SlideShare a Scribd company logo

The Investigative Lab - White Paper

Nuix
Nuix

The document describes a new model called the investigative lab for conducting digital investigations more efficiently through collaboration. The model involves assembling all available digital evidence into a central location, using automated workflows to process the most relevant evidence, and then dividing the processed evidence into review sets for different investigators and experts to analyze based on their specialties. This allows an investigative team to dramatically increase the volume of digital evidence analyzed within set timeframes compared to traditional methods relying on solo forensic experts.

1 of 7
Download to read offline
NUIX WHITE PAPER THE INVESTIGATIVE LAB: A MODEL FOR EFFICIENT COLLABORATIVE DIGITAL INVESTIGATIONS
WHITE PAPER THE INVESTIGATIVE LAB: A MODEL FOR EFFICIENT COLLABORATIVE DIGITAL INVESTIGATIONS PAGE 2 CONTENTS Executive summary...............................................2 The digital forensic investigation impasse............3 Lessons from eDiscovery.......................................4 Case study: Serious Fraud Office...........................4 The investigative lab workflow model for digital investigations.......................................5 Share the workload —a production-line methodology.........................5 Ensure the right data gets reviewed by the right people................................................6 Use advanced investigative techniques................6 Perform deep forensics only when necessary........6 EXECUTIVE SUMMARY In this paper, we will discuss a model for setting up an investigative lab that allows digital forensic specialists, non-technical investigators and subject matter experts to collaborate on digital evidence. The end result is a dramatic increase in the volume and quality of digital evidence an investigative team can analyze within a fixed time. For many years, digital forensic investigators have used specialist forensic tools to “dig deep” into a handful of computers and other evidence sources. Typically, investigations rely on a single digital forensic specialist to examine these evidence sources one by one. This approach relies on the digital forensic investigator, who is usually not familiar with all the details or context of the case, to extract the information he or she thinks is relevant from each device. As a result, non-technical investigators and subject matter experts must rely on an incomplete and subjective slice of the evidence. By contrast, the model discussed in this paper enables investigative teams to divide up digital evidence and spread the review workload between many people. They can distribute different types of evidence to the people most qualified to understand it and its context. This methodology also provides opportunities to apply advanced investigative techniques such as data visualization and near-duplicate analysis, helping investigators look at the evidence from different angles. While in-depth forensic analysis remains an essential tool, this workflow limits its use to specific circumstances when it can deliver the most value. By adopting a collaborative investigation model like the one in this paper, the United Kingdom’s Serious Fraud Office (SFO) increased the volume of data it could process each year 20-fold. This methodology also enabled the SFO’s investigation teams to respond much faster to information requests from courts. The end result is a dramatic increase in the volume and quality of digital evidence an investigation team can analyze within a fixed time
WHITE PAPER THE INVESTIGATIVE LAB: A MODEL FOR EFFICIENT COLLABORATIVE DIGITAL INVESTIGATIONS PAGE 3 Digital investigators face a constant battle to find the truth in ever larger, more varied and increasingly complex stores of electronic evidence. At the same time they must balance business demands such as reduced budgets and resources, spiraling case backlogs and ever decreasing timescales. These demands are made all the more challenging because many digital investigations rely on workflows, processes and tools that were designed before this mass explosion of data and devices—in fact, they often hark back to a pre-digital age. As the growing volume of data has stretched traditional forensic tools to capacity, it becomes impossible to examine them all. Digital forensic investigators may take arbitrary decisions as to which evidence sources they analyze first—or at all. Many investigative organizations do not follow standard processes for each stage of this investigative workflow. For example, digital forensic investigators may not handle all data sources consistently during processing and analysis. They might deliver the relevant information in different ways, such as printing it out, copying it to a CD or flash drive, or placing it on a computer where other stakeholders can search it. A traditional investigation relies on two very different groups of people: • Case investigators—such as police detectives and corporate fraud analysts—understand the wider context of the investigation and examine crimes or investigative matters from all angles. If an investigation has a digital component, such as a computer recovered at a crime scene, an investigator would call on the support of one or more digital forensic investigators who would