The Problem with Microsoft Word and OneNote for Investigation Notes

Microsoft Word and OneNote are ubiquitous office productivity tools used by billions of people worldwide for everything from business correspondence to personal note-taking. However, when it comes to investigation notes, case documentation, and evidence records, these tools are fundamentally unsuitable. Their design prioritizes flexibility and ease of editing, which are precisely the qualities that make them dangerous for documentation that may be scrutinized in legal proceedings.

This article explains why Microsoft Word and OneNote should never be used for investigation notes and what alternatives exist for creating documentation that will withstand legal scrutiny.

No Tamper Protection

The most critical deficiency of Word and OneNote for investigation purposes is the complete absence of tamper protection. Both applications are designed to allow unlimited editing, rewriting, and revision of content. A document created in Word can be opened, modified, and saved at any time without any indication that changes were made. The original content is overwritten and lost, and there is no built-in mechanism to detect or record the modification.

In an investigative context, this means that notes created in Word or OneNote can be altered after the fact, whether intentionally or accidentally, without leaving any trace. An officer's notes could be changed to add details that were not originally recorded, to remove inconvenient observations, or to adjust the timeline of events. Even if the officer has no intention of altering their notes, the mere possibility of undetected modification undermines the evidentiary value of the document.

The Legal Implication

Defense attorneys are increasingly aware of the vulnerabilities of standard office documents. During cross-examination, an officer who presents notes created in Word or OneNote may face questions about whether the document has been modified since its original creation. Without a tamper-evident system, the officer has no way to prove that the notes have not been altered, creating reasonable doubt about the reliability of the documentation.

Metadata Vulnerabilities

Word and OneNote documents contain metadata that records information about the document's creation, modification, and authorship. While this might seem like a protective feature, the metadata in these applications is neither reliable nor secure. Document metadata can be viewed, edited, and stripped using readily available tools. An individual with basic technical knowledge can change the "Date Created," "Date Modified," "Author," and other metadata fields to make a document appear as though it was created at a different time or by a different person.

Metadata Stripping

Microsoft Office includes a built-in "Document Inspector" feature that allows users to remove all metadata from a document with a single click. While this feature is intended to protect privacy when sharing documents, it also means that any metadata-based evidence of a document's history can be deliberately destroyed. A document that has had its metadata stripped provides no verifiable information about when it was created or who created it.

Metadata Manipulation

Beyond stripping, document metadata can be actively manipulated. The file system timestamps, which record when a file was created, accessed, and modified, can be changed using freely available utilities. The internal metadata within the document file itself can be edited using hex editors or specialized metadata editing tools. This means that a Word document's metadata cannot be relied upon as evidence of when the document was actually created or last modified.

No Audit Trail

Word and OneNote do not maintain a comprehensive audit trail of document access and modifications. While Word offers a "Track Changes" feature, this feature must be manually enabled by the user, can be disabled at any time, and all tracked changes can be accepted or rejected, permanently removing them from the document. There is no independent, system-level log of who accessed the document, what changes were made, or when those changes occurred.

OneNote maintains a version history that shows previous versions of a page, but this feature has significant limitations. Version history can be purged by the user, versions can be deleted individually, and the feature does not provide the granular, tamper-evident logging required for forensic documentation. An investigator cannot point to OneNote's version history as proof that their notes have not been altered because the history itself can be manipulated.

Timestamps Can Be Changed

One of the most fundamental requirements for investigation notes is a reliable, verifiable timestamp that establishes when the notes were created. Neither Word nor OneNote provides timestamps that meet this requirement.

File System Timestamps

The creation and modification dates shown in File Explorer or Finder are file system timestamps that are trivially easy to change. Any user with basic access to the file system can modify these timestamps using built-in operating system commands or freely available utilities. Copying a file to a new location changes the creation timestamp. Opening and saving a file updates the modification timestamp. These timestamps provide no reliable evidence of when the document was actually created or last edited.

Internal Document Timestamps

The timestamps stored within Word and OneNote documents are equally unreliable. They are derived from the computer's system clock, which can be set to any date and time by the user. An individual could set their computer's clock to a date in the past, create a document, and the document would appear to have been created on that earlier date. There is no independent verification mechanism to confirm that the system clock was accurate at the time of document creation.

What Should You Use Instead?

Purpose-Built Investigation Tools

Investigation notes should be created using tools specifically designed for the purpose. These tools provide features that Word and OneNote fundamentally lack:

  • Digital signatures: Every note is cryptographically signed upon saving, creating a seal that detects any subsequent modification to the content.
  • Independent timestamps: Timestamps are generated by trusted, independent time sources, not the user's local system clock, ensuring that the recorded time is accurate and verifiable.
  • Immutable audit trails: Every access, modification, and interaction with the document is logged in a tamper-evident audit trail that cannot be deleted or altered by the user.
  • Version control: Complete version history is maintained automatically and cannot be purged or manipulated, providing a permanent record of the document's evolution.
  • Chain of custody documentation: The system automatically documents the chain of custody for every piece of documentation, recording who created, accessed, and modified each record.

Forensic Notes

Forensic Notes was designed from the ground up to address every vulnerability described in this article. Every note created in Forensic Notes is automatically digitally signed and timestamped using an independent, trusted time source. The system maintains a complete, immutable audit trail of all document activity. Content cannot be silently modified or deleted. And the entire system is built on security architecture that protects the integrity of your documentation at every level.

The Stakes Are Too High

Investigation notes are not ordinary documents. They may be used to justify arrests, support search warrants, inform prosecutorial decisions, and serve as evidence in court proceedings. The integrity of these documents is not merely a matter of administrative convenience; it is a matter of justice. When investigation notes are created in tools that offer no tamper protection, no reliable timestamps, and no audit trail, the entire foundation of the investigation is vulnerable to challenge.

The convenience of Word and OneNote does not outweigh the risks they introduce. Purpose-built investigation tools are available, affordable, and straightforward to adopt. There is no justification for continuing to use office productivity software for work that demands the highest standards of integrity and accountability.