Capturing Evidence & Notetaking
Table of Contents:
- What Do I Note?
- Sticky Notes
- Search & Capture
- Contemporaneous Notes
OSINT INVESTIGATIONS – The Right Way
OSINT (Open Source Intelligence) has gone mainstream. Not long ago, OSINT was something tech-savvy investigators did off the side of their desk. As agencies became more aware of its value, OSINT became the domain of specialized OSINT investigators. And today the expectation is that all well-rounded investigators need to understand and be able to perform their own rudimentary OSINT research.
With the vast amount of personal information individuals are posting about themselves (and their friends and family) online, no longer can you expect a few specialized investigators to capture everything on the Internet, especially as this information is volatile and can disappear just as quickly as it goes up.
However, doing OSINT correctly is important. Investigators and analysts are often tasked with conducting OSINT with little training and instruction on how that information should be documented, captured or later disclosed. This is partly because many people falsely equate OSINT work with simply knowing how to “Google”.
The other issue that arises is that Open Source Intelligence, especially when completed for Law Enforcement purposes, can cross the line from “Intelligence” to “Evidence”. This is a significant line to cross, as ‘evidence’ means your OSINT work may very likely come under court scrutiny.
Not surprisingly, this has led to case law requiring improved procedures and tools for conducting OSINT investigations. One well-known case in Canada is [R v Hamdan].
subsequent decisions may find the police action to be unreasonable.
Honourable Mr. Justice Butler
Supreme Court of British Columbia – Canada
OSINT is important work and it requires execution in a purposeful manner. This is where using Hunchly and Forensic Notes can improve and simplify your OSINT investigations and aid in your findings being accepted in a court of law.
Hunchly and Forensic Notes cover two vital elements that may come under scrutiny months or years after your investigation:
- Ensuring your capture is a true and accurate representation of what you observed;
- Contemporaneous notetaking.
Conducting OSINT investigations can be tedious and time consuming, especially when you are capturing and documenting all your findings.
There are a number of questions an Investigator must ask and find solutions to, such as:
- How do I capture a wide variety of webpages (often with scrolling content)?
- What format should I save webpages in (PDF, HTML, PNG)?
- Should I capture every page I view?
- Can I trust that the software tools I find online are not transmitting sensitive information to third parties or organizations?
- How do I remember search terms used during my investigation and the search sites used?
This is where Hunchly comes in.
Hunchly is an incredibly powerful software tool that will save you time and eliminate the headaches and stress in trying to capture every detail of your on-line investigation. Hunchly is highly recommended by some of the most renowned people in OSINT, including Michael Bazzell at IntelTechniques.com, and is the tool of choice for law enforcement agencies around the world.
There are other web capture tools out there that you will also find useful from time to time. Hunchly, however, is quite distinctive in that it is a purpose-built web capture tool designed for conducting OSINT investigations. This becomes quite apparent when you begin to use Hunchly. It not only does a great job capturing webpages, but it also helps you conduct your investigation and organizes your results for reporting and disclosure in court.
Hunchly is light-weight and runs as an extension in your Chrome web-browser. Once installed, it’s a simple click to activate or deactivate the capture function. When activated, it begins to capture every search you make and every web page you visit, with no further action on your part.
This is more powerful and helpful than you might expect!
You are tasked with conducting OSINT research on a target in a homicide. The detective provides you with a name and possible associates, but states that no other information is known as the incident had just occurred.
As you research on-line you become overwhelmed with the amount of information you are finding and have no idea what might be relevant. The next day, you speak with the detective who mentions that sand was found on the body of the victim, to which you quickly say, “I saw a picture posted on the suspect’s Instagram account showing a picture of him by the beach”. Believing you have a key piece of evidence, you quickly log into your computer and navigate to his Instagram page, only to realize that you can’t find the picture. It has been deleted!
This is where Hunchly really saves the day. Remember, it captures EVERYTHING you view and does so in a forensically acceptable manner. Now, instead of losing that key piece of evidence, you can simply look back through your Hunchly history to find the information you already found!
Remember: the internet is a live and constantly changing source of information.
A Facebook post that was once publicly visible might suddenly become private (or deleted) by the time you decide to go back and review it. Or perhaps the information is still there but you can’t remember the web trail you took and can’t find your way back to that key bit of information.
Going back to the example above, what if the suspect had multiple social media accounts all with thousands of posts and pictures?
How many additional hours will you spend trying to find the potentially deleted images if you are not even sure it was an Instagram post rather than something posted on a different social account? Hours, days?
I can guarantee this will be the most frustrating hours or days of the investigation, not only for you, but also for the lead detective who will be likely looking over your shoulder for the big break in her case.
Life is too short not to use Hunchly!
In our OSINT Guide we’ll explore even more Hunchly features, including:
- How to highlight key information such as username, email, phone and address using “selectors”.
- Categorizing your findings with “tags”
- Disclose your captures
- Capture metadata
- Adding notes
This last feature, adding notes, ties into the next key concept of OSINT and note-taking.
A great feature of Hunchly is that it allows you to add notes to web captures. This is helpful to give context (for yourself or others) on how or why particular web captures are relevant. BUT don’t confuse this great note feature with your “investigative notes”. Yes, Hunchly keeps a great record of OSINT data, but there is still an important need for contemporaneous notes.
This is where Forensic Notes complements Hunchly.
Why Forensic Notes
You may ask,
“Aren’t my web captures (screenshots) basically my notes?”
“Why do I need to take additional notes?”
The answer is that there is a lot more to OSINT than just what you saw and captured online, especially if you are going to end up in court.
First, you should be making notes about why you are even conducting the investigation in the first place.
- Who requested that you assist in this investigation?
- What or who were you asked to investigate?
- Were you provided with any information to begin your search, such as names, usernames, birthdays, addresses, email addresses, phone numbers, etc?
- Did you use any police databases to help determine or corroborate information you found online?
- What did you find online?
- Who did you notify about your findings?
Notes are also about your own CYA. Consider this, what if you had discovered some key information that would have pushed an investigation forward, but months later it turns out no one ever acted on that information. Whether honestly forgetting or trying to protect themselves, the investigator blames you, alleging that you never provided that information. Having notes that show otherwise could keep you out of the hot-seat!
So, if you are convinced that note-taking is an important part of OSINT, there’s good reason why you should be using a tool like Forensic Notes to take the BEST notes.
When it comes to taking notes, hopefully it’s obvious that the old pen and paper way of taking notes is really unsuitable for OSINT (though it’s much better than making no notes at all).
Digital notes are easier to read for both you and others. They are also more efficient and help you record information more accurately. For example, consider recording URLs:
Would you really want to copy that out by hand?
Probably not, and even if you wanted to, there is a very high chance you would record it incorrectly. The power of digital note-taking can come down to this simple phrase: “copy & paste”.
Copy & Paste will not only save you a lot of time, it will ensure you don’t make typos and other errors when it comes to recording the content you view online.
For OSINT, digital notes really are the way to go. So, the next question is, “Why can’t I just use Word, Excel, Notepad, etc?”
It simply comes down to the strict rules for Law Enforcement surrounding acceptable note-taking – requirements that just can’t be met with typical word processing applications.
For hand-written notes, you keep notes in a notebook and are forbidden from removing pages, using white-out, or leaving blank spaces. This ensures that an officer’s notes can be shown in court to be unaltered and that no notes are missing from the notebook. With a typical word processing application, you could change your notes days, weeks, years later and it’s quite possible that no one would be able to track or identify those changes. Well, unless you use a font that didn’t exist at the time you claim your notes were made.
The reason for this demand on Law Enforcement note-taking is that memory is fragile, and the more time passes, the less reliable it becomes. That’s why it’s vital to take notes as soon as practical after an event, to ensure nothing important is forgotten or perhaps worse, remembered incorrectly.
Before being allowed to refer to your notes in the courtroom, the judge will want to know if they were made contemporaneously. Making notes days, weeks, or months later greatly reduces their reliability and any weight the judge or jury may give to them.
With this in mind, individuals may feel tempted to “backdate” their notes when they realize they forgot to write something down. This is where Forensic Notes keeps you honest while also ensuring you can prove your notes are authentic and unaltered from the time you made them.
Forensic Notes is designed to give users the ease of recording digital information (like complex URLs) while maintaining the security and integrity of a bound paper notebook. This security is provided by a process much like the blockchain, where every note is tracked and verified via its hash and timestamp.
Lastly, the true power of Forensic Notes is that if you don’t want to change your current note-taking method, you can keep it and then add your notes, such as word-processing documents, directly to Forensic Notes to get access to the same verification features. Simply upload almost any type of file to obtain the same security and authentication as making notes directly in Forensic Notes.
And if you aren’t ready to give up the pen & paper, Forensic Notes also allows you to take hand-written notes with a stylus, on an Android tablet or an Apple iPad.
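The hash-and-timestamp chaining described above, as an added example that is not part of the original guide and not Forensic Notes' own code: each note's hash covers the previous note's hash, so an edited or backdated entry is detectable. The record layout, function names and sample notes are assumptions, and timestamps are supplied by the caller, whereas a real service would take them from a trusted time source.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first note in a notebook


def note_hash(prev_hash, ts, author, text):
    """SHA-256 over the note fields plus the previous note's hash."""
    payload = json.dumps(
        {"prev": prev_hash, "ts": ts, "author": author, "text": text},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def append_note(chain, ts, author, text):
    """Append a note. ts is an ISO 8601 UTC string, so string order is time order."""
    prev = chain[-1] if chain else None
    if prev and ts < prev["ts"]:
        raise ValueError("timestamp earlier than previous note (backdating)")
    prev_hash = prev["hash"] if prev else GENESIS
    entry = {"ts": ts, "author": author, "text": text, "prev": prev_hash,
             "hash": note_hash(prev_hash, ts, author, text)}
    chain.append(entry)
    return entry


def verify_chain(chain, trusted_head=None):
    """Return a list of (index, problem); an empty list means the chain is intact.

    trusted_head is the last hash as recorded somewhere the note-taker cannot
    change (assumption: a third party holds it). Without it, someone who
    rewrites a note and recomputes every later hash goes undetected.
    """
    problems, prev_hash, prev_ts = [], GENESIS, ""
    for i, e in enumerate(chain):
        if e["prev"] != prev_hash:
            problems.append((i, "broken link"))
        if note_hash(e["prev"], e["ts"], e["author"], e["text"]) != e["hash"]:
            problems.append((i, "content altered"))
        if e["ts"] < prev_ts:
            problems.append((i, "timestamp out of order"))
        prev_hash, prev_ts = e["hash"], e["ts"]
    if trusted_head is not None and prev_hash != trusted_head:
        problems.append((len(chain) - 1, "head mismatch"))
    return problems


def demo():
    # Constructed sample notes, loosely following the beach-photo scenario.
    chain = []
    append_note(chain, "2024-03-01T09:15:00Z", "analyst1", "OSINT request received from lead detective.")
    append_note(chain, "2024-03-01T10:02:00Z", "analyst1", "Saw beach photo on subject's account.")
    append_note(chain, "2024-03-02T08:30:00Z", "analyst1", "Told lead detective about the photo.")
    head = chain[-1]["hash"]

    # Case 1: a stored note is edited in place.
    edited = copy.deepcopy(chain)
    edited[1]["text"] = "Nothing relevant found."

    # Case 2: the notebook is rebuilt with the changed note and fresh hashes.
    rebuilt = []
    for i, e in enumerate(chain):
        append_note(rebuilt, e["ts"], e["author"],
                    "Nothing relevant found." if i == 1 else e["text"])

    return (verify_chain(chain, head), verify_chain(edited, head),
            verify_chain(rebuilt), verify_chain(rebuilt, head))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third result is empty: a rebuilt notebook is self-consistent on its own, and only the externally held head hash exposes the rewrite.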
In this Guide we’ll explore how to conduct an OSINT investigation using Hunchly & Forensic Notes to help ensure your investigation is documented properly.
To begin, we’ll need to set up both applications.
Don’t worry, it only takes a couple minutes to get both up and running – and they both offer free trials!
Get Hunchly
Visit: https://www.hunch.ly/
- Click on “TRY IT FREE”
- Enter your name & email and you’ll receive a trial license via email.
- Follow the simple instructions to download and install Hunchly
- You may also need to install Chrome (if you don’t already have it).
- You now have 30 days to try it out!
Get Forensic Notes
Visit: https://www.forensicnotes.com/
- Click on “CREATE ACCOUNT”
- You’ll be brought to a pricing page where you can select “Start My Free 7-Day Trial”
- Yes, it REALLY is free to try.
- You won’t be asked for any payment details.
- You’ll then be brought to the sign-in page.
- Create your account by:
  - logging in via an existing Google or LinkedIn account, or
  - clicking the “Sign up now” link. You will be required to enter an email and complex password.
- You will need a phone number to enable Multi-Factor Authentication – which is mandatory.
- Follow a few more onscreen instructions and you’ll be brought to the Forensic Notes notetaking screen.
Let’s Begin an Investigation
Let’s conduct an Open Source investigation on Justin Seitz, the creator of Hunchly.
Like a lot of things in life, it’s better to start with a blueprint of how you will approach your investigation rather than simply jumping in.
Having a blueprint keeps your work looking more consistent, which is both beneficial to you and others who may review your work.
As you will see, Forensic Notes makes this process simple & easy to complete.
To begin, let’s create a folder structure that helps organize our notes.
Forensic Notes is built on the foundation of physical notebooks, but with some key advantages.
With a physical paper notebook, you might record multiple investigations in the same notebook (or be stuck with MANY notebooks!). Your notes for various investigations could be scattered among different pages and even different physical notebooks.
This makes finding information for just that investigation difficult and time consuming.
With Forensic Notes, we recommend you create a separate notebook for each investigation. This will keep your notes together and simplify disclosure or referring back to a specific note at a later time.
Forensic Notes also allows you to create folders to help organize your notebooks that might be on the same topic / year / or other relevant categorization.
Below is one example of how you might organize and name your notebooks for OSINT investigations.
- Folders to organize/group notebooks by year.
- Notebooks are named by File #, Offence Time, and Date Assigned.
You can always rename notebooks, and it’s easy to drag & drop folders and notebooks if you decide you want to change the way your notes are organized – all without affecting the content of those notebooks.
Once you have decided on a notebook structure, it’s time to start making notes.
The simplest method would be to just create notes as you go and they will be organized in chronological order. However, you have the flexibility to again name individual notes and organize them in folders. As shown in the example below, you could organize your notes on various sources of OSINT information as well as general notes about the requests and conversations with other investigators.
If you want an overview of how to quickly create notebooks and notes, and why they are different from your typical word document, watch the video below:
WHAT DO I NOTE?
So you have a blueprint for how to organize your notes, but what should you record in your notes?
To begin, you should document why you are conducting an OSINT investigation and what information you were given from the lead investigator or anyone involved with the investigation.
This might include:
- who provided the OSINT request?
- the purpose of the investigation
- information provided on the subject of the search such as:
  - email addresses
  - phone numbers
  - known social media accounts
  - known websites / URL associated with subject
It’s good to note this information now, because as your OSINT investigation progresses, you will likely come across a lot of additional information. If you don’t document now, looking back a few days later it might be difficult to recall the source of the information.
In the example below, we document that we have been provided with Justin’s first and last name, that he may be an author, and an associated email address.
You will also want to review your own notes to remind you of tasks you may not have yet completed. And if you are someone who loves sticky notes, Forensic Notes allows you to create reminders that you can clear once completed and that are not included when you download your notebooks.
SEARCH & CAPTURE
Now it’s time to get searching and this is where Hunchly comes into play.
Instead of having to note every search and every page you viewed, which is a lot of effort, Hunchly can track this for you. Not only that, Hunchly will save a copy of every webpage you’ve viewed, so you can always go back and review pages you’ve visited.
Let’s Watch How to Capture our First Webpage with Hunchly
If you followed along with the video above, you will have completed a simple Google search for “justin seitz”. We immediately found some results that could possibly be associated to our subject, including a Twitter and LinkedIn account.
Looking closer at the Twitter result, we see that Justin uses the Twitter handle “@jms_dot_py”. People often use one username for multiple sites, so this will be a great term to search later.
This leads to the next great feature of Hunchly – “selectors”. Hunchly allows you to add terms (names, usernames, URLs, email addresses, phone numbers, etc) as selectors so that Hunchly can track and identify that information if it appears on any webpage you access.
This can be helpful as you conduct your OSINT investigation, as any “selectors” that appear on webpages as you search can be highlighted directly in your Chrome browser, ensuring you don’t overlook key content. And because every webpage you viewed is saved locally on your computer, you can also go back and search all the past pages you viewed again for those selectors or new selectors that you discover throughout your investigation.
In the above example, by adding “jms_dot_py” as a selector we can quickly discover as we scroll through Google results that Justin also uses this username on two well-known sites, Medium and Reddit.
Okay, it’s time to learn how to use ‘selectors’ directly from Justin himself.
As you learn more about your subject, and add new details to your “selectors”, you will quickly see how much easier it is to find new sites as well as keep track of the ones you have already visited. In our example with Justin, we can quickly find a bunch of relevant information and great new selectors to add to our case:
- He is associated with an additional Twitter account: @hunchly
- There is an associated website: www.hunch.ly
- He also has a website called: automatingosint.com
- Confirm email address: firstname.lastname@example.org
- Claims to live in: Saskatoon, Saskatchewan
- Has a LinkedIn account: https://www.linkedin.com/in/seitzjustin/
- And another email posted on the LinkedIn account: email@example.com
Now you can add these selectors in Hunchly to ensure you are notified if they are found on other webpages you view.
As we go about searching all we can on Justin, we could capture hundreds or even thousands of webpages. Trying to manually organize all these captured webpages would be tedious and time consuming. Again, this is where using a purpose-built OSINT tool like Hunchly makes our lives much easier. Hunchly allows you to “tag” webpages to categorize them and make filtering and searching easier down the road.
For example, you might want to tag webpages with very general themes such as “Social Media”, “News Sites”, or “Search Results”. Once you create tags, you can quickly filter all the sites you have visited from the Hunchly dashboard to show only webpages tagged as “Social Media”. You can also filter to include your selectors, so we could filter on all social media pages that include “seitzjustin”.
And then you could still use the Hunchly search function to add additional text to filter your results on.
As you can see, this becomes incredibly powerful (and necessary) as you begin to collect hundreds of web captures.
Learn more about Tagging & Filtering directly from Justin
Hunchly does a great job capturing webpages effortlessly as you search. You can go back to refer to those pages months or years later and review what you saw. But as you can imagine, because every webpage you view is captured while you conduct your OSINT investigation, even with filtering and search tools, finding key information at a later date could be time consuming.
The efficient approach is to take great contemporaneous notes as you search. This is often the area where investigators drop the ball. It is generally more fun to just keep searching and going from website to website. But in the end, you need to be able to sum it all up and tell a concise story. Note-taking is key, as it ensures you document the milestones of your investigation, and improves the quality of your final report.
Your notes are also important to ensure you can accurately describe when and how you found information and what you did with that knowledge.
Notes are the foundation of your investigation.
For example, with Hunchly you can quickly capture a year’s worth of Justin’s tweets, but you may not actually review all those tweets until weeks later. When reviewing those tweets, you discover a key tweet that is highly relevant to your investigation and changes the course of the investigation. If you make no notes, and simply rely on the dates of your web captures, others may assume you saw that information weeks earlier and failed to properly act on it.
It is also important to remember that as an OSINT investigator you can easily stray beyond pure Open Source research and into a more invasive investigation. For example, OSINT investigators are often tasked with exigent files where key information for resolving the situation is in the hands of 3rd party ISPs. Considering that these are life and death situations, you want to ensure you keep good notes about what companies you called, when you called them, and whether they assisted in providing the needed information. To whom did you pass this information, and when?
No matter what the task, keeping good notes is part of being a good investigator.
Now, before we move on from note-taking, let’s discuss a note-taking feature in Hunchly that serves a different purpose, but is very helpful for flagging and later disclosing key web data discovered.
Let’s refer back to the example of going through a year of tweets and finding only one tweet of interest. That web capture will be quite long, and though you may need to disclose the entire history, you also really want to highlight the relevant tweet. While viewing your capture in Hunchly, simply right-click on the screen and choose the option to add a note. Hunchly will also take a new screenshot of whatever is currently being shown in the browser and then let you add a few lines of text to help give context on why this content is important.
This can be helpful to give context or remind you why a page was useful and works as a useful filter when building your reports.
Notes can be accessed via your Hunchly dashboard.
You are now done your investigation. How do you provide your work in Hunchly and Forensic Notes to the lead investigator, your client, or disclose to prosecution & defense?
Preparing for the disclosure of your work so others can use it is the last but perhaps most vital step. It’s important to be able to provide your work in a way that others can use to further the investigation for use in court.
Reporting for Hunchly & Forensic Notes is best explained by a couple of short videos.
Now let’s explore reporting in Forensic Notes:
OSINT is an exciting field of work and study. Hopefully this guide has given you some ideas on how to improve your OSINT investigations.
Remember, if the information you collect doesn’t stand up in the courtroom, all your efforts could be for nothing. Hunchly & Forensic Notes are built with the goal of ensuring your success in documenting your investigation and presenting your evidence in court.