examine the computer and they report their findings back to them • Digital forensic investigators collect, image, process and examine the collected data. They typically identify and evidence digital material that they consider potentially relevant to the case. This division of roles (see Figure 1) is a major source of inefficiency. More worryingly, it highlights a disconnection in the investigation process. Very often case investigators view digital forensic investigators as providing a supporting service, rather than working with them collaboratively. For example, it is common for a single digital forensic investigator to handle all devices involved in an investigation. This solo digital forensic investigator will typically examine each storage device in turn, extracting the information he or she thinks is relevant then preparing a report for the less technical investigative team. This piecemeal approach is very inefficient, especially in larger cases. Digital forensic investigators must make critical decisions about the relevance of particular documents, email messages or images—or even entire evidence sources— often without knowing the broader details of the case. This is something like the ancient parable about six blindfolded men trying to describe an elephant. One is touching the elephant’s trunk and thinks the elephant is like a snake. Another is holding the elephant’s leg and thinks it is like a tree, and so on. While they are all correct about the individual parts, none of them can see the bigger picture (see Figure 2). The inability to understand the evidence in its broader context can have knock-on effects when digital forensic investigators must provide their findings to larger teams or other stakeholders such as prosecutors or human resources, legal or internal audit departments. These stakeholders must often rely on the pieces of the puzzle that the forensic investigator decided were most relevant. THE DIGITAL FORENSIC INVESTIGATION IMPASSE Focusing on one part at a time makes it hard to see the elephant in the room Figure 1: Typical division of roles in investigations with very little overlap between those performing technical and non-technical tasks. Figure 2: Focusing on one part at a time makes it hard to see the elephant in the room. Digital forensic investigators often working behind closed doors Case investigators managing the entire investigation and relying on digital evidence to help join the dots
WHITE PAPER THE INVESTIGATIVE LAB: A MODEL FOR EFFICIENT COLLABORATIVE DIGITAL INVESTIGATIONS PAGE 4 Some investigative organizations have streamlined their processes for handling digital evidence (see for example, the United Kingdom Serious Fraud Office case study). In this area, investigators have a great deal to learn from the way legal teams handle electronic discovery, which typically involves even larger volumes of digital evidence than investigations. In many jurisdictions, courts require litigants to collaborate and consider eDiscovery at the earliest opportunity. Doing so can help keep the costs of the case proportionate to the amount at dispute. To achieve this, discovery practitioners must quickly identify potentially relevant material among massive volumes of digital evidence. They must then place this potentially relevant material into the hands of the experts such as senior lawyers, financial investigators or subject matter experts. Legal teams often use a tiered review system, assigning junior staff to perform a “first cut” review of the material to eliminate the material that is clearly not relevant. Rather than allowing these reviewers to make arbitrary decisions, someone who has in-depth knowledge of the case would create a pre-defined set of guidelines for them to follow. This person may also review, validate or amend these decisions. In this way, smaller and smaller volumes of more and more relevant material are passed up the chain. The highly knowledgeable—and usually highly paid—experts need only see the “hot” documents, safe in the knowledge that someone has reviewed and classified all other material. This process is a very efficient way of classifying huge volumes of material into relevant or not relevant bundles. For it to work, legal teams must be able to: • Divide up the available evidence into parcels for multiple people to review • Ensure each reviewer understands the ground rules for deciding what is relevant • Make the most relevant documents available for experts to analyze and examine. This approach is not new, even in investigative circles. For example, in many complex criminal matters, rank-and-file detectives do the ground work, such as identifying witnesses and evidence, before passing on their findings to senior officers and subject matter experts for review. However, it is rare for digital forensic investigators to follow this process when dealing with electronic evidence, often because traditional tools make it difficult to combine information from multiple sources and make it available to non-technical investigators or subject matter experts for review. Investigators have a great deal to learn from the way legal teams handle electronic discovery, which typically involves even larger volumes of digital evidence than investigations LESSONS FROM eDISCOVERY CASE STUDY: SERIOUS FRAUD OFFICE The collaborative investigation model and lab workflow