Read our recent interview with John Douglas, creator of the investigative note taking software CaseNotes, and find out about his background, how his tool works and why it can be beneficial to investigations.
Please tell us about yourself and the work that you currently do?
I’m a digital forensic scientist with a background in programming and systems architecture.
I’m the Technical Director at First Response and I head up the Incident Response Team. This work mainly revolves around assisting clients to respond to cybersecurity incidents, like ransomware attacks and other cyber breaches, that may have resulted in data loss.
Can you give an overview of what CaseNotes is and what makes it useful for investigations?
The whole purpose of CaseNotes was to provide a lightweight, standalone application for forensic analysts to record contemporaneous notes securely and verifiably during a forensic investigation.
This provides investigators with a tool that enforces a robust and reliable audit trail that will withstand significant scrutiny. Notes made during an investigation cannot be edited or changed later and are secured with multiple levels of MD5 hashes.
One of the key benefits of this tool to investigators is that, as notes are disclosable, there may be allegations that an examiner’s notes are either incomplete or that they were created after the event, to back-fill a requirement. CaseNotes provides a robust way for labs and examiners to prove the veracity of their notes to experts on the other side and to provide a level of reassurance to those involved that results can be relied upon.
What are the key features of CaseNotes that separate it from other note taking tools?
It currently does most of the things my original program specification that I wrote in 2003 does, but there have been some notable additions.
There are many key features, but the main ones are:
- Flexible configuration of case meta-data (case details, like the reference number, etc.)
- Secure ‘write-once, read-many’ style of case notes data capture and storage
- Full audit trail of case notes data entry and meta-data edits in a self-contained log
- Spell checker built in, with the ability to add/delete words from the dictionary
- A GUI interface builder for creating multiple checklists
- A templating function for storing text snippets for often entered phrases
- Tamper evident storage of data using internal MD5 hashes (and hashes of hashes!) for all data entered
- No heavy database technologies – all you need is the program and your SQLite case file
- Use of AES 512-bit encryption (optional) to further secure data in sensitive cases
- Storage of configuration information in user-editable, text-based .xml files
- Support for running multiple copies of CaseNotes at the same time, great for working on multiple cases simultaneously.
- Compatible with non-roman and double-byte character sets (Japanese, Russian, Greek, Chinese, Korean, Arabic …)
What were your motivations for creating CaseNotes?
When I was doing my Forensic Computing MSc at Shrivenham, I was asked “How can we rely on your note taking?” and I realised there was no way to prove that my notes had been made at the time and that they hadn’t been modified since.
I spent some time looking into what applications existed for note taking and found very little of use. The only tools present were part of much larger (and expensive!) enterprise level case management systems running on minicomputer systems, mainly in the health sector.
So, as a programmer, I decided to write something myself.
What difficulties did you face when developing this tool?
There weren’t too many problems – CaseNotes itself is a very simple application – it doesn’t do anything particularly complicated.
One issue I faced was finding a way to allow a user to enter in the details of a new note in an editable window, and then append that to the existing entries in the case, without creating the possibility for the user to alter the data in the main window.
Other issues came about when I integrated the spell checking capability and added in user created/edited check lists, but generally, these were eventually overcome.
I did originally consider only storing plain text data – but my colleagues at the time made a good case for full RTF support and also to store screen captures – so that got added too.
What challenges and/or surprises have you faced with training people to use CaseNotes?
At first, I only produced CaseNotes for myself and the other members of my team carrying out forensic work for UK law enforcement. Word quickly spread and it started to be used by a larger user base.
As I recall, by the end of 2005, we had over 1,500 users around the world. Today, we have a little more than 15,000, with users in just about every law enforcement agency you can think of.
What has been surprising is the wide variety of use cases – the obvious one is computer forensic investigations, but other teams also use it, for example when carrying out health & safety inspections.
We’ve never trained anyone to use CaseNotes; part of the design philosophy was for it to be intuitive to use – supported by a manual that explained the main functions and limitations.
I think most organisations that conduct examinations have a solid understanding of the legal requirement to make good notes, as described in various good practice guides for dealing with electronic evidence, so take up was organic.
I didn’t spend any time at all on marketing CaseNotes; I made one post on Forensic Focus to say it was available for download and it took off from there. It helps that it’s free I suppose. Lots of universities teach it as part of their forensic courses, which is also nice.
What do people need to know to be able to use CaseNotes effectively?
I’ve found the best way to use it is to have it open on a separate monitor on your examination machine – this makes storing screen captures from your forensic application much easier.
The next thing is: Read the manual! There’s a lot of good information tucked away there, so have a read – it’ll take you ten minutes and then you’ll be up and running.
Think carefully before you start your case about what data you’re likely to save. Your notes are obvious, but there are up to ten separate tabs available as scratch pad areas where to-do lists, exhibit lists and other useful data can also be stored.
It’s possible to automate boring and repetitive text snippets so you don’t have to type them out each time – you can also create check lists, as many as you like, so that the steps required for different types of examinations don’t get missed.
So taking a bit of time to prepare your case will save you time later.
Did I mention reading the manual?
CaseNotes launched in 2003 – how has it changed since then?
Not much really – the audit data was expanded in 2018 to cover aspects of ISO17025, but otherwise it’s remained remarkably stable.
The first version did use a proprietary binary format casefile, which was great for saving space, but it wasn’t easily upgradable. As a result, I switched to use a completely standard SQLite database to store notes in, on a case-by-case basis.
Using a standard SQLite database like this meant that users would potentially be able to alter data stored in it. So, this led to the implementation of multiple layers of MD5 hash verification, where each note is MD5’d, then all the notes are MD5’d and finally all the MD5 values are also MD5’d. If any hash value for any data component no longer matches the underlying data, then the user will receive a tamper warning. The case file will still operate perfectly well, but the warning will be recorded in the audit data and will be displayed to the user every time the case is opened.
Do you have any plans for CaseNotes in the future?
Not really – it pretty much does everything it needs to – it’s just a note taking engine, the whole premise was for simplicity.
There are a couple of minor bugs that I really should fix, but these days I simply don’t have time.
I have been considering, in recent months, putting the source code on GitHub and open sourcing the whole project – I’d be interested to hear from your readers what their thoughts are about that.
It would give other coders the opportunity to add in functionality that I’ve perhaps missed and to fix those bugs – my only reservation is exposing my terrible code for critique and ridicule!
Any final comments?
I’m very grateful to the forensic community that took the time to take me under their wing and teach me how to be a half decent forensic analyst.
Giving CaseNotes to the community was my way of paying everyone back. I’m glad that after such a long time, people still find it useful.
For more information about CaseNotes go to First Response: CaseNotes
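
The layered check described in the answer about the move to SQLite, sketched as an added example; it is not CaseNotes' code. The table layout, the length-prefixed concatenation and exactly which values feed each layer are assumptions, since the interview gives only the three-layer outline.

```python
import hashlib
import sqlite3

def md5_hex(parts):
    """MD5 over length-prefixed parts, so part boundaries stay unambiguous."""
    h = hashlib.md5()
    for p in parts:
        raw = p.encode("utf-8")
        h.update(len(raw).to_bytes(8, "big") + raw)
    return h.hexdigest()

def column(db, name):
    return [r[0] for r in db.execute(f"SELECT {name} FROM notes ORDER BY id")]

def reseal(db):
    all_notes = md5_hex(column(db, "body"))                  # layer 2: all notes
    hashes = md5_hex(column(db, "note_md5") + [all_notes])   # layer 3: all MD5 values
    db.execute("UPDATE seal SET all_notes_md5 = ?, hashes_md5 = ?", (all_notes, hashes))

def new_case():
    db = sqlite3.connect(":memory:")  # constructed stand-in for a case file
    db.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT, note_md5 TEXT)")
    db.execute("CREATE TABLE seal (all_notes_md5 TEXT, hashes_md5 TEXT)")
    db.execute("INSERT INTO seal VALUES ('', '')")
    reseal(db)
    return db

def append_note(db, body):
    """Append a note with its own MD5 (layer 1), then reseal layers 2 and 3."""
    db.execute("INSERT INTO notes (body, note_md5) VALUES (?, ?)", (body, md5_hex([body])))
    reseal(db)

def verify(db):
    """Return tamper warnings; an empty list means every layer still matches."""
    warnings = []
    for note_id, body, stored in db.execute("SELECT id, body, note_md5 FROM notes ORDER BY id"):
        if md5_hex([body]) != stored:
            warnings.append(f"note {note_id}: note hash mismatch")
    sealed_notes, sealed_hashes = db.execute("SELECT * FROM seal").fetchone()
    if md5_hex(column(db, "body")) != sealed_notes:
        warnings.append("all-notes hash mismatch")
    if md5_hex(column(db, "note_md5") + [sealed_notes]) != sealed_hashes:
        warnings.append("hash-of-hashes mismatch")
    return warnings

if __name__ == "__main__":
    case = new_case()
    append_note(case, "10:02 Imaged exhibit A")  # constructed sample note
    case.execute("UPDATE notes SET body = '09:00 Imaged exhibit A' WHERE id = 1")
    print(verify(case))  # edit made outside the application: layers 1 and 2 warn
```

Because layer 3 in this sketch is computed over the stored hash values, it still warns when a note and its own hash have been changed together.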