally everyone. If you show up expecting to get paid, you write what you did.

I’ve been the case agent or project manager on too many occasions where people were ‘helping’ at the time, but when the fun and games are over, they go home without writing a thing because writing is apparently no fun and unimportant since it’s not their project or case. As for me, no one goes home until the paperwork is done. That means everyone writes and everyone writes before closing up shop. If you don't make it happen at the time, do not expect it to ever happen and it will be your fault, not the fault of your helpers.

Note-taking tip for DFIR hiring managers and applicants

Ask the interviewees if they have a pen and paper on them at the time of the interview. If someone does, you got yourself a note-taker.  Extra points if there are actual notes in the pad and it's not wrapped in plastic because they bought on the way to the interview for the interview, in hopes you ask for it...

What's the standard?

As far as I can tell, there is no standard. If you ask the cross-examining attorney, she will tell you that the standard is the opposite of what you did, regardless of what you did. One supervisor will have a different standard than other. Different organizations may have different standards. Some may base their standards on technology, as in, "I really like this note taking application, so everyone use it!" or "I hate typed notes, everyone write them on paper."  It all depends. Practically, I believe that as long as you write it down, you will remember what you did, and that which you did not write, hopefully will be refreshed when reading your great notes. 

As to having to compute a hash value for your notes, encrypt the file, store it in a container, and preserve all metadata for eternity, I don't think that is all necessary. I have never been accused as to whether I fabricated any notes or evidence. I write it down. I write what I did. I write the date and time on everything. If my integrity is challenged as to the validity of the evidence I recovered, then that is the sign that the opposing counsel has absolutely nothing else to work with, other than trying to sling mud that isn't going to stick. All because I took notes. That's a win.