discussed in this paper draws on the experience of Nuix’s Director of Forensic Solutions Paul Slater at the United Kingdom Serious Fraud Office (SFO). By adopting this model, the SFO increased the volume of data it could process each year 20-fold and made it possible to deliver timely responses to information requests from courts. As interim head of the Digital Forensics Unit from 2009 to the end of 2010, Slater helped to standardize and streamline the SFO’s digital investigative processes. The SFO reduced its focus on in-depth forensics; created and automated investigative workflows; and developed a more collaborative approach to investigations. This change in approach helped to transform the SFO’s capabilities. “While traditional computer forensics techniques dig deep into a handful of computers, [the SFO can now] quickly distil the huge volumes of data captured in our search operations and to focus on material likely to have greatest evidential yield,” wrote the SFO’s Chief Executive in its 2010-11 Annual Report and Accounts.i “We can now handle up to 100GB of new information each day—a 2,000% increase year on year. “It is also allowing us to respond quickly to court requirements—in one case we were able to identify and produce over 47,000 emails overnight to satisfy a judge’s order. Such speed of response would have been impossible before.”
WHITE PAPER THE INVESTIGATIVE LAB: A MODEL FOR EFFICIENT COLLABORATIVE DIGITAL INVESTIGATIONS PAGE 5 TIER 1 High volume of material, relevance unknown, for initial filtering and review TIER 2 Potentially relevant material for expert review TIER 3 Highly relevant material IMAGES AND VIDEOS EMAILS FINANCIAL RECORDS DOCUMENTS AND SPEADSHEETS POTENTIALLY RELEVANT IMAGES AND VIDEOS POTENTIALLY RELEVANT DOCUMENTS POTENTIALLY RELEVANT EMAILS RELEVANT IMAGES AND VIDEOS RELEVANT EMAILS AND DOCUMENTS The investigative lab model is a way for investigators to combine the efficiencies of the eDiscovery process with the forensic rigor and provenance of traditional digital investigation methodologies. It offers a more efficient way of utilizing available resources by making it possible to spread work between digital and non-digital investigators and subject matter experts, rather than being the sole responsibility of often a single person. It also ensures that digital forensic investigators handle each piece of evidence using an agreed set of repeatable processes. Although this workflow model is technology agnostic, it requires a number of capabilities that are not available in traditional forensic tools, such as: • Conducting a light metadata scan of data sources to rapidly assess their content and value to the investigation • Combining multiple evidence sources into a single data set for analysis • Processing multiple terabytes of evidence within a reasonable time • Supporting a wide range of file formats including forensic image formats from multiple competing technologies • Dividing a large data set into sub-cases based on criteria such as date, custodian, file format, location or language, then recombining the results into a single case. Share the workload—a production-line methodology A key shortcoming of the traditional approach is that digital forensic investigators examine each evidence source individually. However, cases often hinge on a particular type of evidence—such as documents, emails or text messages—and the connections between them across multiple sources. In addition, certain evidence types must be reviewed by people who have particular expertise. As a result, a necessary first step of this methodology is to assemble all available evidence—forensic images, email and mobile phone communications, loose files, documents and the rest—into a single location. Conducting a light metadata scan on all these evidence sources can quickly help investigators choose the items they want to process in greater depth. This forms part of the content-based forensic triage process Nuix has discussed in a previous white paper, Content-Based Forensic Triage: Managing Digital Investigations in the Age of Big Data.ii Once the investigative team has chosen the evidence sources most likely to be relevant, they can then process these devices following a set of previously agreed standards and settings. Investigative organizations can build a series of best practices or case-specific workflows which automate many of the time-consuming and error-prone tasks that are performed on each case. These include date range filtering, keyword searching and tagging, identification and optical character recognition (OCR) for non-text documents. The workflow can also include activities to filter out irrelevant information such as duplicate items or system files. This approach significantly reduces operator-level decisions and inconsistencies around which files are processed and how, leading to a consistent and repeatable outcome. By using this methodology, investigative teams can rapidly trim down large evidence sets into small numbers of highly relevant items for expert review (see Figure 3). Using the collaborative approach and tiered review methodology, investigators can quickly distil huge volumes of data into smaller, more manageable chunks Figure 3: A tiered approach to reviewing evidence. THE INVESTIGATIVE LAB WORKFLOW MODEL FOR DIGITAL INVESTIGATIONS
