This Won’t Go to Court!
SOP’s Essential During Cross-Examination
Current Views on Note-Taking
Experts Agree – Documenting DFIR Investigations is Important
Lawyers View on Contemporaneous Notes
Destroy Notes After an Examination is Complete?
I’ll Remember It!
- Scrap Pieces of Paper
- Bound Paper Notebook & Pen
- MS Word or OneNote (and Notepad)
- Electronic Note-Taking Application
There are contradicting views on what Contemporaneous Examination Notes are and how they should be written.
Some Digital Forensic Examiners even question if they are actually required when conducting Digital Forensics and Incident Response (DFIR) investigations.
You might be thinking…. THIS IS GREAT!
Well, not exactly.
I believe that most professionals within the DFIR community understand that Contemporaneous Notes are a requirement based on professional training and recommendations by Digital Forensic Guides and leading DFIR Organizations.
The reality is that contemporaneous notes are often not completed nor are questions raised about their absence. As a result, some DFIR Examiners say they aren’t really required if no one asks for them.
But as a professional, should you be looking for shortcuts to complete your DFIR investigations?
And would failing to create documentation even save time in the long run?
At some point during your investigation, you will likely have to write a report explaining your findings which is a lot easier to complete when you have detailed notes to refer to.
This is especially true if those notes include screen captures of results during the investigation.
And if you are going to make notes, they should be made contemporaneously to the examination as this has more weight within criminal and civil court should you find yourself on the stand.
In fact, …
If you didn’t write your notes contemporaneously, the judge may rule that you are not able to refer to your notes while on the stand. (see case law below)
If this happens, will you be able to remember the details of an investigation that occurred 12 – 36 months prior?
Will your evidence have any credibility without notes?
As discussed below, it likely won’t.
And when it comes to court, even lawyers are expected to take contemporaneous notes.
In the court case below, a prosecutor had taken the stand to defend her actions to charge two officers for ‘attempt to obstruct justice’.
The judge scolded the prosecutor for failing to take detailed notes at the time of an important conversation with these two officers.
~ R. v. Clark et al – 2012 MBQB 246
We have to remember that the reliability of a testimony is not binary, in that it is believed or not believed. It is up to the judge or jury to determine how much ‘weight’ they are going to put on the testimony you provide which will be based on how credible you appear while testifying.
This Won’t Go to Court!
Those of us who have been in law enforcement for a number of years quickly realize that we are horrible at predicting what investigations will end up in court and which ones will be decided without our involvement.
Nearly all investigations I thought would end up in court have failed to result in that outcome with those investigations either ending in a Stay of Proceedings or Guilty Plea.
The reality is that you can’t predict which investigations will require you to testify and have the pleasure of being cross-examined by an opposing legal counsel.
So, you should treat every investigation as if you will have to defend your work in Supreme Court.
Even when Contemporaneous Notes are completed by DFIR examiners, many have different definitions of “Contemporaneous Notes”. The most concerning is the belief that notes taken at any time will suffice as “contemporaneous”.
But as we will see below, this couldn’t be farther from the truth.
SOP’s Essential During Cross-Examination
Failing to complete tasks you were either trained or instructed to do may not cause any issues 97% of the time. However, it’s the files that matter where the 3% could greatly affect the outcome of the investigations as well as your professional reputation.
If you gathered solid evidence against a suspect, what approach will the defense take to defend their client?
You guessed it, they will question your qualifications as an expert and whether you followed your training.
Were you trained to take contemporaneous notes during an investigation?
If yes, how do you plan to defend yourself against a defense expert questioning your professionalism if you clearly didn’t follow the training you were provided or the Standard Operating Procedures (SOPs) written by your organization?
Don’t believe this will happen?
This is exactly what one leading defense counsel suggests…
Going on to provide an example of a typical cross-examination on police note taking…
The article is well worth a read if you want to see how defense lawyers think when they are defending a client.
Current Views on Note-Taking
Recently, a number of leaders in DFIR such as Brett Shavers’s and Harlan Carvey provided their opinions on note-taking after @mattnotmax brought up the subject in his blog.
- Brett’s opinion on DFIR notes and note-taking (Brett Shavers)
- Notes, etc. (Harlan Carvey)
- Contemporaneous Notes: a forensicator’s best friend (@mattnotmax)
In Brett’s article, he believes that investigators fail to make notes for one of the following reasons:
- A belief that they are unimportant
- No one else makes them, so why should I?
Brett goes into detail on his point about the “Belief they are unimportant” stating…
If you don’t believe notes are important, one day you will find out just how important they are.
