Monthly Archives
November 2019
You are an expert in your field, but being an expert court witness is no easy task. How confident and capable are you in expressing your knowledge in front of:
- a judge?
- a jury?
- and under cross-examination?
In this interview with Jonathan Hak (a world-class instructor on expert testimony), we discuss ways to better prepare as an expert witness.
Your reputation and career can be made or broken by your courtroom testimony. Yet very few experts have invested time in developing their testimony and documentation skills, both of which are essential on the stand.
I hope this in-depth interview will help better prepare you for when you next testify in court.

Mr. Jonathan W. Hak, Q.C.
Expert Witness & Investigator Testimony Instructor; Forensic Video Analysis Legal Instructor;
Barrister and Solicitor
https://www.jonathanhak.com
Read time: 20 minutes.
Introduction
By Rob Merriott
I recently had the pleasure to speak with and interview Jonathan W. Hak, Q.C. regarding expert testimony and his thoughts on notes and documentation.
Jonathan is a barrister and solicitor and law lecturer with over 30 years of experience as a Crown Prosecutor for the Alberta Crown Prosecution Service (ACPS) in Calgary, Alberta, Canada. He was appointed Queen’s Counsel in 2006.
Queen’s Counsel (Q.C.)
It is tradition in the province of Alberta to have the Lieutenant Governor in Council appoint lawyers who have made particular contributions to the legal profession or public life in the province as Queen’s Counsel. This is done under the authority of the Queen’s Counsel Act.
In his previous role as a Crown Prosecutor, he prosecuted major crimes including many homicides, and he continues to specialize in legal issues involving expert evidence, expert witnesses and digital evidence.
When Jonathan retired from the ACPS, the Calgary Sun wrote an article on the “loss of one of the province’s top prosecutors”.

He obtained his:
• Masters in Law from Cambridge University (UK)
• Bachelor of Laws from University of British Columbia (Canada)
• Bachelor of Science from California State University (USA)
• Diploma in Criminal Justice from Mount Royal University in Calgary (Canada).
Since concluding his service for the ACPS, Jonathan has transitioned into researching, writing, publishing, and teaching law on a full-time basis in Canada, the United States, the United Kingdom, Singapore and Hong Kong.
What is the equivalent status of a Canadian Crown Prosecutor in the United States?
A Crown Prosecutor in Canada is the USA equivalent of an Assistant United States Attorney (AUSA) or an Assistant District Attorney (ADA).
Mr. Hak is an expert in the legal field as it relates to expert testimony and presenting complex evidence like Digital Forensics, Cybercrime and Video Forensics in criminal and civil court.
It was certainly an honour to speak with Mr. Hak and gain some insight into his views on the topics of notes and documentation. Please enjoy my interview with him.
My Conversation with Jonathan Hak, Q.C.

Jonathan Hak Q.C.
Instructor on Expert Witness Testimony

Rob Merriott
Founder of Forensic Notes
Jonathan:
It is rather difficult to summarize a 30-year career as a Crown Prosecutor. I considered it an honour and a privilege to engage in the search for the truth, to see that justice is done for both victims of crime and defendants, and to shepherd victims of crime and their families throughout the court process.
Though I prosecuted many complex and high-profile cases, it was never about me. It was about the cases and the people that were part of them.
Rob:
After concluding your service as a Crown Prosecutor, where did your career take you?
Jonathan:
I have been teaching at the post-secondary level for over 30 years. I have also been teaching in the area of technology law as it relates to forensic video analysis for LEVA (Law Enforcement and Emergency Services Video Association International Inc.) for over 19 years. Additionally, I developed and have been teaching courses in Courtroom Testimony for Expert Witnesses and Courtroom Testimony for Investigators in Canada and the United States. After my ACPS service, I focused on this teaching as my full-time work.
What is LEVA?
LEVA is a non-profit organization that provides advanced training and certification in the science of forensic video analysis.
Expert Witness Training Courses
Rob:
Can you provide further details about the courses you offer through your private training?
Jonathan:
Yes, I developed and teach two courses geared for the expert witness and investigative audience. I provide this training in the US and Canada, to federal, state/province, local law enforcement, forensic labs and other clients. I expect to provide some training in the UK soon.
- Courtroom Testimony for Investigators
- Courtroom Testimony for Expert Witnesses
Courtroom Testimony for Investigators
The investigators course is designed for investigators at all levels of experience.
Topics covered during the course include:
- Writing investigator notes and reports
- Preparation for courtroom testimony
- Disclosure issues
- The role of the investigator in court
- Investigator objectivity – avoiding tunnel vision and bias
- Strategies for effective direct examination
- Essential communication skills needed when presenting evidence to juries and judges (many areas are covered under this topic)
- Visual, multi-modal presentation of evidence
- Use of notes and investigative material
- Strategies for successfully handling cross-examination
- Avoiding being controlled by defence counsel
- Dealing with mistakes on the witness stand
- How to handle aggressive cross-examination; various strategies are discussed
- The investigator as affiant; Garofoli applications
- Moot court practice
Of particular interest to Digital Forensic Examiners and Video Forensic Analysts is my course for Expert Witnesses.
What is an Expert Witness?
Expert Witness Definition:
An expert witness is a person with specialized knowledge in a particular field who applies that expertise in a legal setting in order to assist in the search for the truth. Becoming an expert witness in any field is a significant accomplishment. It means that through your education, training and experience you have gained knowledge in a particular field of endeavor that is superior to that of the trier of fact.
~ Jonathan W. Hak, Q.C.
Courtroom Testimony for Expert Witnesses
The Expert Witness course is designed for any person who may be called as an expert witness in criminal or civil matters. This includes Digital and Video Forensic Examiners and Analysts, though the course is intended for experts in all areas of expertise.
Testifying as an expert for the first time can be a terrifying experience for many when they feel ill-prepared for what may occur during their testimony. Unfortunately, their fears can be valid without proper preparation and training.
Communication is vital. If all of the work the expert has done is not presented in an effective manner, then the full evidential value of the expert’s work may be lost.
Want to save your job? Your reputation?
Read Brett Shavers’ article “No job is finished until the paper work is done” on the importance of proper documentation!
The goal of the course is to teach experts how to become effective expert witnesses and to communicate their vital evidence in an effective and compelling manner so as to maximize its value when presented in court to a judge or jury.
The 3-day course covers the following topics:
- Preparation for courtroom testimony
- Drafting expert reports
- Peer Review
- The role of the prosecutor, defence attorney, judge and jury
- Trial procedure
- Becoming qualified as an expert witness for the first time
- Expert witness bias
- Drafting curricula vitae
- The role of the expert witness
- Strategies for effective direct examination
- Essential communication skills needed when presenting evidence to juries and judges (many areas are covered under this topic)
- Visual, multi-modal presentation of evidence
- Strategies for successfully handling cross examination
- Changing opinions
- Daubert hearings
- The role of the expert
Rob:
Can you explain what happens during Moot Court?
Jonathan:
Prior to the Expert Witnesses course, I ask participants to send me examples of curricula vitae and expert reports they have completed. During the course, we will then conduct moot court sessions with the writer of the document acting as the expert. Other participants will be asked to take on the role of defence and prosecutor.
Although this can be uncomfortable for the participant, the knowledge they gain from this moot court session is invaluable. Not to mention, it is better to feel uncomfortable in a friendly and safe environment than in court during a major criminal proceeding.
What is Moot Court?
Moot Court Definition:
Moot court allows participants to take part in a simulated court proceeding.
Testifying as an Expert Witness in Court
Rob:
Do you have any advice for testifying as an expert?
Jonathan:
Far more than can be contained in this interview! A couple points to consider. You have to remember that when testifying, you are effectively having a conversation wherein your primary audience is the judge and jury. You want to talk naturally in a comfortable, informative and conversational manner.
The Judge and Jury are the audience, not the person asking the questions. The goal should be to find the truth.
When you are testifying as an expert, it is important to note that it is in general an open-book exam, meaning you can and should when needed refer to your notes and report for answers to questions asked during the trial.
Since you can seek permission to refer to your notes and report, it is preferable to refer to your notes to answer questions in a specific and detailed manner rather than to provide vague or non-specific answers.
For example, it is better to refer to your notes and state that a key piece of evidence (video, text message, etc.) occurred on January 12th, 2019 at 3:42 AM (PST) than to say it occurred around the beginning of the year at about 4am.
Rob:
What is the role of the expert witness in court?
Jonathan:
Expert witnesses have a duty to the court to provide fair, objective and non-partisan assistance.
Within your expert report, you might consider including something similar to:
“I understand that my duty as an expert witness is to assist the court by providing impartial, objective, unbiased and independent opinions uninfluenced by the party who has retained me or called me as a witness.”
Though not a legal requirement in most jurisdictions in Canada, or the United States, this statement of duty is central to the role of the expert witness. It should guide an expert through all facets of his/her work.
Rob:
How should you answer questions when you are unsure of the answer?
Jonathan:
Know your limits. If you are unsure of the answer, simply advise the Judge that you do not know the answer or, if appropriate, that the question is beyond your area of expertise.
Remember, you build up your reputation and credibility as an expert over time. However, you quickly ruin that reputation if you are caught speaking beyond your area of expertise. A damaged reputation can make any future testimony difficult.
Rob:
Do you have any testimonials or reviews from previous students who have taken your courses that you would like to share?
Jonathan:
The most common comment that I get from people who attend these courses is that they wished they had the courses earlier in their career. They are very popular courses that are well received.
Rob:
Where do you offer your Expert Witness training?
Jonathan:
My courses are offered in various locations in Canada and the United States. While many of them are closed registration courses, limited to members of the agency hosting the course, some are open registration. I list the open registration courses on my website. Agencies wishing to host a course can contact me at [email protected]
Documentation & Notetaking
Now that we know more about you, let’s get into questions specific to notetaking, documentation and how it relates to testifying in court as an expert.
Rob:
How valuable is proper notetaking during an investigation?
Jonathan:
Contrary to popular belief, although technically it is the defendant who is on trial, in reality it is the police investigation that is on trial.
This reflects the fact that the burden is on the Crown to prove its case beyond a reasonable doubt and the defence is entitled to, and should, take advantage of errors in the police investigation and the documentation of that investigation.
In my 30+ year career as a Crown Prosecutor with the Alberta Crown Prosecution Service, I conducted innumerable trials, most of which involved police witnesses and many of which involved forensic evidence. In that context, I have seen defence counsel cross examine police witnesses at length about their notes, sometimes to considerable effect.
Jonathan:
Poorly created, drafted and preserved notes can, and have, resulted in the following:
- A judge finding that the officer’s testimony lacked credibility because it did not properly reflect what was recorded in the officer’s notes. In such cases, reasonable doubt can be raised on such fundamental issues as dates, times, events, opinions formed, evidence collected, and statements made.
- Where there is a contest between the testimony of the defendant and the officer, poor notes can result in the judge preferring the evidence of the defendant where it varies with that of the officer.
- An outright dismissal of a case because the Crown’s own case had so many internal problems that the defendant need not even testify.
- An officer looking rather foolish. Poorly created notes reflect poorly on the officer.
- An officer committing perjury when trying to fill in gaps in notes.
- An officer seemingly guessing about what should have been, but was not, recorded.
The defence does not have to prove anything. All they have to do is raise a reasonable doubt. When that doubt comes from the officer’s notes, or lack thereof, then there is effectively no trial on the merits of the investigation. The officer’s notes alone create the doubt needed to gain an acquittal.
The information above is the same for private investigators who likely don’t have the same experience testifying in court. As a result, detailed notes and documentation will help to calm the nerves and allow you to present the evidence you need.
Rob:
Can you explain how to properly take notes?
Jonathan:
Some fundamental aspects of police and forensic notetaking follow. These are discussed in my Courtroom Testimony for Investigators course.
- The purpose of producing investigator notes is to record pertinent observations during the course of an investigation. Such observations may include:
- dates and times specific events occurred
- dates and times noted observations were made
- details of events and observations
- witness information
- information regarding exhibits
- scene related data
- ongoing progress of investigation
In order for notes to be used in court, they must have been properly made and retained.
- Relevant considerations include:
- rough notes can be made at the scene but should be retained as part of disclosure (we don’t want to get sidetracked on disclosure arguments)
- rough notes can be used to create more detailed notes provided the more detailed notes are made in a timely fashion
- notes should be written in chronological order
- this means that when additions are made to notes, add them at the end rather than modifying existing notes
- all modifications to notes should be noted, initialed and dated
- indicate the date and time notes are being made
- notes can be made in supplied notebooks or bound journals that have page numbers (or where you add page numbers)
- notes should not be made on loose sheets of paper (except for rough notes)
- notes can be made in electronic format but the same rules apply re additions or modifications
- only use electronic notes if you know how to use them properly
Lastly, notes should be made in English (or an appropriate official language). This may seem obvious but I had a case wherein an officer made notes in Greek. That would be perfectly acceptable if we were in Greece but as I recall, we were in Canada at the time.
Jonathan:
In my Courtroom Testimony for Investigators course, I explain that officers are entitled to an open-book exam when testifying. Therefore, the more complete and helpful the officer’s notes are, the more effective his/her testimony will be and the less fruitful cross examination may be.
If you know in advance that the test is open-book, why not properly prepare for it?
Electronic Notes
Rob:
When discussing Electronic Notes, what would be examples of poorly created or preserved notes?
Jonathan:
An example would be notes that have been edited or otherwise do not properly reflect true content.
Rob:
If an Investigator decides to edit an Electronic Note they made previously, how can this be accomplished properly to ensure no issues in court?
Jonathan:
The reader must be alerted to the fact that an edit has been made, the details of the edit, and when the edit was made. The witness stand is not the time to reveal this information.
Rob:
Have you ever experienced any issues with electronic notes?
Jonathan:
I once had a patrol officer use OneNote (not normal for patrol) to record his observations at the scene. His notes and observations were very important, including the times things happened. Imagine my surprise when in cross, he admitted that he just put in guesstimates for times, even though the time was listed down to the seconds, for example, 8:03:14. So the notes looked good but were not accurate because the officer fiddled with them.
It comes down to the credibility of the investigator or expert testifying. If they say that the notes were contemporaneously written and not changed after the fact, then there would be no issues if the witness was viewed as credible within the courtroom. However, if the opposing party can cause doubt, then issues could arise.
Rob:
With Forensic Notes, the investigator can edit notes, but the original note is saved as a previous version for disclosure purposes. To adhere to ISO 17025 requirements and other standards, we will also be requesting that the investigator provide a reason for any changes made. In addition, each note is Digitally Signed and Timestamped by an independent timestamping authority which clearly shows when a note was saved.
Do you feel these features safeguard investigators from having issues in court with electronic notes if their credibility is less than perfect?
Jonathan:
Yes. Objective proof is always advisable. It allows for the officer to have his/her final notes in the best form, without the need to explain edits as they are fully shown.
Rob:
If an investigator is not using specifically designed software, like Forensic Notes, what can they do to create electronic notes properly?
Jonathan:
The investigator would then use OneNote or any other program but then the credibility of the officer is very important as we need to believe the officer when he/she says the notes are accurate. With handwritten notes, we can see alterations. Not so with electronic notes that permit edits without an audit trail.
Rob:
What are your thoughts on people using Word, OneNote or Excel to record and capture notes?
Jonathan:
See my comment above. I have not had issues with OneNote (except for noted exception) but that is because the officers I have worked with have generally earned a reputation for being trustworthy. When using electronic notes, we should not put all of our eggs in the “credibility basket.” We should also be satisfied objectively that the notes are sound. Again, objective proof is important.
Rob:
What are your thoughts on investigators who say that you should not put too much into your notes as too many details give the opposing party more information to question you while on the stand?
Jonathan:
I have heard that myth for over 30 years. For expert reports too. The more detailed notes and expert reports are, the fewer questions there typically are since the document gives most of the answers. I would rather know as much as possible from the notes and expert report. It is not appropriate to reveal new and exciting stuff on the witness stand. Surprises often result in a trial being adjourned for disclosure issues or for the evidence of the witness to suffer greatly.
Rob:
What should you include in your notes?
Jonathan:
Drafting notes requires thoughtful consideration. The goal with notes is for them to properly reflect the work of the investigator, assist the investigator on the stand, and be of assistance to counsel.
Some investigators espouse a view that the less they include, the less they will be questioned on. That has not been my experience. I have found that comprehensive notes generally result in more focussed questioning rather than a shotgun approach. That benefits all in the process.
I have also seen notes that are overdone.
It is not necessary to put every warrant, photo, document, etc. in notes. Notes should not be a dumping ground for whatever the investigator comes across or does.
Use some judgment when determining what is needed to properly document your work. Just because you can put something in your notes doesn’t mean it has to be included.
600 pages of notes are not necessarily better than a carefully considered 200 pages.
Thoughtful consideration is required as to what should be included, with the caveat that being informative and helpful are the key.
Helpful Tip
Comparing court testimony to an open-book exam is a great analogy to consider when preparing your notes. Include everything in your notes you may need during your testimony but don’t include information outside of the scope of the investigation.
Including non-relevant data in your notes will make it more difficult to find an answer quickly. This is especially true when you are under pressure or feeling flustered on the stand.
Final Thoughts
Rob:
Any last comments?
Jonathan:
Depending on their integrity and quality, investigator notes can be either integral to successful testimony or a tool used to discredit both the witness and the investigation.
In my opinion, Forensic Notes has been designed to foster professional notetaking.
After all, the focus of the trial should be on the search for the truth, not whether the witness’s notes are up to snuff.
Using a tool such as Forensic Notes will help to ensure that we can focus on issues of importance and not get sidetracked on problematic notes.
Forensic Notes have been designed to help the user (and therefore the investigation) succeed.
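The note-handling rules from the interview above (add at the end rather than rewrite, record every modification with who, when and why, keep the original for disclosure) can be enforced by the note store itself. The following Python example is added here and is not Forensic Notes' implementation or code from the interview; the `NoteLog` class, its field names and the sample entries are assumptions constructed for illustration, and a local hash chain stands in for the independent timestamping authority mentioned above.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # stand-in "previous hash" for the first entry
FIELDS = ("seq", "time", "author", "kind", "amends", "reason", "text", "prev")


def entry_hash(entry):
    """SHA-256 over the entry's content fields, serialised deterministically."""
    body = {k: entry[k] for k in FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class NoteLog:
    """Append-only notebook (hypothetical): entries are added, never rewritten."""

    def __init__(self):
        self.entries = []

    def _append(self, author, kind, text, amends=None, reason=None, when=None):
        entry = {
            "seq": len(self.entries),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "author": author,
            "kind": kind,
            "amends": amends,
            "reason": reason,
            "text": text,
            # Each entry commits to the hash of the one before it.
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry["seq"]

    def add_note(self, author, text, when=None):
        return self._append(author, "note", text, when=when)

    def amend(self, author, seq, new_text, reason, when=None):
        """Record a correction as a NEW entry; the original stays untouched."""
        if not reason or not reason.strip():
            raise ValueError("an amendment must state the reason for the change")
        if not 0 <= seq < len(self.entries) or self.entries[seq]["kind"] != "note":
            raise ValueError("amendments must point at an existing original note")
        return self._append(author, "amendment", new_text, amends=seq,
                            reason=reason, when=when)

    def history(self, seq):
        """Original note followed by every amendment, in the order made."""
        return [self.entries[seq]] + [
            e for e in self.entries
            if e["kind"] == "amendment" and e["amends"] == seq
        ]

    def current_text(self, seq):
        """Text as it stands after the latest amendment."""
        return self.history(seq)[-1]["text"]

    def verify(self):
        """Return None if the chain is intact, else the first bad entry index."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != entry_hash(e):
                return i
            prev = e["hash"]
        return None


def build_sample_log():
    """Constructed sample data: two notes, then a correction to the first."""
    t0 = datetime(2019, 1, 12, 11, 42, tzinfo=timezone.utc)  # 03:42 PST
    log = NoteLog()
    first = log.add_note("Examiner A",
                         "Located text message on exhibit phone, sent 03:24 PST.",
                         when=t0)
    log.add_note("Examiner A", "Photographed screen, 14 images.",
                 when=t0 + timedelta(minutes=6))
    log.amend("Examiner A", first,
              "Located text message on exhibit phone, sent 03:42 PST.",
              reason="Transposed digits; corrected against exhibit screenshot.",
              when=t0 + timedelta(hours=2))
    return log, first


if __name__ == "__main__":
    log, first = build_sample_log()
    print("chain intact:", log.verify() is None)
    for e in log.history(first):
        print(e["time"], e["kind"], "|", e["reason"], "|", e["text"])
    log.entries[first]["text"] = "silently rewritten"  # simulate an in-place edit
    print("first bad entry after in-place edit:", log.verify())
```

A chain held only by the note-taker can be rebuilt wholesale, so the latest hash still has to be lodged with an independent party to prove when it existed.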
Contemporaneous Notes are unavoidable, thus inescapable, when it comes to examining evidence and are akin to the standard of Ethics.
Greg Smith
Recently I had the amazing opportunity to ask Employment Lawyer and Mediator Stuart Rudner some questions regarding contemporaneous notes.
As you will read, it is not just law enforcement that needs to be diligent in taking contemporaneous notes, but any type of investigator, including those investigating the workplace.
The principles behind notetaking really do cross all disciplines, and I am excited to share Stuart’s responses to some big questions around this important (and often overlooked) task.
Stuart answers why notes need to be contemporaneous and why integrity of the notes is vital.
If after reading Stuart’s responses you have any questions or comments, please let me know at [email protected]
Robert Merriott
Founder – Forensic Notes

What are Contemporaneous Notes?
Contemporaneous Notes are notes made at the time or shortly after an event occurs. They represent the best recollection of what you witnessed.
Legal Definition of Contemporaneous as defined by Lawin.org
Events which occur at the same time or very proximate to each other are said to be contemporaneous.
Contemporaneously: meaning as defined by Dictionary.com
Living or occurring during the same period of time — contemporary.
“As an Employment Lawyer, I know that documentation is critical.
…cases will be decided based upon the evidence, and not necessarily the truth.”
~ Stuart Rudner
Summary of Stuart's Responses
As you can read within the following responses, Stuart’s professional and legal opinion is that contemporaneous notes should not be changed except for potentially small corrections.

As stated below, the original contemporaneous note should always be kept and provided as requested.
Failure to provide the original contemporaneous note could result in impeachment after an exhaustive cross-examination shows that you may have changed the original notes in order to change the outcome of your investigation.
If you fail to provide the original notes, you have made it easier for the opposing lawyer to raise doubt within the courts about your testimony.

Forensic Notes was intentionally designed to help mitigate any attempts to discredit your notes, by allowing you to:
- Create Electronic Contemporaneous Notes
- PROVE the Date & Time of EVERY Note
- Make Changes or corrections to Contemporaneous Notes while still maintaining the original
- Package Everything in a single ZIP Archive for Easy Review & Disclosure
If I’d known about these Forensic Notes two years ago my life might be very different right now. This is exactly what I needed and tried to create for myself through emails, but emails can be intercepted and are property of the employer.
I have signed up for the free trial to give it a test run.
~ Maureen D., Customer
My Full Conversation with Stuart Rudner

Stuart Rudner
Employment Lawyer & Mediator

Rob Merriott
Founder of Forensic Notes
Rudner Law
Listed in “Best Lawyers in Canada”
Top Legal Social Media Influencer
Author on Employment Law
Stuart Rudner and his firm, Rudner Law, specialize in Canadian Employment Law.
Stuart has been listed in Best Lawyers in Canada (Employment Law) and named a Top Legal Social Media Influencer (follow him on Twitter @CanadianHRLaw).
His firm was named one of the Top 3 Employment Law Firms in the country.
Stuart is the author of a leading text on Summary Dismissal as well as chapters in four other books.
He can be reached at [email protected] or 416.864.8500.
For more information about the firm, see RudnerLaw.ca
Rob:
How valuable are contemporaneous notes as evidence within courtrooms?
Stuart:
In my practice, I spend a lot of time guiding or assessing investigations. It is important to always bear in mind that when conducting an investigation, the investigator should consider how their work would be viewed if it had to be assessed by a Court or Tribunal. This applies to investigations of misconduct generally, harassment, or anything else. Ultimately, if a decision is challenged, a Court or Tribunal is not only considering the conclusion, but the process. In recent years, it has been confirmed repeatedly that employers have a duty of fairness in the course of an investigation.
When an investigation is contemplated, employers must remember that the purpose is to determine what happened. It is an investigation, and not a prosecution. All of the evidence will be assessed; this includes documentary evidence, and evidence given by witnesses. With respect to the latter, it is critical that there be a clear record of what they said.
When conducting an interview, an investigator must determine how to create a detailed and accurate record of the discussion. In some contexts, a record will be appropriate. That is not always possible or appropriate, however. If no recording will be used, then taking good notes is a must. And the most reliable notes are those taken contemporaneously. Otherwise, they will be subject to the frailties of the interviewer’s memory, which will only be exacerbated over time.
Stuart:
Notes cannot always be used as evidence per se, but they can be used to support the evidence of the interviewer/investigator. And if they were taken contemporaneously, they will be more compelling than notes put together after the fact.
Prior to an investigation taking place, employers should document all incidents of misconduct, as well as performance concerns, regarding their employees. When a corporate client contacts me to discuss potential dismissal, I always ask to see the employee’s file. It is amazing how often there is absolutely no evidence of the allegedly ongoing issues.
Termination for Just Cause
Do you believe you are justified in firing an employee without providing a severance package due to ongoing issues?
Read Stuart’s informative article on Termination for Just Cause to ensure you are taking the proper steps.
Rob:
How soon should notes be written after an incident for them to be considered contemporaneous?
Stuart:
“Contemporaneous” notes should be taken during the interview. Notes should be written throughout the discussion, with the note-taker writing down questions and answers as they are spoken. They can be typed if that is more efficient.


Rob:
In your legal opinion, can contemporaneous notes be edited after they are initially written?
Stuart:
Contemporaneous Notes should not be changed without an extremely compelling reason. “Corrections” to fix spelling or grammatical issues, or to make the notes more legible, are acceptable but the original version of the notes should be kept in case there is any issue regarding the nature of any changes that were made. Other than fixing such issues, notes of an interview should not be changed. Doing so will raise serious concerns regarding the accuracy of the notes and the legitimacy of any conclusion reached by the investigator.
Rob:
How would you cross-examine a witness, if you suspected that he had modified his contemporaneous notes?
Stuart:
Modifying contemporaneous notes would be an example of witness impeachment. The prior statement, which in this context would be the original notes, could be put to the witness, who would then have to explain the change. If the original notes do not exist, then the cross-examiner would have to assess the physical or digital notebook and look for any evidence of tampering.
Rob:
If you questioned the date & time of when a contemporaneous note was allegedly made, what proof of the date & time would you accept for electronic documents?
Stuart:
That is a difficult question, as there are so many tools for taking notes, and many ways for “changing” the date and time of a document. Some applications will allow you to see a history of changes. In some cases, we could have a forensic analysis of the document performed, which could reveal changes and the timing thereof.
Caution
A document’s date & time can easily be changed with various anti-forensic tools or techniques. This is discussed in our Fake-A-Date article.
This is why Forensic Notes digitally signs and timestamps each note, creating a Forensic Note that can be easily validated.
Rob:
Any final thoughts regarding contemporaneous notes?
Stuart:
Contemporaneous notes of an interview in the course of an investigation are a crucial piece of evidence, particularly when there is some dispute over what was said. A good practice is to take notes during the interview and then have the witness review and sign them before they leave, confirming their accuracy. It will then be hard for the witness to change their story later. However, the interviewer should also not change their evidence after the original contemporaneous notes have been made. They can always be supplemented, but should not be changed in any way that would change their meaning.
Forensic Notes was intentionally designed to help mitigate any attempts to discredit your notes, by allowing you to:
- Create Electronic Contemporaneous Notes
- PROVE the Date & Time of EVERY Note
- Make Changes or corrections to Contemporaneous Notes while still maintaining the original
- Package Everything in a single ZIP Archive for Easy Review & Disclosure
- Work in Team Environments


Most of us in the Digital Forensic community agree we need some level of standards. But who should determine these standards? And which standards are truly relevant in ensuring the integrity of digital forensic work?
In 2020 the debate still continues on whether ISO 17025 is right for Digital Forensics. In some countries, such as the United Kingdom, it is now a mandatory standard.
Should this standard be adopted in the United States and Canada? If not, what standard should the digital forensic community be held to?


- What is the FSR (Forensic Science Regulator)?
- Who is the Forensic Science Regulator in the UK?
- Update to ISO 17025:2005
ISO 17025 is a mandatory standard for Digital Forensics laboratories in the United Kingdom (UK) as of October 2017.
All labs that are not ISO 17025 certified must disclose their ‘non-compliance’ on every report produced.
The following article is meant to provide information and open the discussion around this topic.
This ISO 17025 accreditation will impact how Digital Forensic examinations are conducted in the future and by whom around the globe.
As it stands, views are mixed about the suitability of this standard for Digital Forensics.
Certainly, some Digital Forensic Examiners (DFEs) believe that using ISO 17025 for Digital Forensics is like placing a square peg into a round hole.
Is this belief based on fact or fear?
ISO 17025
ISO 17025 is also referred to as ISO/IEC 17025.
ISO – International Organization for Standardization
IEC – International Electrotechnical Commission
What is ISO 17025?
ISO 17025 was first published in 1999 to standardize labs around the world to ensure results from one lab would be accepted or repeated by other standardized labs.
This helps to break down international borders between countries when sharing forensic lab results.
To become ISO 17025 accredited, nationally recognized laboratory accreditation bodies assess the labs for conformity.
These accreditation bodies must follow established “methods of evaluation” developed by the International Laboratory Accreditation Cooperation (ILAC).
The ISO/IEC 17025 standard is split into 5 distinctive categories:
- Scope
- Normative Resources
- Terms and Definitions
- Management Requirements
- Technical Requirements
Some areas that may be addressed within the above 5 categories include:
- Testing and Calibration Standards
- Staff Competence
- Equipment Standards
- Quality Management
The goal of ISO 17025 accreditation is to “consistently produce valid results”.
Source: Wikipedia ISO/IEC 17025
Although ISO 17025 was written for testing and calibrating laboratories, many believe that it is the best fit for Digital Forensic Laboratories simply because no other international standard for digital forensics currently exists.
This has been discussed in many articles including a conference paper on ResearchGate.
The belief that ISO 17025 is the best fit is shared by the Forensic Science Regulator in the UK, Dr. Gillian Tully, who mandated that ISO 17025 would be mandatory for all Digital Forensic Labs in the UK by October 2017.
What is the FSR (Forensic Science Regulator)?
The Forensic Science Regulator ensures that the provision of forensic science services across the criminal justice system is subject to an appropriate regime of scientific quality standards.
Source: Gov.uk
Who is the Forensic Science Regulator in the UK?
The post of FSR was established in 2007 and is currently held by Dr Gillian Tully. The Regulator is a public appointee, sponsored by the Home Office, who ensures that the provision of forensic science services across the Criminal Justice System (CJS) is subject to an appropriate regime of scientific quality standards.
Source: Forensic Science and Beyond
Update to ISO 17025:2005
The update to ISO 17025:2005 has been referred to as ISO 17025:2017 or ISO 17025:20xx.
The new standard was released near the end of 2017. The original standard was produced in 1999 with only minor revisions in 2005.
The present revision addresses the need to align it with the other more recent ISO 17000 series standards, as required by ISO CASCO and to modernise the standard, recognising advances in technology and business practices.
ISO 17025 – Right Fit for Digital Forensics?
There are others within the digital forensic community that do not believe that ISO 17025 is a good fit for Digital Forensics.
Some of those concerns were captured in a recent UK survey, which is discussed below.
ISO 17025 UK Survey
A survey in the UK was conducted in early 2017 by Pat Beardmore, Geoff Fellows and Peter Sommer with results released in April 2017.
A total of 176 people responded to the survey.
Over 65% of those that responded stated that they were within Law Enforcement.
The Cost of Accreditation
One of the main concerns often raised by practitioners is about the costs associated with ISO 17025 accreditation and whether smaller organizations can bear these extra costs.
Interestingly, as the survey discovered, even the majority of those who went through the accreditation process were unaware of the actual costs.
An additional 14% believed the cost was under £50,000 (approx. $66,000 USD) and 15% believed the cost was over that amount.
With these survey results in mind, it is important to realize that those opposing ISO accreditation based on costs may be doing so due to fear of the unknown rather than hard facts based on research and past experiences.
Understanding of ISO 17025
Another interesting result from the survey was on the participants’ understanding of ISO 17025.
Less than 25% believed they had a “Very good” or “High, ..” understanding of ISO 17025.
Can a person strongly oppose a requirement or movement towards accreditation, such as ISO 17025, if they only have a “Reasonably good” or less understanding of what it entails?
To view the entire PDF Survey, click here.
Forum Discussions
Moving away from stats and charts, another good way to understand what the Digital Forensic community really thinks about ISO 17025 is to look at what members have posted on forums.
Probably the most well-known Digital Forensic forum is “Forensic Focus”.
In a 2012 Forensic Focus discussion regarding ISO 17025, several key contributors to the forums provided the following comments.
Although this “MindSmith” comment was posted in 2012, it’s still a valid question in most parts of the world where ISO 17025 is not yet mandated or even discussed.
Of course, in the UK, this appears to no longer be an option for discussion.
I believe the following comment by Jaclaz hits at the heart of what ISO 17025 is attempting to accomplish…
Consistency in Quality!
The latest discussions on ISO 17025 and this article are taking place on Computer Forensics World Forum.
ISO 17025 does not ensure higher quality work, but it at least sets minimum quality standards to be adhered to, to ensure all labs are at the very least starting on a level playing field.
Standards
When it comes to having high standards in digital forensic work, the voices from the community are loud and clear.
Without standards or accreditations in place, the credibility of forensic examiners will likely be questioned in the future.
“Credibility” would certainly endure increased scrutiny in the event of high-profile cases, especially where it is found that the examiner failed to have the proper training or knowledge to complete standard digital forensic examinations.
The lack of requirements for digital forensic practitioners to be certified in their discipline, be accountable to industry best practices and standards, or work out of accredited laboratories places the credibility of this forensic science in jeopardy.
~ Josh Moulin
Deputy Chief Information Officer
US Federal Government, National Security
Impact of Inconsistent Standards
Josh Moulin backs up the above statement in his 2014 thesis paper, “Disheveled Digital Forensics: The Impact of Inconsistent Standards, Certifications, and Accreditation”, with the following comment.
Although digital forensics has been recognized as a legitimate forensic science and has been utilized in the criminal justice system for the same length of time that DNA has, the discipline is anything but disciplined. Within the United States, any law enforcement agency, business, or individual can open a forensic “laboratory” and begin providing services without having to demonstrate even foundational knowledge, skills, or abilities.
To further evidence this, within the law enforcement community alone there are only 67 digital forensic laboratories accredited to the ISO 17025:2005 standards for the nearly 18,000 law enforcement agencies in the country.
~ Josh Moulin
Deputy Chief Information Officer
US Federal Government, National Security
Although Josh Moulin does agree with the idea of accreditation, he is aware that it’s not the “be-all and end-all”.
Having a laboratory accredited according to best practices such as ISO 17025 removes many questions about the quality assurance of the laboratory and the personnel performing work. Accreditation is not the be-all and end-all or a magic solution to issues plaguing the digital forensic discipline.
Accredited laboratories have been known to have issues with their findings as well, the only difference is that the laboratory accreditation standards generally help bring misconduct to light. For example, in 2014 the Oregon State Police quietly closed down their handwriting analysis unit after conducting an internal review of allegations involving bias, sloppy work, and dishonesty (Denson, 2014).
A report to the U.S. Congress said, “In the case of laboratories, accreditation does not mean that accredited laboratories do not make mistakes, nor does it mean that the laboratory utilizes best practices in every case, but rather, it means that the laboratory adheres to an established set of standards of quality and relies on acceptable practices within these requirements” (National Research Council, 2009).
~ Josh Moulin
Deputy Chief Information Officer
US Federal Government, National Security
If you haven’t had an opportunity to read his Thesis paper (84 pages), I highly recommend that you do as it includes a lot of great information on the subject of accreditation and why it is needed within the Digital Forensic Community.
He goes on to state the following, and I believe most forensic examiners would agree with it, especially if someone they cared about was being accused of a criminal act.
Much of the digital forensic community desires to have their evidence seen in court as forensically sound and bulletproof, yet do not want to go through the rigors that other traditional forensic sciences have done to prevent evidence spoliation and other mishandling and misinterpretations. …
If any digital forensic analyst ever found themselves in a position where digital evidence was being used in a legal proceeding against them, they would absolutely want that digital evidence processed in the best forensics lab with the most skilled analyst who meets certain standards.
~ Josh Moulin
Deputy Chief Information Officer
US Federal Government, National Security
Josh Moulin is not the only Digital Forensic Examiner who is worried about the current lack of standards and accreditation.
Brett Shavers recently wrote a blog article titled “The last thing we want in DF/IR is the first thing we need in DF/IR (aka: regulations…)”.
Within this article, Brett states the following…
The DF/IR field, as it stands today, is practically the Wild Wild West. We have few regulations outside of obtaining a business license … It’s freewheeling at the moment without any government intervention.
Brett Shavers
Digital Forensics Practitioner, Author, and Instructor
Author of “Placing the Suspect Behind the Keyboard”, “Hiding Behind the Keyboard”, and the “X-Ways Forensics Practitioner’s Guide”.
Brett Shavers Blog
Brett goes on to suggest that we need to start implementing our own regulations and standards before the government decides what is best for our profession.
For those of us in the United States or Canada, it appears that we still have time to guide this process towards an accreditation that fits Digital Forensics and isn’t too burdensome to implement.
But all it takes is one major court case and the government could quickly swoop in with regulations they deem necessary.
Let me get to the solution before getting into the issues. Simply copy and modify what is being done in other professions to fit the DF/IR profession, and give our ideas to the respective government regulatory agencies to implement…Pick a profession, any profession, and get started.
~ Brett Shavers
Accreditation IS Useful – but is ISO 17025 the Solution?
Preston Coleman provides further insight into ISO 17025 accreditation as an examiner working within one of the few accredited labs in the United States.
Working in an ISO 17025 lab himself, he doesn’t disagree that there is a high cost and more work involved. However, he does say “accreditation as a concept should be useful and highly desired”.
~ Source: Forensic Focus Forum
Preston Coleman also mentions the need for “proper documentation”.
Forensic Science Regulator’s View – UK
Dr. Gillian Tully, who is the UK’s Forensic Science Regulator, recognizes the issues, stating the following within the Forensic Science Regulator Annual Report (released January 2017).
A year on, it is clear that the single biggest challenge to achieving my aim is financial: the costs associated with complying with and being assessed against the standards.
~ Dr. Gillian Tully – Forensic Science Regulator
However, Dr. Gillian Tully goes on to state why she believes in ISO accreditation, stating…
To be clear, the standards are not some unachievable ‘gold-plated’ ideal; they are the minimum standards expected of any reliable forensic science organisation, drawing from general good scientific practice and also learning from errors and omissions of the past and of other industries. There have been enough examples of poor practice, lack of validation of methodology and ‘rogue’ laboratories in recent years (largely outside the UK) to make the case for a robust but proportionate quality system, with an assurance mechanism to check compliance.
Funding for forensic science across the board, and particularly, perhaps, for defence provision via legal aid, must be at a level that enables the standards to be met.
~ Dr. Gillian Tully – Forensic Science Regulator
Finishing with a powerful statement on why regulations must be put in place within Digital Forensics…
Otherwise we will face the costs, both in criminal justice terms and financially, of quality failures and loss of confidence in forensic science.
~ Dr. Gillian Tully – Forensic Science Regulator
In Conclusion
I believe the above statement really does summarize why accreditation is required within the Digital Forensic field.
Many of our reports are used to help convict or exonerate individuals.
We cannot forget that these individuals are fathers, mothers, sons, daughters, family members and friends of people we may know.
They deserve to have any evidence used in their trial treated and assessed to a rigorous and high standard.
We would not expect Forensic Labs handling DNA to NOT be accredited, so why would we want digital forensic labs to remain un-accredited?
How much would it cost your organization to lose a civil lawsuit if a report your organization produced resulted in the conviction of an individual who was later found to not be guilty?
Moving towards accredited Digital Forensic Labs is just part of the reality of progress within our field.
As an investigator, I would not want to use DNA results from a non-accredited office if I could get results from an internationally recognized lab which meets stringent regulations.
Accreditation is not unattainable or unbearable, as labs accredited in ISO 17025 have existed for many years as indicated within Josh Moulin’s Disheveled Thesis and the FSR Annual Report.
~ Source: FSR – Annual Report
But many of these larger accredited organizations are losing contracts to smaller non-accredited companies.
~ Source: FSR – Annual Report
This isn’t to say that small Digital Forensics labs shouldn’t exist, but they will need to raise their fees if they want to become accredited and compete for high profile criminal cases where accreditation becomes a requirement.
For many sole-proprietors, this may unfortunately push them out of business.
The FSR states within their Annual Report that they are looking at ways to reduce the costs to sole-proprietors so there is hope that the costs can be reduced to allow them to remain competitive within the market.
The FSR Annual Report also recognizes that many organizations will have failed to meet the requirements by the October 2017 deadline, stating that “a substantial proportion of digital evidence produced after that date, disclosure of non-compliance will be required.”
~ Source: FSR – Annual Report
Once again, I am not saying that ‘ISO 17025’ is the best fit with Digital Forensics, but I do believe some sort of accreditation is required.
We can’t ignore the fact that if accreditation is mandated in your country, there will be additional costs which could negatively impact some of the smaller digital forensic offices.
However, the goal is to have the overall consistency of digital forensic examinations increase to help ensure the evidence is presented fairly and accurately while reducing the chances of costly litigation due to incorrect or insufficient reports.
What are your thoughts regarding the information provided in this article?
My goal is to keep the discussion going on forensic standards and accreditation, whether it is ISO 17025 or otherwise.
I hope this article will help generate further debate amongst the digital forensic community as we all continue to look for ways to ensure excellence in our field.
Join the Twitter Discussion #17025
This article has spawned several good discussions on social media, including the following one on Twitter (#17025).
It will take the efforts of members of their DFIR org to push their board to cooperate together with other DFIR orgs. Most efficient is board members communicating across organizations, rather than individuals trying to do this alone.
~ Brett Shavers (@Brett_Shavers)
How should you conduct Open Source Intelligence (OSINT) investigations?
Are there tools that can help you?
Are you thinking about how you will present your findings in court?
In this post, we hope to answer these questions and explain how both Hunchly and Forensic Notes will aid in not only conducting OSINT investigations, but also ensuring they stand up under court scrutiny.


OSINT INVESTIGATIONS
A Right Way To Information Gathering?
OSINT (Open Source Intelligence) has gone mainstream. Not long ago, OSINT was something tech-savvy investigators did off the side of their desk. As agencies became more aware of its value, OSINT became the domain of specialized OSINT investigators. And today the expectation is that all well-rounded investigators need to understand and be able to perform their own rudimentary OSINT research.
With the vast amount of personal information individuals are posting about themselves (and their friends and family) online, you can no longer expect a few specialized investigators to capture everything on the Internet, especially as this information is volatile and can disappear just as quickly as it goes up.
However, doing OSINT correctly is important. Investigators and analysts are often tasked with conducting OSINT with little training or instruction on how that information should be documented, captured or later disclosed. This is partly because many people falsely equate OSINT work with simply knowing how to “Google”.
The other issue that arises is that Open Source Intelligence, especially when completed for Law Enforcement purposes, can cross the line from “Intelligence” to “Evidence”. This is a significant line to cross, as ‘evidence’ means your OSINT work may very likely come under court scrutiny.
Not surprisingly, this has led to case law requiring improved procedures and tools for conducting OSINT investigations. One well known case in Canada is [R v Hamdan].
…if the police procedures do not improve,
subsequent decisions may find the police action to be unreasonable.
Honourable Mr. Justice Butler
Supreme Court of British Columbia – Canada
OSINT is important work and it requires execution in a purposeful manner. This is where using Hunchly and Forensic Notes can improve and simplify your OSINT investigations and aid in your findings being accepted in a court of law.
Hunchly and Forensic Notes cover two vital elements that may come under scrutiny months or years after your investigation:
Why use Hunchly
Conducting OSINT investigations can be tedious and time consuming, especially when you are capturing and documenting all your findings.
There are a number of questions an investigator must ask and find solutions to, such as:
- How do I capture a wide variety of webpages (often with scrolling content)?
- What format should I save webpages in (PDF, HTML, PNG)?
- Should I capture every page I view?
- Can I trust that the OSINT tools I find online are not transmitting sensitive information to third parties or organizations?
- How do I remember search terms used during my investigation and the search sites used?
This is where Hunchly comes in.
Hunchly is an incredibly powerful software tool that will save you time and eliminate the headaches and stress in trying to capture every detail of your on-line investigation. Hunchly is highly recommended by some of the most renowned people in OSINT, including Michael Bazzell at IntelTechniques.com, and is the tool of choice for law enforcement agencies around the world.
There are other web capture tools out there that you will also find useful from time to time. Hunchly, however, is quite distinctive in that it is a purpose-built web capture tool designed for conducting OSINT investigations. This becomes quite apparent when you begin to use Hunchly. It not only does a great job capturing webpages, but it also helps you conduct your investigation and organizes your results for reporting and disclosure in court.
Hunchly is light-weight and runs as an extension in your Chrome web-browser. Once installed, it’s a simple click to activate or deactivate the capture function. When activated, it begins to capture every search you make and every web page you visit, with no further action on your part.
This is more powerful and helpful than you might expect!
For example:
You are tasked with conducting OSINT research on a target in a homicide. The detective provides you with a name and possible associates, but states that no other information is known as the incident had just occurred.
As you research on-line you become overwhelmed with the amount of information you are finding and have no idea what might be relevant. The next day, you speak with the detective who mentions that sand was found on the body of the victim, to which you quickly say, “I saw a picture posted on the suspect’s Instagram account showing a picture of him by the beach”. Believing you have a key piece of evidence, you quickly log into your computer and navigate to his Instagram page, only to realize that you can’t find the picture. It has been deleted!
This is where Hunchly really saves the day. Remember, it captures EVERYTHING you view and does so in a forensically acceptable manner. Now, instead of losing that key piece of evidence, you can simply look back through your Hunchly history to find the information you already found!
Remember: the internet is a live and constantly changing source of information.
A Facebook post that was once publicly visible might suddenly become private (or deleted) by the time you decide to go back and review it. Or perhaps the information is still there but you can’t remember the web trail you took and can’t find your way back to that key bit of information.
Going back to the example above, what if the suspect had multiple social media accounts all with thousands of posts and pictures?
How many additional hours will you spend trying to find the potentially deleted images if you are not sure whether it was an Instagram post or was posted on a different social account? Hours? Days?
I can guarantee these will be the most frustrating hours or days of the investigation, not only for you, but also for the lead detective who will likely be looking over your shoulder for the big break in her case.
Life is too short not to use Hunchly!
In our OSINT Guide we’ll explore even more Hunchly features, including:
- How to highlight key information such as username, email, phone and address using “selectors”
- Categorizing your findings with “tags”
- Disclose your captures
- Capture metadata
- Adding notes
This last feature, adding notes, ties into the next key concept of OSINT and note-taking.
A great feature of Hunchly is that it allows you to add notes to web captures. This is helpful to give context (for yourself or others) on how or why particular web captures are relevant. BUT don’t confuse this great note feature with your “investigative notes”. Yes, Hunchly keeps a great record of OSINT data, but there is still an important need for contemporaneous notes.
This is where Forensic Notes complements Hunchly.


Why use Forensic Notes
You may ask,
“Aren’t my web captures (screenshots) basically my notes?”
“Why do I need to take additional notes?”
The answer is that there is a lot more to OSINT than just what you saw and captured online, especially if you are going to end up in court.
First, you should be making notes about why you are even conducting the investigation in the first place.
- Who requested that you assist in this investigation?
- What or who were you asked to investigate?
- Were you provided with any information to begin your search, such as names, usernames, birthdays, addresses, email addresses, phone numbers, etc?
- Did you use any police databases to help determine or corroborate information you found online?
- What did you find online?
- Who did you notify about your findings?
Notes are also about your own CYA. Consider this: what if you had discovered some key information that would have pushed an investigation forward, but months later it turns out no one ever acted on that information? Whether honestly forgetting or trying to protect themselves, the investigator blames you, alleging that you never provided that information. Having notes that show otherwise could keep you out of the hot-seat!
So, if you are convinced that note-taking is an important part of OSINT, there’s good reason why you should be using a tool like Forensic Notes to take the BEST notes.
When it comes to taking notes, hopefully it’s obvious that the old pen and paper way of taking notes is really unsuitable for OSINT (though it’s much better than making no notes at all).
Why?
Digital notes are easier to read for both you and others. They are also more efficient and help you record information more accurately. For example, consider recording URLs:


Would you really want to copy that out by hand?
Probably not, and even if you wanted to, there is a very high chance you would record it incorrectly. The power of digital note-taking can come down to this simple phrase: “copy & paste”.
Copy & Paste will not only save you a lot of time, it will ensure you don’t make typos and other errors when it comes to recording the content you view online.
For OSINT, digital notes really are the way to go. So, the next question is, “Why can’t I just use Word, Excel, Notepad, etc?”
It simply comes down to the strict rules for Law Enforcement surrounding acceptable note-taking – requirements that just can’t be met with typical word processing applications.
For hand-written notes, you keep notes in a notebook and are forbidden from removing pages, using white-out, or leaving blank spaces. This ensures that an officer’s notes can be shown in court to be unaltered and that no notes are missing from the notebook. With a typical word processing application, you could change your notes days, weeks, years later and it’s quite possible that no one would be able to track or identify those changes. Well, unless you use a font that didn’t exist at the time you claim your notes were made.
The reason for this demand on Law Enforcement note-taking is that memory is fragile, and the more time passes, the less reliable it becomes. That’s why it’s vital to take notes as soon as practical after an event, to ensure nothing important is forgotten or perhaps worse, remembered incorrectly.
Before being allowed to refer to your notes in the courtroom, the judge will want to know if they were made contemporaneously. Making notes days, weeks, or months later greatly reduces their reliability and any weight the judge or jury may give to them.
With this in mind, individuals may feel tempted to “backdate” their notes when they realize they forgot to write something down. This is where Forensic Notes keeps you honest while also ensuring you can prove your notes are authentic and unaltered from the time you made them.
Forensic Notes is designed to give users the ease of recording digital information (like complex URLs) while maintaining the security and integrity of a bound paper notebook. This security is provided by a process much like the blockchain, where every note is tracked and verified via its hash and timestamp.
Lastly, the true power of Forensic Notes is that if you don’t want to change your current note-taking method, you can keep it and then add your notes, such as word-processing documents, directly to Forensic Notes to get access to the same verification features. Simply upload almost any type of file to obtain the same security and authentication as making notes directly in Forensic Notes.
And if you aren’t ready to give up the pen & paper, Forensic Notes also allows you to take hand-written notes with a stylus on an Android tablet or an Apple iPad.
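The hash-and-timestamp idea described above can be illustrated with a minimal hash chain in which each note commits to the one before it. This is an added example, not Forensic Notes' own code or design; the function names, record layout and sample notes are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # stand-in "previous hash" for the first note (assumption)


def entry_hash(index, timestamp, text, prev_hash):
    """SHA-256 over a canonical encoding of the note and its predecessor's hash."""
    payload = json.dumps([index, timestamp, text, prev_hash],
                         ensure_ascii=False, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_note(chain, timestamp, text):
    """Append a note; its hash commits to every note recorded before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    index = len(chain)
    chain.append({"index": index, "timestamp": timestamp, "text": text,
                  "prev_hash": prev, "hash": entry_hash(index, timestamp, text, prev)})
    return chain[-1]


def first_invalid(chain):
    """Return the index of the first note that fails verification, else None."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if (e["index"] != i or e["prev_hash"] != prev
                or e["hash"] != entry_hash(i, e["timestamp"], e["text"], prev)):
            return i  # content or linkage changed after the note was recorded
        if i and e["timestamp"] < chain[i - 1]["timestamp"]:
            return i  # same-format UTC strings sort by time: note is backdated
        prev = e["hash"]
    return None


def matches_anchor(chain, anchored_head):
    """Compare the latest hash with a copy lodged with an independent party."""
    return bool(chain) and chain[-1]["hash"] == anchored_head


def sample_chain():
    """Constructed sample notes (not real case data)."""
    chain = []
    append_note(chain, "2019-11-04T09:15:00Z", "OSINT request received; subject name and email provided.")
    append_note(chain, "2019-11-04T09:40:00Z", "Search engine query run; possible social media accounts found.")
    append_note(chain, "2019-11-25T14:05:00Z", "Reviewed captured tweets; one relevant tweet identified.")
    return chain
```

The internal check alone cannot catch someone who rewrites the whole log and recomputes every hash, which is why the latest hash and the timestamps need to come from, or be lodged with, a party the note-taker does not control.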


The OSINT Tool Guide
In this Guide we’ll explore how to conduct an OSINT investigation using Hunchly & Forensic Notes to help ensure your investigation is documented properly.
To begin, we’ll need to set up both applications.
Don’t worry, it only takes a couple minutes to get both up and running – and they both offer free trials!
Get Hunchly
Visit: https://www.hunch.ly/
- Click on “TRY IT FREE”
- Enter your name & email and you’ll receive a trial license via email.
- Follow the simple instructions to download and install Hunchly
- You may also need to install Chrome (if you don’t already have it).
- You now have 30 days to try it out!
Get Forensic Notes
Visit: https://www.forensicnotes.com/
- Click on “CREATE ACCOUNT”
- You’ll be brought to a pricing page where you can select “Start My Free 7-Day Trial”
- Yes, it REALLY is free to try.
- You won’t be asked for any payment details.
- You’ll then be brought to the sign-in page.
- Create your account by:
  - logging in via an existing Google or LinkedIn account
  - OR
  - clicking the “Sign up now” link. You will be required to enter an email and complex password.
- You will need a phone number to enable Multi-Factor Authentication – which is mandatory.
- Follow a few more onscreen instructions and you’ll be brought to the Forensic Notes notetaking screen.


Watch this short video to learn how to sign up for Forensic Notes
Start Investigating
Let’s conduct an Open Source investigation on Justin Seitz, the creator of Hunchly.
Like a lot of things in life, it’s better to start with a blueprint of how you will approach your investigation rather than simply jumping in.
Having a blueprint keeps your work looking more consistent, which is both beneficial to you and others who may review your work.
As you will see, Forensic Notes makes this process simple & easy to complete.


The first time you start Forensic Notes – you’ll start with a blank notebook and note.
NOTEBOOKS
To begin, let’s create a folder structure that helps organize our notes.
Forensic Notes is built on the foundation of physical notebooks, but with some key advantages.
With a physical paper notebook, you might record multiple investigations in the same notebook (or be stuck with MANY notebooks!). Your notes for various investigations could be scattered among different pages and even different physical notebooks.
This makes finding information for just that investigation difficult and time consuming.
With Forensic Notes, we recommend you create a separate notebook for each investigation. This will keep your notes together and simplify disclosure or referring back to a specific note at a later time.
Forensic Notes also allows you to create folders to help organize your notebooks that might be on the same topic / year / or other relevant categorization.
Here is one example of how you might organize and name your notebooks for OSINT investigations.
- Folders to organize/group notebooks by year.
- Notebooks are named by File #, Offence Time, and Date Assigned.


You can always rename notebooks, and it’s easy to drag & drop folders and notebooks if you decide you want to change the way your notes are organized – all without affecting the content of those notebooks.
NOTES
Once you have decided on a notebook structure, it’s time to start making notes.
The simplest method would be to just create notes as you go and they will be organized in chronological order.
However, you have the flexibility to again name individual notes and organize them in folders.
As shown in the example below, you could organize your notes on various sources of OSINT information as well as general notes about the requests and conversations with other investigators.


If you want an overview of how to quickly create notebooks and notes, and why they are different from your typical word document, watch the video below:


Quick Start Guide Video
WHAT DO I NOTE?
So you have a blueprint for how to organize your notes, but what should you record in your notes?
To begin, you should document why you are conducting an OSINT investigation and what information you were given from the lead investigator or anyone involved with the investigation.
This might include:
- who provided the OSINT request?
- the purpose of the investigation
- information provided on the subject of the search such as:
  - names
  - usernames
  - email addresses
  - phone numbers
  - known social media accounts
  - known websites / URLs associated with subject
It’s good to note this information now, because as your OSINT investigation progresses, you will likely come across a lot of additional information. If you don’t document now, looking back a few days later it might be difficult to recall the source of the information.
In the example below, we document that we have been provided with Justin’s first and last name, that he may be an author, and an associated email address.
Example:


STICKY NOTES
You will also want to review your own notes to remind you of tasks you may not have yet completed. And if you are someone who loves sticky notes, Forensic Notes allows you to create reminders that you can clear once completed and that are not included when you download your notebooks.


SEARCH & CAPTURE
Now it’s time to get searching and this is where Hunchly comes into play.
Instead of having to note every search and every page you viewed, which is a lot of effort, Hunchly can track this for you. Not only that, Hunchly will save a copy of every webpage you’ve viewed, so you can always go back and review pages you’ve visited.
Let’s Watch How to Capture our First Webpage with Hunchly


Capturing Your First Page
If you followed along with the video above, you will have completed a simple Google search for “justin seitz”. We immediately found some results that could possibly be associated to our subject, including a Twitter and LinkedIn account.
Looking closer at the Twitter result, we see that Justin uses the Twitter handle “@jms_dot_py”. People often use the same username for multiple sites, so this will be a great term to search later.
SELECTORS
This leads to the next great feature of Hunchly – “selectors”. Hunchly allows you to add terms (names, usernames, URLs, email addresses, phone numbers, etc.) as selectors so that Hunchly can track and identify that information if it appears on any webpage you access.
This can be helpful as you conduct your OSINT investigation, as any “selectors” that appear on webpages as you search can be highlighted directly in your Chrome browser, ensuring you don’t overlook key content. And because every webpage you viewed is saved locally on your computer, you can also go back and search all the pages you viewed in the past for those selectors or for new selectors that you discover throughout your investigation.
In the above example, by adding “jms_dot_py” as a selector we can quickly discover as we scroll through Google results that Justin also uses this username on two well-known sites, Medium and Reddit.
Okay, it’s time to learn how to use ‘selectors’ directly from Justin himself.


Using Selectors
As you learn more about your subject, and add new details to your “selectors”, you will quickly see how much easier it is to find new sites as well as keep track of the ones you have already visited. In our example with Justin, we can quickly find a bunch of relevant information and great new selectors to add to our case:
- He is associated with an additional Twitter account: @hunchly
- There is an associated website: www.hunch.ly
- He also has a website called: automatingosint.com
- Confirm email address: [email protected]
- Claims to live in: Saskatoon, Saskatchewan
- Has a LinkedIn account: https://www.linkedin.com/in/seitzjustin/
- And another email posted on the LinkedIn account: [email protected]
Now you can add these selectors in Hunchly to ensure you are notified if they are found on other webpages you view.


TAGS
As we go about searching all we can on Justin, we could capture hundreds or even thousands of webpages. Trying to manually organize all these captured webpage results would be tedious and time consuming. Again, this is where using a purpose-built OSINT tool like Hunchly makes our lives much easier. Hunchly allows you to “tag” webpages to categorize them and make filtering and searching easier down the road.
For example, you might want to tag webpages with very general themes such as “Social Media”, “News Sites”, or “Search Results”. Once you create tags, you can quickly filter all the sites you have visited from the Hunchly dashboard to show only webpages tagged as “Social Media”. You can also filter to include your selectors, so we could filter on all social media pages that include “seitzjustin”.
And then you could still use the Hunchly search function to add additional text to filter your results on.


As you can see, this becomes incredibly powerful (and necessary) as you begin to collect hundreds of web captures.
Learn more about Tagging & Filtering directly from Justin:


Tags


Using Filters
CONTEMPORANEOUS NOTES
Hunchly does a great job capturing webpages effortlessly as you search. You can go back to refer to those pages months or years later and review what you saw. But as you can imagine, because every webpage you view is captured while you conduct your OSINT investigation, even with filtering and search tools, finding key information at a later date could be time consuming.
The efficient approach is to take great contemporaneous notes as you search. This is often the area where investigators drop the ball. It is generally more fun to just keep searching and going from website to website. But in the end, you need to be able to sum it all up and tell a concise story. Note-taking is key, as it ensures you document the milestones of your investigation, and improve the quality of your final report.
Your notes are also important to ensure you can accurately describe when and how you found information and what you did with that knowledge.
Notes are the foundation of your investigation.
For example, with Hunchly you can quickly capture a year’s worth of Justin’s tweets, but you may not actually review all those tweets until weeks later. When reviewing those tweets, you discover a key tweet that is highly relevant to your investigation and changes the course of the investigation. If you make no notes, and simply rely on the dates of your web captures, others may assume you saw that information weeks earlier and failed to properly act on it.
It is also important to remember that as an OSINT investigator you can easily stray beyond pure Open Source research and into a more invasive investigation. For example, OSINT investigators are often tasked with exigent files where key information for resolving the situation is in the hands of 3rd party ISPs. Considering that these are life and death situations, you want to ensure you keep good notes about what companies you called, when you called them, and whether they assisted in providing the needed information. To whom did you pass this information, and when?
No matter what the task, keeping good notes is part of being a good investigator.
Now, before we move on from note-taking, let’s discuss a note-taking feature in Hunchly that serves a different purpose, but is very helpful for flagging and later disclosing key web data discovered.
Let’s refer back to the example of going through a year of tweets and finding only one tweet of interest. That web capture will be quite long, and though you may need to disclose the entire history, you also really want to highlight the relevant tweet. While viewing your capture in Hunchly, simply right-click on the screen and choose the option to add a note. Hunchly will also take a new screenshot of whatever is currently being shown in the browser and then let you add a few lines of text to help give context on why this content is important.
This can be helpful to give context or remind you why a page was useful and works as a useful filter when building your reports.
Notes can be accessed via your Hunchly dashboard.


Hunchly Dashboard using Note Features
You are now done your investigation.
How do you provide your work in Hunchly and Forensic Notes to the lead investigator, your client, or disclose to prosecution & defense?
REPORTING
Preparing for the disclosure of your work so others can use it is the last but perhaps most vital step. It’s important to be able to provide your work in a way that others can use to further the investigation for use in court.
Reporting for both Hunchly & Forensic Notes is best explained by a couple of short videos.


Hunchly Report Builder
Now let’s explore reporting in Forensic Notes:


How to Download Your Forensic Notes
CONCLUSION
OSINT is an exciting field of work and study. Hopefully this guide has given you some ideas on how using these OSINT tools can improve your investigations.
Remember, if the information you collect doesn’t stand up in the courtroom, all your efforts could be for nothing. Hunchly & Forensic Notes are built to ensure your success in documenting your investigations and presenting your evidence in court.