WHITE PAPER THE INVESTIGATIVE LAB: A MODEL FOR EFFICIENT COLLABORATIVE DIGITAL INVESTIGATIONS PAGE 6 Key evidence is more often found “hidden in plain sight”. As a result, in-depth forensic analysis must become the exception rather than the rule. Ensure the right data gets reviewed by the right people The next phase of this investigative workflow involves dividing the processed evidence into review sets. At its most basic, it can be a way of sharing the work between multiple investigators to complete the task faster. They may choose to divide up the evidence by date ranges, custodians, location, language or content. However, there are many other options. In a fraud case, for example, investigators could pass on financial records to forensic accountants and internet activity to technical specialists. In an inappropriate images investigation, detectives could package potentially relevant pictures and videos for specialist child protection teams, while leaving other file types for their digital forensic investigators. In multi-jurisdictional investigations, investigative teams can produce evidence or intelligence packages for third parties to review, comment on and return. Use advanced investigative techniques As we have discussed, this workflow borrows a number of ideas from eDiscovery. Investigators can also use a number of technology- assisted analysis techniques from the legal world to look at the evidence from different angles. For example, some investigative tools offer ways to visualize the data and metadata. Common visualizations include timelines of document or user histories; network maps of communications between people; and mapping locations of photos or phone calls. These allow investigators to quickly understand the who, what, where, when and why of the evidence. Another emerging technique is the ability to identify similar or near- duplicate documents within a data set. By extracting and comparing lists of overlapping phrases called “shingles,” investigative tools can identify documents with similar content, and gauge how similar they are. This can help investigators identify who created, received or sent key emails, documents or attachments; analyzes how documents have changed over time; or find related documents that use similar language. Near-duplicate technology can also speed up the process of identifying relevant evidence by connecting file fragments and recovered deleted data to similar content found within live files to build up the picture of events over time. The list of shingles used to make near-duplicate comparisons has another powerful use: increasing the relevance of keyword searches. For example, fraud analysts search for words and phrases that indicate an employee may have motivation, opportunity and rationalization to commit fraud. However, these keyword searches may also bring up many results that are not relevant. By instead searching the list of shingles that contain words such as “cover up,” “write off,” “grey area,” “not ethical” or “off the books,” investigators can quickly locate longer phrases that will deliver highly relevant search results. Perform deep forensics only when necessary Many digital forensic investigators have been reluctant to change their processes even as they struggle with masses of digital material. One reason is they believe the old-fashioned technique is the only way to achieve the forensic rigor and deep technical analysis that courts and other authorities require. In our experience, nowadays the key evidence is more often found “hidden in plain sight”—typically in email, documents, spreadsheets or images. The major impediment for digital forensic investigators is that they can’t get across the volume of evidence to find the facts that will prove or disprove the case, especially if they conducting time-consuming deep forensic analysis on every data source. As a result, in-depth forensic analysis must become the exception rather than the rule. Using the collaborative approach and tiered review methodology in the paper, investigators can quickly distil huge volumes of data into smaller, more manageable chunks. Once this technique identifies the smoking gun or the elephant in the room, investigators can pass this piece of data back to specialist digital forensic investigators for them to examine and provide provenance, validate authenticity and produce to the court or authorities. Alternatively, the review workflow may not locate the crucial evidence but may provide strong clues as to where digital forensic investigators should deep-dive to try and find it. i http://www.sfo.gov.uk/media/175084/resource-accounts-2010-11.pdf ii http://nuix.com/PDFDownload.aspx?f=images/resources/White_Paper_Nuix_ Content-Based_Triage_US_WEB.pdf
APAC North America EMEA Australia: +61 2 9280 0699 USA: +1 877 470 6849 UK: +44 207 877 0300 » Email: sales@nuix.com » Web: nuix.com » Twitter: @nuix Copyright © 2014 Nuix. All rights reserved. ABOUT NUIX Nuix enables people to make fact-based decisions from unstructured data. The patented Nuix Engine makes small work of large and complex human-generated data sets. Organizations around the world turn to Nuix software when they need fast, accurate answers for digital investigation, cybersecurity, eDiscovery, information governance, email migration, privacy and more. TO FIND OUT MORE ABOUT NUIX’S INVESTIGATIVE LAB VISIT nuix.com/investigator-lab

