Time
1 hour 34 minutes
Difficulty
Advanced
CEU/CPE
1

Video Transcription

00:00
In this lesson, we'll talk about contemporaneous notes, often just referred to as notes, because contemporaneous is too many syllables.
00:09
We'll cover what notes are,
00:12
who should take them,
00:13
why they're important,
00:15
and what they should contain.
00:17
What are contemporaneous notes?
00:22
Contemporaneous notes are notes which are created during an enterprise security case, and which accurately record various aspects of the case as it progresses.
00:33
Contemporaneous notes must be created as soon as possible after an action or event takes place.
00:40
For example,
00:41
if an analyst is examining a device and runs a PowerShell command to parse data from an event log,
00:47
both the command and its output should be noted down as soon as possible after being run.
00:53
The more time that passes between the action being taken
00:57
and the notes being created, the less likely they are to be accurate,
01:02
the less timely the notes will be and the less credible they will be.
01:07
As we've discussed previously, credibility is a big consideration
01:11
during Enterprise Security Case management.
01:15
What should be recorded in contemporaneous notes?
01:19
Notes taken by an analyst should be detailed enough that another analyst could follow those same notes and achieve the same results
01:26
or arrive at the same conclusions.
01:30
If a command is run, record the command and its output.
01:34
If evidence is received, record as much detail about that evidence as possible,
01:38
such as date, time and location, and any other details.
01:44
In an ideal world, notes should be taken at every step of the process
01:49
and by anyone involved in the case management work, for
01:53
there are very few cases where having more notes after the fact will cause problems
02:00
and an inordinate number of situations where not having notes
02:04
when they're needed will cause major problems.
02:07
Physical versus digital notes
02:10
There are varying opinions on whether it is okay to take digital notes.
02:15
Personally, I think as long as the notes can be audited
02:20
and confirmed to have integrity,
02:23
there is no problem with taking digital notes.
02:25
In fact, digital notes offer a number of benefits, which traditional pen and paper notes do not.
02:34
First of all, there is hashing.
02:36
Notes can be hashed when taken digitally to ensure integrity
02:40
by providing cryptographic proof that they have not been modified since they were created.
02:46
Of course, there are further considerations to be made, like where to store the hashes
02:52
separately from the notes, to ensure that neither is changed.
02:55
Secondly, there is speed.
03:00
I am not able to take physical notes as quickly or as efficiently as I can type up notes.
03:07
In a lot of cases, traditional notes are transcribed anyway,
03:10
so why not cut out that middle step?
03:14
Digital notes also allow the analyst to copy and paste commands, tool output and anything else relevant to the case,
03:22
including screenshots if necessary.
03:24
Number three is an audit trail.
03:28
Depending on the method or tool used to create contemporaneous notes, digital notes can be audited.
03:34
For example,
03:35
notes created inside a wiki, SharePoint, or Confluence-like product
03:40
have automatic auditing built in,
03:43
which shows when notes were created, when they were modified and by whom.
03:49
This is not true of pen and paper notes.
03:52
Finally, number four is storage and backup, so multiple copies of digital notes are able to be kept,
03:59
PDF'd, hashed, etcetera, very easily.
04:02
The same can be done with physical notes, but they have to first be transcribed.
04:09
At the end of the day, it's up to your organization to determine what is the best fit for your use case.
04:16
Physical notes.
04:18
There are a few things which every analyst should know about taking physical notes.
04:25
One.
04:26
They must be taken in bound notebooks, never on loose sheets of paper or scrap paper.
04:31
Two. There should be no large gaps left between notes,
04:36
which would allow for surreptitious modification of the notes after the fact.
04:43
Three. There should be no blank pages
04:46
and all pages should be numbered.
04:49
So if there are any errors made while taking notes, like you
04:55
incorrectly write down a command or you
04:57
mistakenly put down the wrong timestamp or something like that,
05:00
these errors should only ever be struck through with a single line, such that the omission or the
05:08
error that has been removed or redacted
05:11
can still be read,
05:13
So that
05:14
evidence is
05:15
not seen to have been tampered with,
05:18
and then these changes, these errors that have been struck out, must be signed and dated.
05:24
Alternatively, errata can be appended at the end of notes in a notebook.
05:30
So, your number six.
05:30
They must be dated and timestamped, or at least they should be dated and timestamped.
05:35
Whenever you perform
05:38
any activity during a case
05:40
and you're taking your notes either physically or digitally, however you choose to take them, make sure that you date and timestamp at least the beginning and end of the notes. Ideally, each step of the process should be dated and timestamped,
05:53
and finally, make sure that the location of the notes is recorded.
05:57
So if you are out on a client site, or if you're at a warehouse that is owned by the organization instead of in your home office, make sure that that location is recorded, because it may later become relevant.
06:10
Most of these things should also be recorded in digital notes,
06:15
such as timestamps, locations, etcetera.
06:17
The idea is to record as much detail as possible
06:21
so that your notes can be relied upon later,
06:25
because you will have to refer to them in the future.
06:29
What should be recorded in contemporaneous notes?
06:33
So many things should be recorded, but at a minimum we want date and time,
06:39
location,
06:40
what was done, observed or heard, what actions were taken,
06:44
and why: why an action was taken or not taken in this particular instance.
06:48
So why take notes in the first place?
06:53
Well, firstly, the most common argument against taking notes is that analysts just don't have time.
07:00
This is absurd.
07:01
There is always a progress bar during analysis that you end up sitting and watching. So whenever there is free time during processing or analysis, notes can be taken.
07:13
Alternatively, if this truly isn't the case and you are unable
07:17
due to time restrictions to take notes,
07:19
notes can and should be taken as soon as possible after an event occurs
07:26
So the main reason
07:27
for taking notes is that human memory is basically like RAM.
07:31
It is volatile and easily corrupted over time.
07:35
If you can remember exactly what you did six months ago, including commands you ran and their output,
07:43
then maybe notes aren't necessary.
07:46
But if you can't then take notes,
07:49
Not taking notes in a lot of organizations is a fireable offence,
07:54
and rightly so. In my opinion, if you aren't taking notes, you aren't doing your job.
08:00
Take notes to protect yourself and your company because if you end up in court
08:05
unable to reliably and accurately recount what was done or found during an investigation, during an enterprise security case, you could be sued for the negative outcomes which result.
08:18
The key take away here is that
08:20
everyone involved in a security case should take contemporaneous notes.
08:26
You will thank yourself later.
08:28
In this lesson, we learned about contemporaneous notes.
08:31
We discussed what notes are,
08:33
who should take them,
08:35
why they're important and what they should contain.

Up Next

Enterprise Security Case Management

In this online course about Enterprise Security Case Management, you will learn about tools and techniques which help cybersecurity practitioners manage evidence and related case data to preserve their integrity.

Instructed By

Seth Enoka
Consultant
Instructor