This could be due to personal embarrassment or a hit on your professional reputation when all you had to do was take a few notes a few months earlier on one of those few cases you were working.
Regret sucks, let me tell you…
Digital Forensics Practitioner, Author, and Instructor
Author of “Placing the Suspect Behind the Keyboard”, “Hiding Behind the Keyboard”, and the “X-Ways Forensics Practitioner’s Guide”.
Brett Shavers Blog
I think this is a great list, but I would also add:
The DFIR community is constantly expanding with new examiners entering the field every year. Many of these new examiners are young and ambitious, but also overwhelmed at the amount of information they have to learn and go through.
When it comes to note-taking, they know they should, but how?
As a result, they try several different ways to document their examination during the same investigation resulting in a mis-mash of notes which are hard to put together.
Further confusion results when a senior examiner says “Don’t worry about it. You don’t have to disclose that stuff as its just ‘working copy’.
If you are told that you don’t need to include some information because it is just working copy, ask them where they heard that. Often it will be from a fellow member when they started in the section.
This is called “Hearsay” and won’t help you in court.
When in doubt, ask a trusted lawyer in your area for advice on what is considered ‘working copy’.
Brett goes on to provide some useful tips on Note Taking, including:
- use technology to take notes, not a pen…if you are a messy writer
- Keep your notepads. Don’t tear out sheets. Keep all of them. Store them in a box when full..forever *
- Date/time stamp your notes
Key Tip to Remember
* “Keep your notepads. Don’t tear out sheets…”
Keep this last point in mind when we discuss MS Word and OneNote since when you use word processing applications to take notes, you are essentially removing your ability to prove that you didn’t make changes or remove notes you previously made.
Brett also provides some real-life Win/Fail Scenario’s involving note-taking which is well worth a read.
So what do the experts say?
Documenting DFIR Investigations is Important
Recently, experts and influential leaders in Digital Forensics provided quotes on the Importance of Documentation.
Contemporaneous Notes are unavoidable, thus inescapable, when it comes to examining evidence and are akin to the standard of Ethics.
They hold the examiner to their own account of conduct when no one else is around to witness what is happening.
Mobile Forensics & Telecomms Consultant : Institute for Digital Forensics (IDF)
31+ years of experience in handling digital and mobile telephone evidence in criminal and civil investigations.
Principal Consulting Forensic Engineer DEEU, Institute for Digital Forensics (IDF), Chief Training Officer Mobile Telephone Examination Board (MTEB), Principal Trainer Trew MTE.
Greg Smith Blog
Computer Forensics Author, Researcher & Practitioner
Author of “Windows Registry Forensics” and “Windows Forensic Analysis Toolkit”. Developer of RegRipper.
Windows Incident Response Blog
You may never need to defend your DFIR investigation in court, but you should complete every case as if you would be testifying as an expert in Supreme Court.
Because, you will never know which files are going to end up in court. By the time you are notified, it will be too late to create Contemporaneous Notes.
Since we just brought up court, what do lawyers have to say about Contemporaneous Notes?
Lawyers View on Contemporaneous Notes
I recently interviewed Stuart Rudner for his legal opinion regarding Contemporaneous Notes. Stuart stated:
Lawyer & Mediator
Stuart goes on to discuss the need to keep original copies of digital notes and not alter those notes unless you can show the changes that were made.
Changing notes and failing to properly disclose what changes were made while claiming the notes to be contemporaneously made could lead to legal issues and questions about your credibility.
Lawyer & Mediator
When thinking about court, always remember the following quote.
Destroy Notes After an Examination Is Complete?
In some American states, it is common practice to destroy both paper and electronic notes once a final examination report has been written.
If the destruction of examination notes is currently allowed or mandated where you work, you should ask yourself:
- What happens if the accuracy or credibility of the report is questioned?
- What reasoning will you provide if questioned on why you felt it was necessary to destroy your notes?
- The opposing party may ask “What were you trying to hide in those notes that it was so important that you destroy them prior to court?”
- Are you 100% sure that you copied them exactly as you had written them?
These questions formed the argument by defense in a New Jersey Supreme Court Decision in which a new trial was ordered in a previous murder conviction.
~ NJ Supreme Court – State v. Dabas (FindLaw.com)
As you can see from the above decision, even though Investigator Dando followed police practices at the time, his decision to destroy the notes still caused issues at trial.
Let me be clear…
You should FOLLOW your department’s Standard Operating Procedures (SOP) or documented procedures.
But if your department does encourage the destruction of notes, then I would suggest you send them this article, confirm with them that they want this practice to continue and document your discussion.
In many regions, warrants authorizing forensic examinations are becoming restrictive with respect to the type of data that can be analyzed and included in forensic reports.