Recommended

Case study nuix edrm enron data set
Case study nuix edrm enron data setCase study nuix edrm enron data set
Case study nuix edrm enron data set
Nuix
 
The Investigative Lab - Nuix
The Investigative Lab - NuixThe Investigative Lab - Nuix
The Investigative Lab - Nuix
Nuix
 
Bridging the gap between mobile and computer forensics
Bridging the gap between mobile and computer forensicsBridging the gap between mobile and computer forensics
Bridging the gap between mobile and computer forensics
Nina Ananiasvili
 
Interplay of Digital Forensics in eDiscovery
Interplay of Digital Forensics in eDiscoveryInterplay of Digital Forensics in eDiscovery
Interplay of Digital Forensics in eDiscovery
CSCJournals
 
Surviving Technology 2009 & The Paralegal
Surviving Technology 2009 & The ParalegalSurviving Technology 2009 & The Paralegal
Surviving Technology 2009 & The Paralegal
Aubrey Owens
 
Ediscovery 101
Ediscovery 101Ediscovery 101
Ediscovery 101Catherine A. Casey (CEDS)
 
Evidence and data
Evidence and dataEvidence and data
Evidence and data
Atul Rai
 
Electronic Document Management And Discovery
Electronic Document Management And DiscoveryElectronic Document Management And Discovery
Electronic Document Management And Discovery
Ronald Coleman
 

Recommended

Case study nuix edrm enron data set
Case study nuix edrm enron data setCase study nuix edrm enron data set
Case study nuix edrm enron data set
Nuix
 
The Investigative Lab - Nuix
The Investigative Lab - NuixThe Investigative Lab - Nuix
The Investigative Lab - Nuix
Nuix
 
Bridging the gap between mobile and computer forensics
Bridging the gap between mobile and computer forensicsBridging the gap between mobile and computer forensics
Bridging the gap between mobile and computer forensics
Nina Ananiasvili
 
Interplay of Digital Forensics in eDiscovery
Interplay of Digital Forensics in eDiscoveryInterplay of Digital Forensics in eDiscovery
Interplay of Digital Forensics in eDiscovery
CSCJournals
 
Surviving Technology 2009 & The Paralegal
Surviving Technology 2009 & The ParalegalSurviving Technology 2009 & The Paralegal
Surviving Technology 2009 & The Paralegal
Aubrey Owens
 
Ediscovery 101
Ediscovery 101Ediscovery 101
Ediscovery 101Catherine A. Casey (CEDS)
 
Evidence and data
Evidence and dataEvidence and data
Evidence and data
Atul Rai
 
Electronic Document Management And Discovery
Electronic Document Management And DiscoveryElectronic Document Management And Discovery
Electronic Document Management And Discovery
Ronald Coleman
 
The Concise Guide to E-Discovery
The Concise Guide to E-DiscoveryThe Concise Guide to E-Discovery
The Concise Guide to E-Discovery
Osterman Research, Inc.
 
AAR Investigation Of Electronic Evidence
AAR Investigation Of Electronic EvidenceAAR Investigation Of Electronic Evidence
AAR Investigation Of Electronic Evidence
John Jablonski
 
E discovery mallareddy 20160213
E discovery mallareddy 20160213E discovery mallareddy 20160213
E discovery mallareddy 20160213
nullowaspmumbai
 
Design for A Network Centric Enterprise Forensic System
Design for A Network Centric Enterprise Forensic SystemDesign for A Network Centric Enterprise Forensic System
Design for A Network Centric Enterprise Forensic System
CSCJournals
 
E Discovery General E Discovery Presentation
E Discovery General E Discovery PresentationE Discovery General E Discovery Presentation
E Discovery General E Discovery Presentation
jvanacour
 
Digital forensics ahmed emam
Digital forensics ahmed emamDigital forensics ahmed emam
Digital forensics ahmed emam
ahmad abdelhafeez
 
Electronic evidence
Electronic evidenceElectronic evidence
Electronic evidence
Ronak Karanpuria
 
Network and computer forensics
Network and computer forensicsNetwork and computer forensics
Network and computer forensics
Johnson Ubah
 
Electronic Discovery 101 - From ESI to the EDRM
Electronic Discovery 101 - From ESI to the EDRMElectronic Discovery 101 - From ESI to the EDRM
Electronic Discovery 101 - From ESI to the EDRM
Rob Robinson
 
Electronic Evidence Power Point V6 Final
Electronic Evidence Power Point V6 FinalElectronic Evidence Power Point V6 Final
Electronic Evidence Power Point V6 Final
William Hamilton
 
Computer and Cyber forensics, a case study of Ghana
Computer and Cyber forensics, a case study of GhanaComputer and Cyber forensics, a case study of Ghana
Computer and Cyber forensics, a case study of Ghana
Mohammed Mahfouz Alhassan
 
2014 Year-End E-Discovery Update
2014 Year-End E-Discovery Update2014 Year-End E-Discovery Update
2014 Year-End E-Discovery UpdateGareth Evans
 
Computer forencis
Computer forencisComputer forencis
Computer forencisTeja Bheemanapally
 
Trade Secret Theft in the Digital Age
Trade Secret Theft in the Digital AgeTrade Secret Theft in the Digital Age
Trade Secret Theft in the Digital Age
BoyarMiller
 
