in this lesson, we'll talk about contemporaneous notes often just referred to as notes Prunella. Because contemporaneous is too many syllables,
we'll cover what notes are
who should take them,
why they're important
and what they should contain.
What are contemporaneous notes
and temporary gnaeus notes notes, which are created during an enterprise security case, which accurately record various aspect off the case. As it progresses,
contemporaneous notes must be created as soon as possible after an action or event takes place.
if an analyst is examining a device and runs a power show command to parse data from an event log,
both the command and outward should be noted down as soon as possible after being run.
The more time that passes between the action being taken
and the notes being created, the less likely it is to be accurate,
the less timely the notes will be and the less credible they will be.
As we've discussed previously, credibility is a big consideration
during Enterprise Security Case management.
What should be recorded in contemporaneous notes
notes taken by an analyst should be detailed enough that another analyst could follow those same notes and achieve the same results
or arrive at the same conclusions.
If a command, his run record, the command and its upward
if evidence is received, record as much detail about that evidence
such as date, time and location and any other details.
In an ideal world, notes should be taken at every step of the process
and by anyone involved in the case management work. For
there are very few cases where having more notes after the fact will cause problems
and an inordinate number of situations we're not having notes
when they're needed will cause major problems.
Physical versus digital notes
There are varying opinions on whether it is okay to take digital notes.
Personally, I think as long as the notes can be ordered it
and confirmed to have integrity,
there is no problem with taking digital notes.
In fact, digital notes offer a number of benefits, which traditional pen and paper notes do not.
First of all, there is hashing
notes can be hashed when taken digitally to ensure integrity
by providing cryptographic proof that they have not been modified since they were created.
Of course, there are further considerations to be made, like where to store the hashes
separately from the notes to ensure that neither are changed.
Secondly, there is speed.
I am not able to take physical notes as quickly or as efficiently as I can type up notes.
In a lot of cases, traditional notes transcribed anyway,
so why not cut out that middle step?
Digital notes also allow the analysts to copy paste commands, total output and anything else relevant to the case,
including screenshots if necessary.
Number three is an order trail,
depending on the method or tool used to create contemporaneous notes. Digital notes can be audited.
notes created inside a wiki SharePoint, or confluence like product
have automatic ordering built in,
which shows when notes were created when they were modified and by whom.
This is not true or pen and paper notes.
Finally, number four storage and backup so multiple copies off digital notes are able to be kept.
PdF hashed etcetera very easily.
The same can be done with physical notes, but they have to first be transcribed.
At the end of the day, it's up to your organization to determine what is the best fit for your use case.
There are a few things which every analyst should know about taking physical notes.
They must be taken in bound notebooks, never on loose sheets of paper or scrap paper
to. There should be no large gaps left between notes,
which would allow for surreptitious modification off the nights after the fact.
Three. There should be no blank pages
on all pages should be numbered.
So if there are any errors made while taking notes like you
incorrectly write down a command or you
mistakenly put down the wrong time stample or something like that,
these areas should only ever be struck through with a single line such that the our mission or the
the era that has been removed or related
can still be read.
not seem to have been tampered with
and then thes changes. These errors that have been struck out must be signed and dated.
Alternatively, Arana can be appended at the end of notes in a notebook,
so you're number six.
They must be dated in time stand, or at least they should be dated in time stamped.
Whenever you perform
any activity during a case
and you're taking your notes either physically or digitally. However, you choose to take them, make sure that you date and time stamp at least the beginning and end of the notes by Dele. Each step of the process should be dated in time snapped
and finally make sure that the location off the notes is recorded.
So if you are out on client site or if you're at a warehouse that is owned by organization instead of in your home office, make sure that that location is recorded because it may later become relevant.
Most of these things should also be recorded in digital notes,
such as time stamps locations. That's it.
The idea is to record as much detail as possible
so that your notes can be relied upon later,
because you will have to refer to them in the future.
What should be recorded in contemporaneous notes?
So many things should be recorded, but at a minimum we want date and time,
what was done, observed or heard what actions were taken
on, why, why in action was taken or not taken in this particular instance.
So why I take notes in the first place?
Well, firstly, the most common argument against taking notes is that analysts just don't have time.
This is absurd.
There is always a progress bar during analysis that you end up sitting and watching. So whenever there is free time during processing or analysis, notes can be taken.
Alternatively, if this truly isn't the case and you are unable
due to time restrictions to take notes,
notes can and should be taken as soon as possible after an event occurs
so that the main reason
for taking notes is that human memory is basically like RAM.
It is volatile and easily corrupted over time.
If you can remember exactly what you did six months ago, including commands Iran and their output,
then maybe notes aren't necessary.
But if you can't then take notes,
not taking notes in a lot of organizations is a fireable events,
and rightly so. In my opinion, if you aren't taking notes, you aren't doing your job.
Take notes to protect yourself and your company because if you end up in court
unable to reliably and accurately recount what was done or found during an investigation during on enterprise security case, you could be sued for the negative outcomes. Which result?
The key take away here is that
everyone involved in a security case should take contemporaneous notes.
You will thank yourself later.
In this lesson, we learned about contemporaneous notes.
We discussed what notes are
who should take them,
why they're important and what they should contain.