In practice, you may observe other evidence in plain view (eg: Child abuse material) that does not fit within the restrictions of the warrant.
In this case, it is suggested that you immediately stop your current examination and re-apply for a new warrant that includes the evidence you observed in plain view.
If you fail to take proper contemporaneous notes or destroy your notes upon completion of a report, would you be able to properly articulate how you came across the images or data that you weren’t authorized to have searched which resulted in a more comprehensive warrant being sought?
If not, you risk having all your evidence excluded from the trial.
Many investigators fail to recognize that obtaining a new warrant is easy in comparison to defending the merits of the new warrant at trial.
Are you willing to lose all your evidence due to a lack of proper documentation?
I’ll Remember It!
You might be thinking…
I don’t need to take notes, I’ll remember this!
But as R. v. Sharma (2014] O.J. No. 1289 indicated, as an investigator you can NOT rely on your memory for key facts during an investigation.
The judge also stated that…
case law is quite clear that absence of notes by a police officer in relation to pivotal issues diminishes the weight attached to their evidence.
The following relevant cases were discussed:
At this point, I hope it is CLEAR that you MUST document your DFIR investigations contemporaneously.
So, what tools should you use to document?
The rest of this article will explain HOW to properly create Contemporaneous Notes during your investigation.
DFIR Investigations will be documented in one of several ways:
- Scrap pieces of paper
- Bound paper notebook and pen
- Word processing applications such as MS Word or OneNote (and notepad)
- Purpose built electronic note-taking system such as Forensic Notes
Scrap Pieces of Paper
Although it’s common to use scrap pieces of paper to quickly jot down information, they should not be used as a place to write notes during an examination unless other options discussed below are not available.
If scrap pieces of paper are used to document important information, this should be transcribed into your proper notes as soon as possible. Often, if done in a reasonable time frame, these transcribed notes will be considered contemporaneously written.
It is also recommended to keep these pieces of paper should they be requested at a later time.
Bound Paper Notebook and Pen
This is the classic way of writing contemporaneous notes, relied upon in law enforcement for decades.
This form of documentation has continued to stand up to the scrutiny of the courts when properly completed.
When using this form of documentation, you must keep in mind the ELBOWS set of rules for writing notes
E – No Erasures
L – No Leaves torn out
B – No Blank spaces
O – No Overwriting
W – No Writing in margins
S – Statements to be written in direct speech
Notes should also be in a bound paper notebook with pre-printed page numbers.
Although widely accepted in courts, this often results in notes that are illegible and incomplete.
For many young examiners that can quickly type out long messages on a virtual mobile keyboard, the idea of handwriting notes seems like a step back in time. This makes it more difficult to convince young examiners to take notes in the first place.
If you correct spelling and grammatic mistakes, you make the notes harder to read resulting in an end product that appears unprofessional to those that need to read them.
I’ve even seen cases were the author of the note had a hard time reading and interpreting their own handwriting.
The issues are further compounded by investigators that believe that their notes are their notes and making them illegible will eliminate the opposing party from asking tough questions in court.
However, several court cases have clarified that this is not true.
Illegible notes do NOT constitute disclosure.
And the following decisions clarify the need to provide a typed copy of officer notes if the original is illegible.
In order to discharge this duty the Crown is under an obligation to request and procure from the police all relevant information and material concerning the case.
As a result, in my view, the provision of a typed version of one of the investigative officer’s notes where that officer’s handwritten notes were illegible was more than simply a courtesy; it was part of the Crown’s disclosure obligation.
Writing notes this classic way may be convenient, but I find it hard to believe that many would say it is an efficient use of time if you are adhering to all the requirements to write detailed contemporaneous notes that anyone can read and understand as required to satisfy full disclosure.
Given the court decisions discussed above, do you think Notebook Examples #1 (below) would cause any issues for full disclosure or if you wanted to use it in court to refresh your memory?
What issues would you face if you were on the stand and this was your notebook?
Okay, how about this example notebook?
In Notebook Example #2, wite-out® was used to make a correction to a note.
Do you think the defense attorney would have any issues with the above correction when you are being cross-examined in court, especially if the accused admitted to the crime?
Now that we fully understand the acceptable ways to write notes in a paper notebook, let’s discuss…
MS Word or OneNote (and Notepad)
The use of MS Word and OneNote is becoming more common even in traditional settings like law enforcement where pen and paper have been the standard for decades. But…
I know this is a strong statement, but I strongly believe this as I will describe below.
If you don’t agree with me, then I encourage you to voice your thoughts in public forums, but please be prepared to prove your points with facts and caselaw examples.
