For the assignment I am currently finishing off for the Open University module I am studying at the moment, on digital forensics, I needed to do some contemporaneous note taking. It sounds fancy but it just means notes written around the time of the events they record, ideally in a tamper-evident format. The old school approach is a bound notebook, from which pages can’t be removed without leaving a trace and which leaves little scope for substantial editing. That is why police traditionally write everything down in notebooks – these are regarded as admissible in court. However, this is the 21st century and we are losing the art of handwriting, while a legible and searchable repository of forensically sound notes is a very attractive proposition.
The course materials suggest a piece of software called CaseNotes written specifically for the task – it uses a ‘write once, read often’ paradigm and protects the integrity of note contents by recording a one-way hash of them (the result of which changes substantially with the smallest change to the original). Unfortunately it is only available for Windows or iOS, and the three operating systems I prefer to use are Linux, Mac OS X and Android. However, I have a clutch of command line tools; what could I brew from that?
I did a bit of work this morning pulling together a very simple system. My program (a bash script) requires a single argument. If it can’t find a text file with the same root name as the argument, it creates it, stamps the current date and time at the top and opens it in a text editor. If it can find the expected file (because I am running it after finishing a note taking session), it puts another timestamp at the end, renames the file to include the timestamp as the first part of the file name and sets it to be read-only. It also updates an index file with a hash generated from the contents of the file (I am using SHA-256 rather than the older, less robust MD5 used by CaseNotes) and the name of the file, and appends a hash of the index file to a second monitoring file.
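An added example of how such a tool can be put together, not the script from the post: it assumes a notes directory in NOTES_DIR, the file names index.sha256 and monitor.sha256, an optional NOTES_EDITOR variable for the editor step, and adds a verify function for checking the whole chain later.

```shell
#!/usr/bin/env bash
# Added example (not the post's own script): sealed, timestamped notes, an
# index of SHA-256 hashes, and a monitor file holding hashes of the index.
# Assumed layout: $NOTES_DIR/<name>.txt while open, <ts>_<name>.txt once sealed.
set -eu

NOTES_DIR="${NOTES_DIR:-$HOME/casenotes}"   # assumed default location

# Portable SHA-256 of a file: coreutils sha256sum on Linux, shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

stamp() { date -u '+%Y-%m-%dT%H:%M:%SZ'; }

# note <name>: first call creates <name>.txt with a start timestamp (opening it
# in $NOTES_EDITOR if that is set); second call seals it: end timestamp, rename
# to <timestamp>_<name>.txt, read-only, hash into index, index hash into monitor.
note() {
    local name="$1" file="$NOTES_DIR/$1.txt" index="$NOTES_DIR/index.sha256"
    local monitor="$NOTES_DIR/monitor.sha256" ts sealed
    mkdir -p "$NOTES_DIR"
    if [ ! -e "$file" ]; then
        printf 'Started: %s\n\n' "$(stamp)" > "$file"
        [ -n "${NOTES_EDITOR:-}" ] && "$NOTES_EDITOR" "$file"
        echo "$file"; return 0
    fi
    ts="$(stamp)"
    printf '\nClosed: %s\n' "$ts" >> "$file"
    sealed="$NOTES_DIR/$(echo "$ts" | tr ':' '-')_$name.txt"
    mv "$file" "$sealed"
    chmod a-w "$sealed"
    printf '%s  %s\n' "$(sha256_of "$sealed")" "$(basename "$sealed")" >> "$index"
    printf '%s  %s\n' "$(sha256_of "$index")" "$ts" >> "$monitor"
    echo "$sealed"
}

# verify: re-hash every sealed note against the index, then check the index
# against the latest entry in the monitor file. Returns 1 on any mismatch.
verify() {
    local index="$NOTES_DIR/index.sha256" monitor="$NOTES_DIR/monitor.sha256"
    local ok=0 hash name
    while read -r hash name; do
        [ "$(sha256_of "$NOTES_DIR/$name")" = "$hash" ] || { echo "TAMPERED: $name" >&2; ok=1; }
    done < "$index"
    [ "$(sha256_of "$index")" = "$(tail -n 1 "$monitor" | cut -d' ' -f1)" ] \
        || { echo "TAMPERED: index" >&2; ok=1; }
    return "$ok"
}

if [ "$#" -gt 0 ]; then note "$1"; else echo "usage: $0 <note-name>" >&2; fi
```

Run `note casename` once to open a note and again to seal it; `verify` walks the index and the monitor file and reports any note or index entry that no longer matches.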
If I wanted to cheat and change the contents of one of the files, I would probably have to regenerate all of the files and the index and monitor files and ensure the timestamps of the files matched those included at their ends; not impossible but time-consuming. It would be even better if I could also log access in one of the central system log files, giving another trail that would have to be meticulously cleared away. If I ever work on stuff which might go to court, then I might want a more validated approach (although I’m not entirely convinced that even CaseNotes would be impossible to spoof) but it will do for now! Hurrah for the command line and the plethora of tools which provide me with an ample supply of software Lego to cobble together little programs!