One important aspect of Digital Forensics is reporting. There are many reasons for this. One is to keep track of work that you have done during analysis. Another is if you are working on a case and it ends up getting reassigned to another examiner, they can look over your notes and will know what you've done, how you've done it, when you've done it and what the results were up to that point of transfer. The most important reason though, is for your appearance in court to testify on a case. Now as most of us know, there are many cases that never make it to trial or end up getting settled out of court. That is no excuse to be lax in your reporting. Each case should be treated like it will go the distance.
With that said, I, like most, have taken my notes by hand. I find that handwritten notes tend to become sloppy in the long run. While taking notes, if you run out of room and don't have another clean sheet of paper handy to continue, you may end up writing in margins. Plus, I don't know about the rest of you, but my handwriting tends to get progressively worse as the day wears on. If you weren't sure, sloppy handwriting ends up looking very unprofessional. Not to mention, opposing counsel may try to challenge your notes' integrity by questioning when those notes were actually recorded. You may say, "why not switch to typing your notes into a text document or even a Word .doc file?". Well, although it will look cleaner than writing your notes by hand, it can still fall victim to the same integrity challenge by the opposition.
This is where CaseNotes comes in. I first learned of CaseNotes when I attended the SANS Forensics 408 course a few months ago. I started looking into the program and the more I played around with it the more I came to like it.
CaseNotes by QCC Information Security (www.qccis.com) is available for download at http://www.qccis.com/forensic-tools. It is a program that allows an examiner to securely record their digital notes. It runs on the Windows platform only, from XP through Windows 7.
Some of its notable features are:
- It's free and no dongle is needed to run it
- It allows for a "write once, read many" data capture
- Date and Time stamps for each entry
- Configuration of case meta-data (case number, examiner name, agency address, etc.)
- An audit log of data entry
- It offers AES encryption of the notes file as an option to further secure data (the vendor describes it as "AES 512bit"; note that AES is only defined for 128-, 192- and 256-bit keys, so check which key size the build you install actually uses)
- Oh, did I mention it's FREE???
For the purpose of this walkthrough/review, I used CaseNotes version 1.3.2010.6
Now once you've downloaded and installed CaseNotes, you will see the following icon on your desktop:
When you open the program, you will see the following splash screen and welcome screen:
From here, I suggest you configure your preferences before using CaseNotes for the first time by going to Case > Preferences. When you do that the following screen will appear:
It is on this screen where you will be able to choose how many meta-data items to store, the number of Tab windows to display, the default storage location for your notes, whether to automatically backup your file after saving changes and what fonts you would like for your meta-data and notes. You can choose to have a maximum of 10 meta-data items and 4 Tabs displayed. In the above screenshot, you can see that I chose to only have 4 meta-data items and 3 Tabs displayed. I decided to leave the default storage location for my notes. Also, the Case Notes and Audit Log tabs are always constant from case to case and cannot be changed. In the example screenshot above, you can see that I added tabs for a To-Do List, Exhibit Items and Software versions. There are other possibilities that you can choose to go with that will fit your Department/Agency/Office's examination plan.
Now to create a new case go to File > New or click on the "Create a new case" icon on the toolbar and you will be presented with the following screen:
Now you can see that the Case Number and Case Type fields are blank for me to enter the values I wish for those fields, depending on my shop's naming conventions. For this walkthrough/review, I chose to enter "TEST" into both the Case number & Case type fields. I am also able to change the values for the Analyst Name and Analyst Agency fields if I needed to, but since I am the one working this "case" there is no need to at this time. Once I've entered the appropriate data into those fields and clicked on "Create", I see all of the meta-data that I entered in the Case Notes tab, and in the Audit Log tab you will also see which tabs were updated during creation:
Now when you want to enter a new note entry, you can go to Case > Add a New Note or you can use the key combination Ctrl+N or click on the following icon in the toolbar:
The screen shown in the above picture is where you enter the note that you wish to add to this file. When finished, click on the "Commit" button. Note that once you choose the "Commit" button, your entry is final. It cannot be edited afterwards and will be in read-only mode in the Case Notes tab.
After the new note is added, you will see a new entry in the audit log along with an MD5 hash value. Each note entry gets its own hash, as well as a date and time stamp. One caveat: MD5 is no longer collision resistant, so the per-entry hash is best read as a change detector that the audit log can be checked against, not as proof on its own that an entry was never altered. RECOMMENDATION - If you make an incorrect entry or notice an error with a tool (or, in my example case, incorrect time settings), do not try to alter the original; make a new note entry with the proper information and give the reason for the prior incorrect entry. Observe the hash value for the new entry:
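As an added example (my own illustration, not code from CaseNotes or QCC), here is a minimal append-only note log in Python that reproduces the behaviour described above: each committed entry gets a timestamp and a hash, there is no way to edit a committed entry, and a correction is recorded as a new entry that cites the wrong one. It goes one step further than a per-entry hash by chaining each entry's hash to the hash of the entry before it (using SHA-256 rather than MD5), so that altering, removing or reordering any committed entry is caught by the verifier even if the tamperer recomputes that entry's own hash. The GENESIS sentinel, the case metadata, the entry text and the timestamps are all constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical sentinel used as the "previous hash" of the first entry.
GENESIS = "0" * 64


def entry_hash(prev_hash, timestamp, text):
    """Hash an entry together with the hash of the entry before it.

    Because the previous hash is part of the input, changing any committed
    entry breaks the hash of every entry that follows it, not only its own.
    """
    payload = json.dumps(
        {"prev": prev_hash, "ts": timestamp, "text": text}, sort_keys=True
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class CaseLog:
    """Append-only case notes: entries can be committed but never edited."""

    def __init__(self, case_number, analyst):
        self.meta = {"case_number": case_number, "analyst": analyst}
        self.entries = []

    def commit(self, text, now=None):
        """Commit a note and return its hash. There is no edit or delete."""
        ts = (now or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries) + 1,
            "ts": ts,
            "text": text,
            "prev": prev,
            "hash": entry_hash(prev, ts, text),
        }
        self.entries.append(entry)
        return entry["hash"]

    def correct(self, bad_seq, reason, corrected_text, now=None):
        """Record a correction as a new entry that cites the wrong one."""
        note = f"CORRECTION to entry {bad_seq} ({reason}): {corrected_text}"
        return self.commit(note, now)

    def search(self, term):
        """Case-insensitive search over committed notes, like Case > Find."""
        return [e for e in self.entries if term.lower() in e["text"].lower()]


def verify(entries):
    """Recompute every hash and check the chain.

    Returns (True, None) if intact, otherwise (False, seq) for the first
    entry whose hash or previous-hash link no longer matches.
    """
    prev = GENESIS
    for e in entries:
        if e["prev"] != prev or entry_hash(e["prev"], e["ts"], e["text"]) != e["hash"]:
            return False, e["seq"]
        prev = e["hash"]
    return True, None


def demo():
    """Build a small constructed log, then show that tampering is detected."""
    log = CaseLog("TEST", "Examiner 1")  # constructed sample metadata
    t = datetime(2010, 9, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    log.commit("Acquired image of exhibit 1; acquisition hash verified.", t)
    log.commit("Ran RegRipper against SYSTEM hive. Workstation clock was wrong.", t)
    log.correct(2, "workstation clock was one hour slow",
                "RegRipper run actually started at 10:00 UTC.", t)
    intact = verify(log.entries)

    # Someone edits committed entry 2 in place and even recomputes its hash;
    # entry 3 still carries the old hash as its "prev" link, so verify fails.
    tampered = [dict(e) for e in log.entries]
    tampered[1]["text"] = "Ran RegRipper against SYSTEM hive."
    tampered[1]["hash"] = entry_hash(
        tampered[1]["prev"], tampered[1]["ts"], tampered[1]["text"]
    )
    return intact, verify(tampered), len(log.search("regripper"))


if __name__ == "__main__":
    print(demo())  # ((True, None), (False, 3), 2)
```

The point of the chain is the second result: recomputing the hash of the edited entry is not enough, because the next entry's stored previous-hash link no longer matches, so the verifier reports entry 3 as the first broken link. A real tool would also need the log to be stored somewhere the examiner cannot silently rewrite (the audit log and write-once storage CaseNotes provides), since a hash stored next to the data only detects changes, it does not prevent them.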
A good feature that is included in CaseNotes is the ability to search your notes. You may have been working a case for days and might need a little reminding as to what you have done so far. You can go to Case > Find or use keyboard combination Ctrl+F or find the binoculars icon in the toolbar. A search dialog will appear and you can just enter the term you are looking for. In my particular Test case, I wanted to check to see if I had already run RegRipper:
Remember I mentioned encryption earlier in this post. According to the CaseNotes Start Guide, QCCIS is using "AES 512bit algorithm which ships as part of the .NET framework" and "By using the version built in to .NET, I've used a standard, peer-reviewed and respected algorithm which is carefully implemented in accordance with Microsoft guidelines". A caveat on that figure: AES as standardized (FIPS 197) is defined only for 128-, 192- and 256-bit keys, and the .NET AES classes accept the same sizes, so "512bit" is not a standard AES key length and should be read as the vendor's description rather than a verified parameter. Let's say that you didn't need to have your notes encrypted previously and now that has changed. You can add encryption by editing the Case Metadata by going to Case > Case Metadata, by using keyboard combination Ctrl+M, or by clicking on the icon that looks like a pen/pencil over a piece of paper. When you do, the Edit Case Metadata screen will pop up, and it is here where you can click the checkbox next to the Encrypt Data option. Doing this will make the Password and Confirm boxes available to type in. Enter your password/phrase here:
Now once you close out of the current note and attempt to reopen it, you will get the following dialog box:
Enter the passphrase that you chose for this case note and click OK. If correct, your file will open. If not, the following dialog window will pop up:
When you are ready to print your case notes, go to File > Print and the following window will pop up:
As you can see, you have the option to print only certain tabs or all of them. When printed, each page has a spot for a signature, along with the date & time the document was printed and the number of pages that each tab included.
One other thing to point out about CaseNotes, is you can run multiple instances of the program if you are working on a bunch of cases at the same time. If you try to open the same case file though, you will get the following warning:
CaseNotes is an excellent free program that is feature-rich for note taking, without compromising integrity. One thing I would like to see is support for adding graphics and/or tables in a future version of the program. As with any form of note taking, it is up to you to create a good investigative plan to follow.
Joe Garcia is a Law Enforcement Officer with over 16 years of experience, the last 4 of which he has been assigned to conduct computer crime investigations and digital forensics. He holds the GIAC GSEC Gold, GCIH Silver and AccessData ACE certifications. You can follow Joe on Twitter at @jgarcia62. Joe is also the host of the Cyber Crime 101 podcast, which can be found at www.cybercrime101.com and @cybercrime101 on Twitter.