In search of the smoking gun, forensic investigators must wade through growing volumes of digital evidence across an increasing number and variety of sources. Sometimes it’s hard enough just keeping in mind all the details of the case you’re working on right now. But what if the key to your current case is lying in a matter one of your colleagues or another agency is investigating?
The facts that will prove or disprove a case may not be limited to the same investigation, the same agency, or even the same country. If we are to have any hope of putting together the separate pieces of the puzzle, we must be able to share forensic intelligence quickly and efficiently – both internally and with other investigative agencies.
Current challenges to collaboration
Many forensic investigators are acutely aware of just how important it is to share intelligence internally and externally. But these efforts often fail at a practical level. Small budgets and lack of resources can make this sharing prohibitively expensive and time consuming.
Forensic investigation using traditional methods requires examiners to analyse each data source individually. With this approach, investigators struggle to compare information between individual evidence sources in a single investigation, let alone across multiple investigations. Large-scale investigations in areas such as counter-terrorism and serious and organised crime may involve data from multiple suspects, each with up to a dozen potential evidence sources.
The connections between people, objects, locations and events can be critical in providing intent or collusion, but often they are not immediately obvious. It would take superhuman skill to mentally correlate connections from a single suspect’s hard drives, mobile devices, instant messages, cloud email, cloud storage and social media interactions. Multiply this by the number of suspects in an investigation and the task is staggering.
Harness brainpower with technology
The answer for investigators lies in using technology to give them the ability to work smarter rather than harder, and then putting in place workflows to effectively share relevant and actionable intelligence.
Effective investigation technology lets people share intelligence, collaborate across geographic and jurisdictional boundaries, and find seemingly hidden connections across very large volumes of data and many evidence sources. Being able to visually represent and analyse that data provides a rapid shortcut to the key facts and connections of a case. Here’s how technology can be applied in the right places to assist human investigators.
Using the traditional digital investigation model, investigators must manually compare intelligence items across each evidence source. Advanced investigative tools use a “named entities” model to extract intelligence items that follow a recognisable pattern of letters and numbers, anything from personal or company names to credit card or passport numbers. Because these are pattern matches, a sensible extractor validates candidates where it can (for example, running a checksum over a candidate credit card number) rather than treating every run of digits as a hit.
Having identified relevant intelligence items, investigators can see instantly which suspects have those items in common across all the evidence sources in the case. Typically they can also identify who shared what, with whom and when, using techniques such as timelines and network diagrams.
This ability to extract lists of relevant named entities makes it simple to compile and share libraries of intelligence related to investigations. Agencies can assemble lists of relevant names, email addresses, phone numbers, bank account numbers or other intelligence items and search any available evidence sources for those lists. These lists are easy to share with other agencies, who can quickly search their case files for the same items to see if any connections emerge.
As digital evidence becomes larger and more complex, investigators’ greatest struggle is not a lack of information, but having too much to make sense of. Visually representing large volumes of data can be a fast way to locate the key facts and connections within the case. It enables people, even with limited technical knowledge, to follow a hunch or idea down to very specific details in a matter of seconds.
For example, you could filter an entire evidence set to just email messages within a relevant date range that contain credit card numbers or personally identifiable information. If that still returns too many results, you could use other techniques such as suspect names or keyword searches to further filter the evidence. Then you can use a network diagram to see who is emailing sensitive material to whom.
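The following is an added example, not Nuix’s code or anything from the original article, showing in miniature what the named-entity workflow above and the list-sharing workflow before it look like in practice: extract entities from a handful of constructed evidence records spread across three suspects and several sources, find which entities the suspects have in common, search the evidence for a watchlist supplied by another team, and filter emails in a date range that carry a card number down to sender-to-recipient edges for a network diagram. All names, addresses, numbers and the two-letter-plus-seven-digit “passport” format are made up for illustration; real extractors carry many more patterns and per-country validation.

```python
import re
from datetime import date
from collections import defaultdict

# Constructed sample evidence spanning three suspects and several sources.
# Every name, address and number below is made up for this illustration.
EVIDENCE = [
    {"suspect": "A", "source": "laptop/Outlook", "kind": "email", "date": "2014-03-02",
     "from": "alpha@example.com", "to": "bravo@example.com",
     "text": "Use card 4111 1111 1111 1111 for the booking, ref PA1234567"},
    {"suspect": "A", "source": "phone/SMS", "kind": "sms", "date": "2014-03-05",
     "from": "+441632960111", "to": "+441632960222",
     "text": "call me on +44 1632 960222"},
    {"suspect": "B", "source": "cloud/Gmail", "kind": "email", "date": "2014-03-09",
     "from": "bravo@example.com", "to": "charlie@example.com",
     "text": "forwarding: card 4111 1111 1111 1111, account GB29NWBK60161331926819"},
    {"suspect": "B", "source": "desktop/Chrome", "kind": "web", "date": "2014-02-01",
     "from": "", "to": "",
     "text": "order total 1234 5678 9012 3456"},  # looks like a card but fails Luhn
    {"suspect": "C", "source": "tablet/Mail", "kind": "email", "date": "2014-05-20",
     "from": "charlie@example.com", "to": "delta@example.com",
     "text": "passport PA1234567 attached"},
]

# Extraction patterns. Card and phone patterns are deliberately broad and the
# candidates are validated or normalised afterwards. The passport pattern is a
# hypothetical format chosen for this example, not any real document standard.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "phone": re.compile(r"\+\d[\d ]{8,14}\d"),
    "passport": re.compile(r"\b[A-Z]{2}\d{7}\b"),
}


def luhn_ok(digits):
    """Luhn checksum: rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def extract_entities(record):
    """Return the set of (type, normalised value) entities found in one record."""
    found = set()
    haystack = " ".join([record["from"], record["to"], record["text"]])
    for kind, pattern in PATTERNS.items():
        for match in pattern.findall(haystack):
            value = match
            if kind == "card":
                value = re.sub(r"[ -]", "", match)
                if not luhn_ok(value):
                    continue  # drop false positives such as order totals
            elif kind == "phone":
                value = match.replace(" ", "")
            elif kind == "email":
                value = match.lower()
            found.add((kind, value))
    return found


def shared_entities(evidence):
    """Map each entity to the suspects whose evidence contains it; keep those seen for more than one suspect."""
    seen = defaultdict(set)
    for rec in evidence:
        for entity in extract_entities(rec):
            seen[entity].add(rec["suspect"])
    return {entity: who for entity, who in seen.items() if len(who) > 1}


def watchlist_hits(evidence, watchlist):
    """Search every evidence source for entities supplied by another team or agency."""
    hits = []
    for rec in evidence:
        for entity in sorted(extract_entities(rec) & set(watchlist)):
            hits.append((rec["suspect"], rec["source"], entity))
    return hits


def email_edges(evidence, start_iso, end_iso, entity_type):
    """Emails dated within [start, end] that carry entity_type, reduced to sender -> recipient edges."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    edges = []
    for rec in evidence:
        if rec["kind"] != "email" or not start <= date.fromisoformat(rec["date"]) <= end:
            continue
        if any(kind == entity_type for kind, _ in extract_entities(rec)):
            edges.append((rec["from"].lower(), rec["to"].lower()))
    return edges


if __name__ == "__main__":
    for entity, who in sorted(shared_entities(EVIDENCE).items()):
        print(f"{entity[0]:9}{entity[1]:25} shared by {sorted(who)}")
    for hit in watchlist_hits(EVIDENCE, [("passport", "PA1234567")]):
        print("watchlist hit:", hit)
    for src, dst in email_edges(EVIDENCE, "2014-03-01", "2014-03-31", "card"):
        print(f"{src} -> {dst}")
```

The edges returned by `email_edges` are exactly what a network diagram plots; the shared-entity table is what a cross-agency list lets you build without reading every source. Note that the Luhn check silences the “order total” record, which a naive digit-run regex would have reported as a card number shared with nobody, and that nothing here speaks to provenance: it tells you which sources deserve a forensic examiner’s attention, not what will stand up in court.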
Last year Nuix laid out a series of workflows for setting up an investigative lab. The first stage of this process involves the investigative team assembling all available evidence – including forensic images, email and mobile phone communications – into a single location. The team can then divide up the task of reviewing the evidence between multiple people in whatever way they see fit.
At a basic level, this is a way to share work between multiple investigators to complete the task faster. Investigators can divide the evidence by date ranges, custodians, location, language or content. It can also be a way to distribute different types of evidence to the people most qualified to understand it and its context. For example, investigators could pass on financial records to forensic accountants, internet activity to technical specialists or suspect images to specialist child protection teams.
Larger law enforcement agencies, advisory firms and businesses are using this model to set up centralised evidence processing facilities that can provide access to the results to any desktop across the organisation. This model has considerable advantages for sharing intelligence. A centralised lab which stores case files related to all current investigations makes it easy to cross-reference intelligence items. It is also easy for one location or agency to provide in-depth access to their case data for colleagues in other locations.
What about forensics?
The techniques I’ve covered allow investigators to apply technology where it is most suited, free themselves from tiresome menial work and make best use of their brainpower and intuition. These investigative workflows help time-poor investigators effectively share relevant and actionable intelligence.
I want to be clear that these techniques do not eliminate the need for forensic analysis, particularly in the areas of provenance and authenticity. However, the volume of evidence in most cases makes it too time-consuming to conduct deep forensic analysis on every data source. As a result, in-depth forensic analysis must become the exception rather than the rule.
Using these techniques is a faster and more efficient way of identifying the evidence sources that contain the data required to prove or disprove the case. The investigative team can then pass a small number of evidence sources back to digital forensics specialists so they can conduct in-depth analysis that will satisfy courts and authorities.