Recently there has been a lively debate regarding the type of notes that should be produced during a Digital Forensics Examination.
Several top Digital Forensics Guides and Organizations state that Contemporaneous Notes should be written during a digital forensic examination, including:
- ACPO – Association of Chief Police Officers
- FSR – Forensic Science Regulator (UK)
- ENFSI – European Network of Forensic Science Institutes
- NIST – National Institute of Standards and Technology
Though there seems to be strong agreement amongst organizational bodies that contemporaneous notes (CN) should be written during a Digital Forensic Examination, as will be discussed in further detail below, there is still much debate about what exactly ‘contemporaneous notes’ are.
That was a nightmare that I made sure never happened again.
If you didn’t document it, it didn’t happen.
Digital Forensics Practitioner, Author, and Instructor
Author of “Placing the Suspect Behind the Keyboard”, “Hiding Behind the Keyboard”, and the “X-Ways Forensics Practitioner’s Guide”.
Brett Shavers Blog
What are Contemporaneous Notes?
This is where the debate gets interesting.
Some Digital Forensic Examiners question the actual need to create contemporaneous notes, or at least the type of contemporaneous notes that most police officers have been taught how to record.
Police Officers are taught to write notes at the time of an incident or shortly thereafter, and provide those “contemporaneous notes” to Crown Prosecution and Defense with any reports that may lead to criminal charges.
They are also expected to keep their notes should a person complain or question police actions days, months, or even years after the fact.
As a result, many departments have retention policies regarding officer notes that require the officer to keep all notebooks for several years after an incident and make them available to the department if requested.
Failure to provide your contemporaneous notes can result in disciplinary action.
In comparison, many Digital Forensic Examiners see contemporaneous notes as simply a document to help produce a final forensic report with no need to provide those notes to the opposing party.
In fact, in at least one US State, the common practice is to destroy all notes upon the completion of a Digital Forensic Report.
As I will explore in depth below, this belief seems to contradict those that are writing the guidelines.
This could result in legal issues should defense question the location or existence of your contemporaneous notes while at trial.
Verba volant, scripta manent
Technical Consultant – Senior Forensic Focus Forum Member (3727+ Posts)
Jaclaz is an active and senior member of the Forensic Focus forums offering advice and guidance on a variety of questions.
Forensic Focus Interview
Don’t believe that issues with failure to properly keep contemporaneous notes could cause legal issues?
Then please continue to read the rest of the article as we dive deeper into the potential issues you are likely to face.
Testifying in Court
The courts can be an unfriendly place, especially to ‘experts’ who must articulate and explain every aspect of their investigation. Often the opposing counsel’s plan will be to discredit you as an expert rather than attack the actual evidence of the case.
“This is a court of law, young man, not a court of justice”
~ Oliver Wendell Holmes Jr.
U.S. Supreme Court Justice 1902 to 1931
Contemporaneous Notes are Required!
Greg Smith, a well-respected UK expert in Digital Forensics, states the following regarding contemporaneous notes:
They hold the examiner to their own account of conduct when no one else is around to witness what is happening.
Mobile Forensics & Telecomms Consultant : Institute for Digital Forensics (IDF)
31+ years of experience in handling digital and mobile telephone evidence in criminal and civil investigations.
Principal Consulting Forensic Engineer DEEU, Institute for Digital Forensics (IDF), Chief Training Officer Mobile Telephone Examination Board (MTEB), Principal Trainer Trew MTE.
Greg Smith Blog
ACPO – Association of Chief Police Officers
The following ACPO guidelines are taken from the Good Practice Guide for Digital Forensics.
The ACPO guideline is very clear on the need to take detailed contemporaneous notes and disclose those to defense as required.
Within the ACPO guidelines, many sections refer to “Principle 3” which states that documentation should be created and preserved:
The ACPO guidelines also advise to take “meticulous notes” during live forensics which meet the goals of “Principle 3”.
The guide further emphasizes the need to keep all documentation in order to comply with “Principle 3”.
Within the Data Reporting section of the ACPO Guide, it states very clearly that “Examination Notes MUST be preserved for disclosure or testimony purposes”.
“Maintain (something) in its original or existing state.”
Greg Smith (known as TrewMte on Forensic Focus) asks a very important question within a Forensic Focus post, “…if these bodies and guidelines had intended notes could be altered surely they would say so?”
Unfortunately, amongst many examiners there appears to be an incomplete understanding of what Contemporaneous Notes are.
Some examiners believe that their notes can be altered without the need of being able to PROVE what the original note had stated when it was first written.
As the definition of ‘preserved’ indicates, examination notes must be kept in their original state.
To me, this means that if you are handwriting your notes, you must keep those original handwritten notes. If notes are being produced electronically, then you must have a way to PROVE that the notes have not changed or been altered since they were created.
Lawyer Stuart Rudner agrees that the original notes should be kept.
Stuart expands on this statement, saying that modifying the original contemporaneous notes without keeping the original would be an example of witness impeachment.
~ Stuart Rudner
Employment Lawyer & Mediator
Stuart expands on the quotes above within our Contemporaneous Notes article where he answers the following question…
How would you cross-examine a witness if you suspected that he had modified his contemporaneous notes?
To see the answer to the above question and other questions regarding contemporaneous notes, please click here.
Forensic Notes was intentionally designed to help mitigate any attempts to discredit your notes, by allowing you to:
- Create Electronic Contemporaneous Notes
- PROVE the Date & Time of EVERY Note
- Make Changes or corrections to Contemporaneous Notes while still maintaining the original
- Package Everything in a single ZIP Archive for Easy Review & Disclosure
~ Designed for Team Environments
FSR – Forensic Science Regulator
The UK government website describes the Forensic Science Regulator as:
The current regulator is Dr. Gillian Tully. She has mandated that all Digital Forensic laboratories in the UK be ISO 17025 accredited.
To read more about the FSR and ISO 17025 accreditation, read our article “ISO 17025 – Right for Digital Forensics?”
Below are excerpts from the various FSR publications.
Method Validation in Digital Forensics
Codes of Practice and Conduct
Codes of Practice for Forensic Providers
Source: Gov.uk – Codes of Practice for Forensic Service Providers
ENFSI – European Network of Forensic Science Institutes
The European Network of Forensic Science Institutes (ENFSI) provides the following information within their “Best Practice Manual for the Forensic Examination of Digital Technology”.
Computer Forensic Manager with the Government of Canada
Former Police Officer specializing in Computer Forensic Investigations. Masters Degree in Computing & Cybercrime Investigation.
Jacques Boucher LinkedIn
NIST – National Institute of Standards and Technology
This guide provides information on accreditation for all areas of forensic sciences including digital forensics.
Virginia Department of Forensic Science
The following section can be found under “Examination Documentation”
The above highlighted section clearly shows that if electronic notes are used, mechanisms must be in place to ensure that the notes cannot be changed or altered.
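One way to meet the requirement stated here, and the earlier point that electronic notes need a way to prove they have not been altered, is a hash-chained, append-only log in which a correction is a new entry that references the original. This is an added example, not code from Forensic Notes or any of the cited guides; the field names, the `amends` pointer and the sample notes are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the chain


def entry_digest(entry):
    """SHA-256 over the entry's canonical JSON, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


def append_note(log, written_at, text, amends=None):
    """Append a note; a correction points at the original via `amends`."""
    if amends is not None and not 0 <= amends < len(log):
        raise ValueError("amendment must reference an existing note")
    entry = {
        "seq": len(log),
        "written_at": written_at,  # examiner-supplied; not independently proven
        "text": text,
        "amends": amends,          # hypothetical field: seq of the note being corrected
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = entry_digest(entry)
    log.append(entry)
    return entry["hash"]


def verify(log):
    """Return the seq of the first altered or misplaced entry, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != entry_digest(entry):
            return i
        prev = entry["hash"]
    return None


def build_sample_log():
    """Constructed sample notes: two entries and one correction to the second."""
    log = []
    append_note(log, "2024-01-10T09:02:00Z", "Received exhibit A, seal intact.")
    append_note(log, "2024-01-10T09:15:00Z", "Imaged drive with write blocker; 500 GB.")
    append_note(log, "2024-01-10T09:40:00Z", "Correction: drive is 512 GB.", amends=1)
    return log
```

The chain only shows alteration relative to a known head hash, so that hash must be recorded somewhere the examiner cannot rewrite, such as a trusted timestamping service; `written_at` by itself proves nothing about when a note was made.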
Digital Forensic Books
The following Digital Forensic books also recommend that contemporaneous notes be created during the examination.
Digital Forensics Processing and Procedures:
Meeting the Requirements of ISO 17020, ISO 17025 and ISO 27001
Forensic Notes on Mobile
Did you know that Forensic Notes is accessible on Mobile devices?
Take a picture within our app, include it in your notes and have it timestamped in a couple of easy steps.
Source: Book available on Amazon
Other Fields that Require Contemporaneous Notes
The following are excerpts from a Criminal Law book titled Fingerprints and Other Ridge Skin Impressions
~ Source: Fingerprints and Other Ridge Skin Impressions
Examination Notes – Current Solutions
I recently wrote an in-depth article on Greg Smith’s blog titled “What’s happening with Contemporaneous Notes?”
Senior Instructor – SANS Institute
Co-author of “Practical Mobile Forensics” and Technical Editor of “Learning Android Forensics”.
FOR 585 – Advanced Smartphone Forensics
In this article, I compare the different solutions available for creating Examination Notes, including:
- Traditional paper notebook and pen
- Word processors such as MS Word or OneNote
- Purpose built electronic note-taking system
- Scrap pieces of paper
- Do not document (highly NOT recommended)!
Of course, as the founder of Forensic Notes, I freely admit that I might be slightly biased in holding the opinion that Forensic Notes is the perfect solution for documenting your Digital Forensic and Open-Source Investigations.
But as you have likely realized, I am passionate about this topic, and I want to provide the Forensic Community the best possible tool to allow examiners to take contemporaneous notes in an easy yet robust way, while also ensuring the security and authenticity of the notes when needed in court.
Easily Prepare Notes and Reports for Court
You can download a Forensic Notebook at any time, significantly reducing the time needed to prepare for court.
The Forensic Notebook will contain all your notes related to the case, timestamped and Court-Ready.
Example: Digital Forensic Report
Forensic Notebooks are downloaded within a Password Protected ZIP Archive which contains:
- Forensic Notebook (PDF)
- Digital Timestamp for Notebook
- All Individual Forensic Notes with associated Timestamps
- Original High Quality Embedded Images (if images are included in notes)
Full Package – ZIP Archive
NOTE: For demonstration purposes, ZIP Archive password removed.
How will YOU document your next Digital Forensic Examination?
Will you stick with the classic pen and paper, utilize a word processing application such as MS Word or OneNote or go with a more forensic solution such as a purpose-built electronic note-taking system like Forensic Notes?
Properly document your investigations in an electronic format while ensuring the security and immutability of your notes.