So why wouldn’t I ever trust MS Word or OneNote for Investigations?
It comes down to court disclosure and the requirement to provide accurate and detailed contemporaneous notes, but before we get into the issues of MS Word and OneNote, let’s discuss the many benefits of these great programs.
Yes, it is true.
MS Word and OneNote are great software applications.
I am actually using MS Word to type up this article and wouldn’t trust any other application for this purpose.
MS Word is designed to write articles and reports providing all the required tools like spell checker, word count and grammar correction.
OneNote is also an amazing product for quickly recording notes, handwritten sketches and allowing multi-user collaboration.
I am a big fan of both applications, but not if you need to create court-ready documentation.
Software products are designed with a purpose in mind. MS Word and OneNote were NOT designed to create contemporaneous notes for court purposes.
Before I get into the reasons why they shouldn’t be used for investigator notes, let me note the reasons why investigators are using these products currently.
- Ability to edit notes
- Professional Presentation: Correct any spelling, grammatical errors or omissions
- Easily include images or external files
- Include screen captures from webpages and computer applications
As a result, some investigators feel electronic documentation provides a more professional form of their notes as they are able to correct these issues prior to providing them to colleagues or the courts.
I agree with this statement 100%.
But if notes can be changed at a later date with no previous history of the contents originally entered, can they really be considered and trusted to be contemporaneous?
As we discussed in “Lawyers View on Contemporaneous Notes”, altering contemporaneous notes after the fact could result in witness impeachment if the original note was not kept.
Witness Impeachment: Definition
“Witness impeachment is the process of challenging the credibility of a witness in a trial. There are several ways by which a witness can properly be impeached.”
And does this open up Pandora’s Box for defense lawyer questioning?
MAC Dates & MetaData – Date Information is Easy to Alter!
Video’s showing how easily the Date & Time can be changed on an MS Word & PDF Document.
Will you be able to defend the authenticity of your MS Word or OneNote examination notes in court if questioned?
How will you explain changes?
Are you willing to be named in a judgement where the accused is found not guilty based on your lack of credible evidence?
The best option is to use an electronic note-taking system designed for court purposes so that you are confident in court.
Never Trust Notes Created with MS Word or OneNote?
I never stated that you shouldn’t TRUST notes created with MS Word or OneNote. I said…
But like everything in life, there are exceptions.
Your organization may have Document Management Systems (DMS) in place to track, manage and store electronic documents. As a result, MS Word and OneNote documents can be ingested into the DMS and therefore made immutable within the system.
Make MS Word and OneNote immutable with Forensic Notes
To make your MS Word and OneNote documents immutable and court-ready, they can be added as attachments to Forensic Notes or copied into the editor.
Other organizations may have processes in place to Digitally Sign and Timestamp the documents as they are created.
But the reality is that most small and medium sized organization will not have any systems in place and this is why I believe you should never use MS Word or OneNote.
Neither product is designed to create court-ready documentation without using other systems or services to make the documents immutable.
But should you TRUST notes that haven’t been properly saved into a DMS or immutable system like Forensic Notes?
If there is no reason to question the credibility of the investigator or witness, then there is no reason to question the credibility of the notes they say they made.
A similar point was recently brought up in a Terrorism case (R. v. Hamdan, 2017 BCSC 676) within the BC Supreme Court (Canada).
The defense expert questioned the tools and systems used to acquire Open-Source (OSINT) evidence on the suspect.
The decision then discussed the Canadian Evidence Act.
 Section 31.5, though not referred to by the parties, allows a court to consider evidence about standards, procedure and usage when determining the admissibility of a document under any rule of law:
31.5 For the purpose of determining under any rule of law whether an electronic document is admissible, evidence may be presented in respect of any standard, procedure, usage or practice concerning the manner in which electronic documents are to be recorded or stored, having regard to the type of business, enterprise or endeavour that used, recorded or stored the electronic document and the nature and purpose of the electronic document.
Within the judges’ decision, he writes…
 When I consider all of these circumstances, I conclude there is no basis for concluding that evidence was lost through unacceptable negligence…
The defence submission that the RCMP should have considered better software and techniques has some traction as of that time…
The RCMP understood it had accurate screenshots of those posts and the associated Timelines…
In these circumstances, I find that it was not unreasonable for the RCMP to continue with the process it had in place.
 This decision should not be seen as endorsing the use of less-than-forensic-grade software to capture and preserve social media evidence.
