For those of you who know me, you will know that I try to integrate technology with most aspects of my life. From the health and steps tracker on my wrist, to the use of mobile devices, in-vehicle GPS, Google Home, and the various array of Raspberry Pi based hardware in my home. I consider myself a digital investigators dream target.
If you don’t know where to look, what evidence are you missing?
Going through my data would show you where I was, at what time, what I was looking at, my heart rate at the time, what I was purchasing, who I was talking to, and many, many more aspects of my digital life.
Recently, I was at a conference where I was talking to an investigator about a crime he was investigating where the Apple Watch on the wrist of the deceased was used to determine the time of death. It also helped convict the perpetrator by sensing that the body had been moved. Even with all of the information available at our fingertips, sifting through that vast amount of data is a difficult and lengthy process. There could be many places where that important piece of data could be hiding, and if looking in that specific place isn’t part of your usual process, or is not accessible by your current tool kit, then that important data might never be found.
Being able to find the correct data comes down to a number of factors that I have listed below. Please feel free to let me know if I have missed any:
- The investigation workflow and process have to be compliant with 17025!
- The tools being used—being able to find and parse the correct data.
- Time. Most investigations come with a short deadline, and it is necessary to reach a conclusion quickly for the sake of both the investigator and the custodian.
The faster an investigation reaches its conclusion, the better it is for all parties involved. So, how do you improve your time management?
So, how do we improve our time management?
- Faster evidence processing. By using faster evidence processors or a lot of separate evidence processors you can speed up the result
- Smarter evidence processing. Process only the evidence that is pertinent to the investigation.
- Collaboration and tasking. Using simple and easy-to-use tools that enable lesser skilled analysts to assist with investigations.
- Efficient tools. Be able to find the most relevant evidence in an efficient way without spending huge amounts of time scrolling through a load of evidence items.
AccessData has been heavily focused on producing tools to improve time management for forensics and digital investigations professionals. With new versions of AD Lab, FTK, AD Enterprise and AD eDiscovery, the speed of investigations has been significantly improved through the use of multiple evidence processors, scaling both horizontally and vertically, efficient database indexing, cross-case investigations, collaboration, as well as the integration of third party parsers into a single interface. This allows different types of data to be analysed in a single collaborative front-end.
Too often, when I am showing the interface to an individual or group who have not seen it before, I see their eyes light up at the prospect of being able to utilise more people and more computers to assist with investigations. They struggle with severe case backlogs since ‘higher priority’ investigations are always coming in.
I also really like the collaboration feature, with many investigators able to work on the case, platform agnostic. For example, an investigator can be using FTK or AD Lab, and allocate tasks to a number of users using real time bookmarks and labels, which can be seen and tagged from both sides. Another example—one group of people could be responsible for identifying and bookmarking pictures, while another group could be analysing the email and WhatsApp/telegram chats, all the while working to calendar synced tasks to keep management happy!
I have only been with AccessData for just over a year, and with a technical compliance background, I am reasonably new to forensics and digital investigations. A tool like FTK is perfect for a user such as myself to keep investigations simple, and the data obvious! I have seen investigations where a ridiculous amount of data was analysed in the social analyser, and I was shocked at how very easy it was to drill down on the target data. Not all of us are seasoned forensic professionals, but FTK makes us feel like we are!