You’re going to receive a lot of different information from a lot of different sources, including emails, SharePoint assets, meeting recordings, instant messages, etc. Don’t keep these bits of information in their disparate locations. Extract the key information and record it in one centralized location. For me, this is as simple as creating a text document in my test’s folder in which I dump all of the relevant URLs, email extractions, scoping notes, etc. I even name it allthethings.txt. It’s the full body of knowledge for the test in one file. If you were to check my timestamps, you’d see that the file is created the day I receive so much as a whisper about the upcoming test.
Few things are going to cause you more aggravation than spending 20 minutes tracking down a tidbit of information that you need for three minutes of testing.
I go so far as to keep a list of preliminary findings and notes on interesting things in this file as well. However, organize your information in a way that makes sense to your process. Organize it in a portable format; portable meaning that if you have to pass the work on to another tester, it is arranged in a logical and centralized way. This will be immensely valuable should you have to pass the test on. You’ll also find the value should you yourself have to return to the test at a later time. Have you ever gone back and looked at poorly documented code that you wrote? Don’t make the same mistake with your penetration testing documentation. It’s a pain—and an avoidable one at that!