This post can actually be pretty short: write contemporaneous notes. There. Done. Finished.
Need more detail?
Writing contemporaneous notes is the smartest, best, and most important thing you will do in your DFIR career. They will help you, save you, protect you, and aid you in every aspect of your work. DON'T make the mistake of thinking that contemporaneous notes will be some 'extra evidence' that will get you in trouble, or contradict your report findings. Instead, they will be your best friend.
What are contemporaneous notes?
I'm not a lawyer, so I'll just give you my take. Contemporaneous notes are documentary evidence of what you did, said, observed, or were told. These are produced by you during the course of your work. They should be written as close as practical to the event. It can be handwritten notes, a typed document, logs/screenshots from tools, emails, photographs/videos, or a <insert favourite note taking app here> file. In reality, they will probably be a mix of all of these.
Contemporaneous notes are used so that you can account for your actions during an incident or investigation. They also let others working in your team know what actions you took. This avoids errors, duplication of work, or (worse) missing steps that need to be undertaken. Lastly, contemporaneous notes will provide evidence and accountability of your actions in the weeks, months, or even years after the fact.
The 'rules' of contemporaneous notes
There are no hard and fast rules, and everyone will develop their style as they write more and more notes. Some people write only a little and prefer to rely on logs of tools, screenshots, or photographs. Others will document obsessively. You'll have to find what will work for you and your style, as well as your type of DFIR work. You must also take into account any regulatory framework you fall under.
So, let's start with the following:
- All entries, photos or logs should have a date and time. This date and time doesn't need to be synchronised to a Swiss atomic clock, but it should be accurate.
- If you are handwriting notes and you make a mistake, don't panic: cross out what you wrote with a single line, so it is still readable, write what you meant, then sign and date the crossed-out section.
- If you forgot to document an event (and you are handwriting notes or have printed them), at the bottom write 'out of order', put the date and time of the event and then add the relevant details. Sign this handwritten section if necessary.
What should I include?
You can't include everything, but you need to work out what is important to document. If you make an image of a hard drive, don't write out the MD5/SHA1 if it's in the tool log - just include the log in your notes. Think about the nebulous aspects of your work that aren't captured by tool logs or other automated output.
Some areas I believe are critical to document are:
- Date/time you became involved in an investigation/incident.
- Where you are located (on-site, over the phone, remote access etc.).
- When you receive information; who provided this information.
- When you provided advice or a status update; to whom; and what information was provided.
- Steps you took when dealing with an incident or handling evidence.
- Meetings held; who was present at those meetings; the general gist of the meeting; critical decisions made at that meeting.
- If you provided verbal options or recommendations to a client or management (e.g. the scale of a breach, what sensitive data was potentially exfiltrated, illicit data identified, possible containment or remediation steps); what were those options? Who did you provide them to?
- Did the client understand those options? What did they choose (or not choose) to do?
- When you received data/evidence/information and from whom.
- When you passed data/evidence/information to someone, or placed it somewhere.
- Success of a tool (e.g. hard disk successfully imaged).
- Failure of a tool (e.g. memory capture failure, script breaking, hard drive not readable).
- When you stopped working or made a shift change. Who did you transfer ownership to? What information did you provide them?
- ...probably more that people can add here
That's a lot. Anything else?
Yes, write down when you stuffed up.
Ha Ha Ha. Sure.
No really. Dropped a hard drive? Make a note. Forgot to hash a memory sample until you came back to the lab? Hash the file. Then make a note. Stuffed up a time zone in your calculations? Fix it. Make a note.
Notes protect you. People make mistakes. You will make mistakes. If you are having your work peer reviewed or challenged, then having those notes will back up your version of events. Sure, you forgot to hash the output of a tool. It happens. But you fixed it. It's better than hashing it, not documenting it, and then one or two years later wondering why the time stamp of the hash is three days after the memory capture. It's always much worse to explain errors without notes to back up your version of events. Notes give you credibility even if you made a mistake.
So...'contemporaneous', what does that mean?
In an ideal world, your notes will start when you start an investigation, but this is not always critical, or even practical. Obviously, the closer you write the notes to the actual event the better. HOWEVER, the golden rule is 'some notes written after the fact are better than no notes at all'. For example, you're out and you take a phone call. During this call, you triage a situation, provide advice, and make a decision on what actions you or your team might take. If you write these notes up the next day, it's OK. The fact that you write them up is the important part.
How should I take contemporaneous notes?
There are plenty of software programs. The truth is that the right one is whichever program works for you AND works with your team. If everyone uses OneNote, then use that. If people have a specialised application, then it makes sense to align your notes to that software. I've put some links at the bottom of this post, and if you have any favourites, let me know and I'll add them.
Do I print them...or hash them...or what?
Again, there is no rule other than: make it consistent. Best practice (in my opinion) would be to at least have a signed hard copy. This is simply because (should it come to it) lawyers and courts love signed hard copies. Yes, you could cryptographically sign a document or hash the file(s), and it's probably good to do a mix of verifications like this. Again, you should be guided by your team or regulatory framework.
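As an added illustration (my own code, not part of the original post or any product mentioned in it), here is a small Python append-only notes log that applies the rules above: every entry is dated, a correction never overwrites the original entry, out-of-order entries carry the time of the event, and a SHA-256 hash chain lets you verify later that nothing was altered. The class, method and field names are assumptions of this example.

```python
import hashlib
import json
from datetime import datetime, timezone


class NotesLog:
    """Append-only case notes: entries are timestamped, never edited in place,
    and each entry's hash covers the previous hash, so later tampering shows."""

    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON so the same entry always hashes the same way.
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def add(self, text, kind="entry", refers_to=None, event_time=None):
        entry = {
            "seq": len(self.entries),
            "recorded_at": datetime.now(timezone.utc).isoformat(),  # when written
            "event_time": event_time,  # when it happened, if different
            "kind": kind,
            "refers_to": refers_to,
            "text": text,
            "prev": self.entries[-1]["hash"] if self.entries else None,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["seq"]

    def correct(self, seq, text):
        # The digital single-line strike-through: the original stays readable,
        # and the correction is a new, dated entry that points back at it.
        return self.add(text, kind="correction", refers_to=seq)

    def out_of_order(self, event_time, text):
        # An event you forgot to record: note it now, with the time it happened.
        return self.add(text, kind="out-of-order", event_time=event_time)

    def verify(self):
        # Walk the chain: every entry must hash to its stored value and link
        # to the hash of the entry before it.
        prev = None
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Printing the entries (or a signed hard copy of them) alongside the final hash gives you the mix of verifications the paragraph above describes.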
If you have any tips, examples, corrections let me know at firstname.lastname@example.org or via Twitter at @mattnotmax.
Believe me, writing clear contemporaneous notes is the best career move you can make.
Resources & Links
Update 6 August 2018: I was contacted by the creators of 'Forensic Notes' and considering their product appears to be designed for the above purposes I have included them below. No personal benefit was derived from promoting any of the below applications. I have also noted paid/free options.