My Road to Digital Forensics Excellence

The All-Important Case Notes

Posted by Paul Bobby on November 4, 2008

A crucial part to any investigation is the taking of crisp, clear and repeatable case-notes. The key is to not construct a restrictive procedure for the creation, format and contents of the case-notes since the nature of investigation, especially digital forensic investigations do not lend themselves to a repetitive process: short of a very few common steps. Case notes should be free form; the application, whether it be a piece of paper or electronic note-taking software, should allow for creative freedom in both the recording of notes and the data that can be included in them.

For a while I would use paper, and paper only, for my case-notes. This choice was made consciously as I had yet to find a tool that I could cope with. Along came Microsoft OneNote, and I’ve never looked back. Let me share with you how I use OneNote.


OneNote is about as freeform as you can get. To put some sort of organization to my case notes, I’ve created a blank template with the pages/sub-pages that you can see in the image to the left.

The Allegation contains a freeform description of just what exactly the case is about. The People Involved list those individuals involved in the case, either directly a part of the allegation, or individuals I can contact further information, or individuals I should not contact at all.

The Evidence List contains a summary of all items that will be used as evidence for my investigation, and each sub-page contains details (typically a Disk report from Encase).

The Technical Analysis contains a list of approaches regardless of the type of investigation (more on this later), followed by a series of sub-pages. Document Analysis is typically Office documents and their contents/significance. Case Startup contains any items of interest arising from the case-startup procedures (more later).  If Enterprise Encase was used, Snapshot and Memory Analysis may contain items of interest from the snapshot or memory dump taken from the remote asset.

Malware investigations often benefit from the analysis of Antivirus and other Malware prevention products installed on the computer. Very often, these logs provide the initial timeframe to begin a file system analysis.

Notable Software, dependent on the investigation type, records name, path, hash and timestamps of folders/files on the evidence. Media Analysis records items of interest about multimedia files, including static images. Email Analysis, Internet Activity Analysis and Registry Analysis are straightforward enough.

The Summary of Findings contains a timeline/skeleton of Final Report items.


For each investigation I take this template and re-save it using the Case number, and save it to my Case directory. This becomes the case notes for the investigation.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: