Digital Forensics Documentation - Contemporaneous Notes Required

 

Recently there has been a lively debate regarding the type of notes that should be produced during a Digital Forensics Examination.

Several top Digital Forensics Guides and Organizations state that Contemporaneous Notes should be written during a digital forensic examination, including:

  • ACPO – Association of Chief Police Officers
  • FSR – Forensic Science Regulator (UK)
  • ENFSI – European Network of Forensic Science Institutes
  • NIST – National Institute of Standards and Technology

Though there seems to be strong agreement among organizational bodies that contemporaneous notes (CN) should be written during a Digital Forensic Examination, as will be discussed in further detail below, there is still much debate about what exactly 'contemporaneous notes' are.


Brett Shavers : Digital forensics practitioner, author, and instructor.

I also agree with the importance of notes, especially after having had an experience where I did not take notes (nor did anyone else) in one particular case.

That was a nightmare that I made sure never happened again.

If you didn’t document it, it didn’t happen.

Brett Shavers
Digital Forensics Practitioner, Author, and Instructor

Author of "Placing the Suspect Behind the Keyboard", "Hiding Behind the Keyboard", and the "X-Ways Forensics Practitioner’s Guide". 
Brett Shavers Blog

What are Contemporaneous Notes?

Contemporaneous Notes are notes made at the time or shortly after an event occurs. They represent the best recollection of what you witnessed.

~ Contemporaneous Notes Article

This is where the debate gets interesting.

Some Digital Forensic Examiners question the actual need to create contemporaneous notes, or at least the type of contemporaneous notes that most police officers have been taught how to record.

Police Officers are taught to write notes at the time of an incident or shortly thereafter, and provide those “contemporaneous notes” to Crown Prosecution and Defense with any reports that may lead to criminal charges.

They are also expected to keep their notes should a person complain or question police actions days, months, or even years after the fact.

As a result, many departments have retention policies regarding officer notes that require the officer to keep all notebooks for several years after an incident and make them available to the department if requested.

Failure to provide your contemporaneous notes can result in disciplinary action.

In comparison, many Digital Forensic Examiners see contemporaneous notes as simply a document to help produce a final forensic report with no need to provide those notes to the opposing party.

In fact, in at least one US State, the common practice is to destroy all notes upon the completion of a Digital Forensic Report.

As I will explore in depth below, this belief seems to contradict those that are writing the guidelines.

This could result in legal issues should defense question the location or existence of your contemporaneous notes while at trial.  


Jaclaz

I learned to pay the maximum possible attention to details, to document everything, to keep archives - paper or digital - well ordered.

This is a key factor when and if you need - possibly years later - to review a project or to support or challenge claims in court. 

Verba volant, scripta manent

Jacopo - "Jaclaz"
Technical Consultant - Senior Forensic Focus Forum Member (3727+ Posts)

Jaclaz is an active and senior member of the Forensic Focus forums offering advice and guidance on a variety of questions. 
Forensic Focus Interview

Don’t believe that failing to properly keep contemporaneous notes could cause legal issues?

Then please continue to read the rest of the article as we dive deeper into the potential issues you are likely to face.

Testifying in Court

The courts can be an unfriendly place, especially to ‘experts’ who must articulate and explain every aspect of their investigation. Often the opposing counsel’s plan will be to discredit you as an expert rather than attack the actual evidence of the case.

“This is a court of law, young man, not a court of justice”
~ Oliver Wendell Holmes Jr.
U.S. Supreme Court Justice 1902 to 1931

Contemporaneous Notes are Required!

 

Greg Smith, a well-respected UK expert in Digital Forensics, states the following regarding contemporaneous notes.


Greg Smith : Mobile Forensics & Telecomms Consultant : Institute for Digital Forensics (IDF)

Contemporaneous Notes are unavoidable, thus inescapable, when it comes to examining evidence and are akin to the standard of Ethics.

They hold the examiner to their own account of conduct when no one else is around to witness what is happening.

Greg Smith
Mobile Forensics & Telecomms Consultant : Institute for Digital Forensics (IDF)

31+ years of experience in handling digital and mobile telephone evidence in criminal and civil investigations.
Principal Consulting Forensic Engineer DEEU, Institute for Digital Forensics (IDF), Chief Training Officer Mobile Telephone Examination Board (MTEB), Principal Trainer Trew MTE.  
Greg Smith Blog
LinkedIn Profile

ACPO – Association of Chief Police Officers

 

The following ACPO guidelines are taken from the Good Practice Guide for Digital Forensics.

The ACPO guideline is very clear on the need to take detailed contemporaneous notes and disclose those to defense as required.

ACPO - Contemporaneous Notes

Within the ACPO guidelines, many sections refer to “Principle 3” which states that documentation should be created and preserved:

ACPO - Principle 3

The ACPO guidelines also advise taking “meticulous notes” during live forensics, which meets the goals of “Principle 3”.

ACPO - Take Meticulous Notes

The guide further emphasizes the need to keep all documentation in order to comply with “Principle 3”.

ACPO - Records to Keep

ACPO - Documenting the Scene

Within the Data Reporting section of the ACPO Guide, it states very clearly that “Examination Notes MUST be preserved for disclosure or testimony purposes”.

ACPO - Data Reporting

Preserved: Definition

“Maintain (something) in its original or existing state.”

~ Oxford Dictionary

Greg Smith (known as TrewMte on Forensic Focus) asks a very important question within a Forensic Focus post, "…if these bodies and guidelines had intended notes could be altered surely they would say so?"


Unfortunately, amongst many examiners there appears to be an incomplete understanding of what Contemporaneous Notes are.

Some examiners believe that their notes can be altered without the need of being able to PROVE what the original note had stated when it was first written.

Legally Speaking

As the definition of ‘preserved’ indicates, examination notes must be kept in their original state. 

To me, this means that if you are handwriting your notes, you must keep those original handwritten notes. If notes are being produced electronically, then you must have a way to PROVE that the notes have not changed or been altered since they were created.

Lawyer Stuart Rudner agrees that the original notes should be kept.

Original Contemporaneous Note should be kept.

Stuart expands on this statement, saying that modifying the original contemporaneous notes without keeping the original would be an example of witness impeachment.

Modifying contemporaneous notes would be an example of witness impeachment


~ Stuart Rudner
Employment Lawyer & Mediator

Stuart expands on the quotes above within our Contemporaneous Notes article where he answers the following question…

How would you cross-examine a witness if you suspected that he had modified his contemporaneous notes?

To see the answer to the above question and other questions regarding contemporaneous notes, please click here.




Forensic Notes was intentionally designed to help mitigate any attempts to discredit your notes, by allowing you to:

  • Create Electronic Contemporaneous Notes
  • PROVE the Date & Time of EVERY Note
  • Make Changes or corrections to Contemporaneous Notes while still maintaining the original
  • Package Everything in a single ZIP Archive for Easy Review & Disclosure

~ Designed for Team Environments

Document Digital Forensics Examinations with Forensic Notes

FSR – Forensic Science Regulator

The UK government website describes the Forensic Science Regulator as:

The Forensic Science Regulator ensures that the provision of forensic science services across the criminal justice system is subject to an appropriate regime of scientific quality standards.

Source: Gov.uk

The current regulator is Dr. Gillian Tully.  She has mandated that all Digital Forensic laboratories in the UK be ISO 17025 accredited.

To read more about the FSR and ISO 17025 accreditation, read our article “ISO 17025 – Right for Digital Forensics?”

Below are excerpts from the various FSR publications.

Method Validation in Digital Forensics

FSR - Contemporaneous Notes are Required

Source: Gov.uk – Method Validation in Digital Forensics

 

Codes of Practice and Conduct

FSR - Technical records shall be produced contemporaneously

Source: Gov.uk – Codes of Practice and Conduct

 

Codes of Practice for Forensic Providers

FSR - Technical Records ISO 17025 - contemporaneous audit trail shall be retained

Source: Gov.uk – Codes of Practice for Forensic Service Providers

ENFSI - European Network of Forensic Science Institutes

The European Network of Forensic Science Institutes (ENFSI) provides the following information within their “Best Practice Manual for the Forensic Examination of Digital Technology”.

ENFSI - Contemporaneous records shall be made at the time of seizure

ENFSI - Results are declared within the notes

ENFSI - Peer Review - complete notes on all the target items

Source: http://enfsi.eu/documents/best-practice-manuals/


Jacques Boucher

You wouldn't process a scene without keeping detailed notes of what you did. So why would processing a computer be any different?

Jacques Boucher
Computer Forensic Manager with the Government of Canada

Former Police Officer specializing in Computer Forensic Investigations. Masters Degree in Computing & Cybercrime Investigation.
Jacques Boucher LinkedIn


NIST – National Institute of Standards and Technology

This guide provides information on accreditation for all areas of forensic sciences including digital forensics.

NIST - Written procedures should require contemporaneous notes

Source: National Commission on Forensic Science – Critical Steps to Accreditation

Virginia Department of Forensic Science

The following section can be found under “Examination Documentation”

Virginia Department of Forensic Science

Source:  Virginia Department of Forensic Science - Quality Manual

 

The above highlighted section clearly shows that if electronic notes are used, mechanisms must be in place to ensure that the notes cannot be changed or altered.
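
One mechanism that can meet this kind of requirement, shown here as an added example (it is not taken from the Virginia manual, the other guides cited in this article, or Forensic Notes): an append-only, hash-chained note log in which a correction is a new entry that points at the original, so the original text survives and any later edit is detectable. The function names and record layout are assumptions, the sample notes are constructed, and the timestamps are self-reported; proving them to a third party requires an external trusted timestamp, which this example does not include.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash used by the first entry in a log


def digest(entry):
    """SHA-256 over the canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def add_note(log, text, corrects=None, when=None):
    """Append a note. `corrects` is the seq of the earlier note being corrected."""
    if corrects is not None and not 0 <= corrects < len(log):
        raise ValueError("a correction must reference an existing note")
    entry = {
        "seq": len(log),
        "time": when or datetime.now(timezone.utc).isoformat(),  # self-reported
        "text": text,
        "corrects": corrects,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = digest(entry)
    log.append(entry)
    return entry


def verify(log):
    """Return the seq of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        intact = entry["seq"] == i and entry["prev_hash"] == prev
        if not intact or entry["hash"] != digest(entry):
            return i
        prev = entry["hash"]
    return None


def build_sample_log():
    """Constructed sample: two notes, then a correction to the first one."""
    log = []
    add_note(log, "Imaged drive, serial WX123", when="2024-01-01T10:00:00+00:00")
    add_note(log, "Image hash verified", when="2024-01-01T10:45:00+00:00")
    add_note(log, "Correction: serial is WX128", corrects=0,
             when="2024-01-01T11:00:00+00:00")
    return log


if __name__ == "__main__":
    print(verify(build_sample_log()))
```

The chain only shows that entries are internally consistent: removing entries from the end, or rewriting the whole chain, is detectable only if the latest hash has been lodged somewhere the examiner cannot change, such as with a trusted timestamping service.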

Digital Forensic Books

The following Digital Forensic books also recommend that contemporaneous notes be created during the examination.

Digital Forensics Processing and Procedures:
Meeting the Requirements of ISO 17020, ISO 17025 and ISO 27001

Watson and Jones - Record Reliability requires contemporaneous notes

Note Taking - contemporaneous - Signed and dated

Personal Notebooks - Notes shall be contemporaneous

A screen shot is best with contemporaneous notes

Forensic Notes on Mobile

Did you know that Forensic Notes is accessible on Mobile devices?

Take a picture within our app, include it in your notes and have it timestamped in a couple of easy steps.
Forensic Notes is available on multiple devices including desktop, mobile (android, iOS), Mac, etc.

Maintaining Records - should be contemporaneous to reflect what was happening

Spoliation - Contemporaneous records to support all stages of the processing of the case is essential

Source: Book available on Amazon

Other Fields that Require Contemporaneous Notes

The following are excerpts from a Criminal Law book titled Fingerprints and Other Ridge Skin Impressions.

Case Notes should be made and be contemporaneous

R. v SMITH - Court was surprised by the absence of contemporaneous documentation made at the time of examination - Documentation is in our view an essential component of the right to a fair trial

Examiner should always take notes

Source: Fingerprints and Other Ridge Skin Impressions

Documentation is, in our view, an essential component of the right to a fair trial

~ Source: Fingerprints and Other Ridge Skin Impressions


Examination Notes – Current Solutions

I recently wrote an in-depth article on Greg Smith's blog titled “What’s happening with Contemporaneous Notes?”

Heather Mahalik : SANS Instructor

I am old school and like to keep notes on paper and store it in a case file. However, it's nice to have electronic notes for ease of reporting.

Heather Mahalik
Senior Instructor - SANS Institute

Co-author of "Practical Mobile Forensics" and Technical Editor of "Learning Android Forensics".
FOR 585 - Advanced Smartphone Forensics


In this article, I compare the different solutions available for creating Examination Notes, including:

  • Traditional paper notebook and pen
  • Word processors such as MS Word or OneNote
  • Purpose built electronic note-taking system
  • Scrap pieces of paper
  • Do not document (highly NOT recommended)!

Starter vs. Professional -- Which account is right for you?

Of course, as the founder of Forensic Notes, I freely admit that I might be slightly biased in holding the opinion that Forensic Notes is the perfect solution for documenting your Digital Forensic and Open-Source Investigations. 

But as you have likely realized, I am passionate about this topic, and I want to provide the Forensic Community with the best possible tool to allow examiners to take contemporaneous notes in an easy, though robust, way, while also ensuring security and authenticity of the notes when needed in court.

Easily Prepare Notes and Reports for Court

You can download a Forensic Notebook at any time, significantly reducing the time needed to prepare for court.

The Forensic Notebook will contain all your notes related to the case, timestamped and Court-Ready.

Example: Digital Forensic Report

Forensic Notes are downloaded as Digitally Signed and Timestamped PDF documents.

Full Package:

Forensic Notebooks are downloaded within a Password Protected ZIP Archive which contains:

  • Forensic Notebook (PDF)
  • Digital Timestamp for Notebook
  • All Individual Forensic Notes with associated Timestamps
  • Original High Quality Embedded Images (if images are included in notes)

Full Package - ZIP Archive

Forensic Notebooks are downloaded from within the application in ZIP Password Protected Archives.

NOTE: For demonstration purposes, ZIP Archive password removed.

How will YOU document your next Digital Forensic Examination?

Will you stick with the classic pen and paper, utilize a word processing application such as MS Word or OneNote or go with a more forensic solution such as a purpose-built electronic note-taking system like Forensic Notes?

Properly document your investigations in an electronic format while ensuring the security and immutability of your notes.
