In Part 1 of this series, I discussed my search for a tool to keep my forensic notes and research organized while providing readability and searchability. I decided on Microsoft OneNote as the ideal solution to fit my needs. In this post, I will show how I have decided to organize my OneNote notebook and the sections that go into it.
I started off by creating a new notebook for my forensic notes. I have multiple other OneNote notebooks, but I wanted to keep my forensic notes separate for multiple reasons, including better organization, password protection, and keeping forensic notes separate from personal notes.
For those that may not be familiar with Microsoft OneNote, there are a couple of different organization items that can be used within the notebook.
- Pages – resemble single sheets of paper in a three-ring notebook
- Sub-Pages – same functionality as pages but linked under the main page
- Sections – Can contain only pages grouped by common subject
- Section Group – Can contain sections or other section groups.
Within the new forensic notebook, I created four section groups.
- The cases section group will contain notes for all cases organized by year
- Utilized to store documentation for software, forensic articles, etc.
- Research & Validation
  - Documentation on any validation I personally perform of forensic software or techniques, as well as notes for any tests that I conduct on data or forensic processes
- Notes from any forensic-related training that I attend
In addition to the four section groups outlined above, I also created four sections within the notebook.
- User Manual
  - Section and pages used to keep documentation regarding how to use the notebook as well as the case template
- Check Lists
  - Used to store checklists related to either my forensic process, steps related to specific tools, etc.
- Case Template
  - A predefined group of pages and subpages that I use to keep all of my notes related to a case. Those pages are then used to help generate my report later.
The case template contains pages for information such as a case summary, which stores contact information, the case description, etc. A communication page contains a log of any email or correspondence related to the case, with subpages to store each piece of correspondence. An evidence page contains an evidence log as well as subpages for notes on each piece of evidence. There is also a page for analysis checklists, which list all items that must be completed for each piece of evidence. Finally, a report page is used to keep notes required for the report as well as to serve as a rough draft of the final report that will be submitted.
It is important to remember that one of the major advantages of Microsoft OneNote is the flexibility that it offers the forensic examiner. The organization of the notebook can easily be changed as needed without losing information and can be added to, modified, combined, etc. as the needs and the examiner's experience increase.
In Part Three of this series, I will discuss how I take information from my case notes to help generate my final report in Microsoft Word, as well as how I share information from within Microsoft OneNote with other individuals.