My conclusion that the police conduct did not reach a level of unacceptable negligence at the later stages of the investigation is driven, in large part, by three considerations:
first, the police efforts to preserve the evidence were genuine and extensive;
second, the Crown obligation to disclose relevant information appears to have been satisfied by the considerable material produced…
and third, the collection and preservation of social media evidence by the police is a relatively new process and, prior to this case, there was no established RCMP policy or procedure and no legal standard for doing so.
I expect that, if the police procedures do not improve, subsequent decisions may find the police action to be unreasonable.
 In summary, I conclude that Mr. Hamdan’s s. 7 right was not breached by the manner by which the Key Posts and associated Timelines were captured and preserved.
One of the key points from the above excerpts is that the judge accepted the evidence as the ‘police efforts to preserve the evidence were genuine and extensive’.
The judge had no reason to question the authenticity of the evidence or what it meant.
This would be the same for notes created in a less than fool-proof way where they are not made immutable.
But the judge did end by stating…
subsequent decisions may find the police action to be unreasonable
Supreme Court of British Columbia – Canada
As a community, we need to look at ways to improve our processes and ensure significant cases are not lost due to technicalities or questions around a witness’s credibility unless there is evidence to support those concerns.
As a result of the above court case which specifically named “Hunchly” as a product designed to properly capture data during OSINT investigations, many departments are now purchasing and using this software to ensure they are following best practices going forward for all their open-source investigations.
Even Michael Bazzell, who is well known as an expert within the OSINT community recommends Hunchly saying..
The support from Justin and the team alone is worth the price ten-fold.
OSINT Expert – Founder: inteltechniques.com
So should you TRUST notes created with MS Word and OneNote?
Yes, unless you have a reason to question the credibility of the author.
If this is the case, the use of MS Word or OneNote could cause serious issues in the courtroom should the opposing party also question the authenticity of the notes created or if they were modified after the fact.
Electronic Note-Taking Application
Electronic Note-Taking applications offer the best of both worlds if designed and used properly. But remember, not all applications are created equal.
When deciding on what electronic note-taking application you want to use, you will have to consider your specific needs and requirements not only now, but in the future when your case finally goes to trial.
Does the application:
Replicate court accepted practices, by
- Functioning like a paper notebook, which has been trusted in courts for decades?
Secure your data, by
- Properly protecting the data using advanced encryption techniques?
Make your evidence Immutable, by
- Obtaining a Timestamp for every note entered from a Trusted Timestamping Authority (TSA)
- Using a Blockchain to further ensure no tampering?
Provide an intuitive & user-friendly interface, that allows you to
- Arrange notes to make your investigations easier to manage?
- Easily find items via search?
Provide advanced features, such as
- Including images in your notes?
- Automatically hashing (MD5 & SHA512) all attachments and images
Simplify Court Disclosure by:
- Showing that all notes were disclosed
- Allowing the prosecution and defense to quickly verify your notes are authentic and were not altered after disclosure.
And finally, is the application run and managed by trusted members in your community?
When choosing an Electronic Note-Taking Application, you should select an application that works the way you work instead of being forced to work within the constraints of the application they provide.
Forensic Notes has been designed to solve all the issues discussed in this article and is available both online (SaaS) and On-Premises.
In this article, I hope I was able to show you how to properly take contemporaneous notes during an investigation and why you should never use MS Word or OneNote for contemporaneous note-taking purposes.
Both are great products, but simply not designed to replicate paper bound notebooks which have been accepted in the courts for decades.
Some may continue to use a good pen and paper notebook to take notes during an investigation, but if you are looking to go digital, then Forensic Notes has been designed for you.
Have confidence when you go to court, knowing that the notes you created during your investigation will be accepted and trusted.
If you have any questions about Forensic Notes or regarding this article, please don’t hesitate to contact me directly.
Founder – Forensic Notes
Robert Merriott has been a municipal police officer for over 13 years working as a frontline police officer, tactical operator, and most recently as a detective in the Technological Crime Unit specializing in Digital Forensics and Cybercrime.
Prior to his policing career, Robert obtained a Bachelor of Science in Computer Information Systems and worked in the private sector as a web application developer. While working as a developer, Robert was awarded Microsoft MVP status and was a founding board member of the ASPInsiders, an organization that worked closely with Microsoft to provide expert feedback on the development of the ASP.NET web application framework.
Robert founded TwiceSafe Software Solutions Inc. (Forensic Notes) after realizing the need for a digital note-taking application that would meet the high standards of digital forensic evidence in the courts.
DISCLAIMER: This article is not meant to provide legal advice or information. Legal statements made are only provided as guidance for the reader to seek professional legal advice within their jurisdiction. No information contained within this article should be acted upon without discussing the merits of such information with a legal professional. The author of this article is NOT A LAWYER and takes no legal responsibility for the information presented.