Not being a pen tester, I have been wondering how one would keep track of the information gathered during the test.

The way I see it, there is always the possibility of needing information you have gathered for legal/forensic reasons later so I imagine the amount of data kept and it's integrity should be high.

Not only that but there is tons of information to sift through on Google, etc.

Where would you keep and collate this? Is there a tool for this sort of thing? Do you just create a new SQL database every time? do you need to use a keystroke logger on your own machine plus some kind of mitm logger on the network? 

That is actually quite a lot of questions, sorry. 

Hi Breeze.

The answers you get will vary, to an extent.  It depends upon what tools you / the tester uses.  Many tools (such as Core Impact) setup a separate project with it's own mini database and logs, for each project you are doing.  GFI Languard behaves similarly, for record-keeping, for an individual test scenario.  But when using BackTrack or other tools, you often use other means and data folders for record-keeping, where you may file screen captures, logs, files you extracted from a customer machine, etc.  It's sort of based upon the tester, as to how you want to keep record, but you're absolutely correct, in that ALL records should be kept, both for clarification of what steps and tests were performed, as well as for your own safety, after the testing is performed, to cover your backside.  And as for how any / all of this data is collected to begin with, each tester has their own preferences, but in the end, it could be keyloggers, packet captures, screen captures, or any one of MANY other methods of capturing your activities for record.

Once my tests have been completed and the customer has signed off on the deliverables, I securely archive all of the data (won't go into how, as again, this changes per tester, and I prefer to keep my methods to myself,   ) and file it away, for future reference, if absolutely necessary.  (Otherwise I never open it again.)

Hope that helps, at least a little bit...

I won't discuss as far as safe deposit boxes, but I will tell you that in my case, all data, first is safely tar'd / zipped up into a passworded file and stored on encrypted file store, and I then store the encrypted files in an undisclosed, 'safe' location.

Again, as with the logging, it's all about preference, and yuo sort of have to work out what's best for you and for your customers' satisfaction and safety.