BoyarMiller - You Lost Me At Gigabyte: Working with Computer Forensic Examiners
BoyarMiller - You Lost Me At Gigabyte: Working with Computer Forensic ExaminersBoyarMiller - You Lost Me At Gigabyte: Working with Computer Forensic Examiners
BoyarMiller - You Lost Me At Gigabyte: Working with Computer Forensic Examiners
BoyarMiller
 
Electronic Forensic Protocols and Working with Computer Forensic Examiners
Electronic Forensic Protocols and Working with Computer Forensic ExaminersElectronic Forensic Protocols and Working with Computer Forensic Examiners
Electronic Forensic Protocols and Working with Computer Forensic Examiners
BoyarMiller
 
Digital Crime & Forensics - Presentation
Digital Crime & Forensics - PresentationDigital Crime & Forensics - Presentation
Digital Crime & Forensics - Presentation
prashant3535
 
DLD_SYNOPSIS
DLD_SYNOPSISDLD_SYNOPSIS
DLD_SYNOPSISNisha Jain
 
Blue Canopy Semantic Web Approach v25 brief
Blue Canopy Semantic Web Approach v25 briefBlue Canopy Semantic Web Approach v25 brief
Blue Canopy Semantic Web Approach v25 briefNick Savage
 
Privacy preserving detection of sensitive data exposure
Privacy preserving detection of sensitive data exposurePrivacy preserving detection of sensitive data exposure
Privacy preserving detection of sensitive data exposure
redpel dot com
 
Lima - Digital Forensic Case Management System
Lima - Digital Forensic Case Management SystemLima - Digital Forensic Case Management System
Lima - Digital Forensic Case Management System
IntaForensics
 
Top 10 Business Continuity Disasters
Top 10 Business Continuity DisastersTop 10 Business Continuity Disasters
Top 10 Business Continuity Disasters
Rentsys Recovery Services
 

More Related Content

What's hot

The Concise Guide to E-Discovery
The Concise Guide to E-DiscoveryThe Concise Guide to E-Discovery
The Concise Guide to E-Discovery
Osterman Research, Inc.
 
AAR Investigation Of Electronic Evidence
AAR Investigation Of Electronic EvidenceAAR Investigation Of Electronic Evidence
AAR Investigation Of Electronic Evidence
John Jablonski
 
E discovery mallareddy 20160213
E discovery mallareddy 20160213E discovery mallareddy 20160213
E discovery mallareddy 20160213
nullowaspmumbai
 
Design for A Network Centric Enterprise Forensic System
Design for A Network Centric Enterprise Forensic SystemDesign for A Network Centric Enterprise Forensic System
Design for A Network Centric Enterprise Forensic System
CSCJournals
 
E Discovery General E Discovery Presentation
E Discovery General E Discovery PresentationE Discovery General E Discovery Presentation
E Discovery General E Discovery Presentation
jvanacour
 
Digital forensics ahmed emam
Digital forensics ahmed emamDigital forensics ahmed emam
Digital forensics ahmed emam
ahmad abdelhafeez
 
Electronic evidence
Electronic evidenceElectronic evidence
Electronic evidence
Ronak Karanpuria
 
Network and computer forensics
Network and computer forensicsNetwork and computer forensics
Network and computer forensics
Johnson Ubah
 
Electronic Discovery 101 - From ESI to the EDRM
Electronic Discovery 101 - From ESI to the EDRMElectronic Discovery 101 - From ESI to the EDRM
Electronic Discovery 101 - From ESI to the EDRM
Rob Robinson
 
Electronic Evidence Power Point V6 Final
Electronic Evidence Power Point V6 FinalElectronic Evidence Power Point V6 Final
Electronic Evidence Power Point V6 Final
William Hamilton
 
Computer and Cyber forensics, a case study of Ghana
Computer and Cyber forensics, a case study of GhanaComputer and Cyber forensics, a case study of Ghana
Computer and Cyber forensics, a case study of Ghana
Mohammed Mahfouz Alhassan
 
2014 Year-End E-Discovery Update
2014 Year-End E-Discovery Update2014 Year-End E-Discovery Update
2014 Year-End E-Discovery UpdateGareth Evans
 
Trade Secret Theft in the Digital Age
Trade Secret Theft in the Digital AgeTrade Secret Theft in the Digital Age
Trade Secret Theft in the Digital Age
BoyarMiller
 
BoyarMiller - You Lost Me At Gigabyte: Working with Computer Forensic Examiners
BoyarMiller - You Lost Me At Gigabyte: Working with Computer Forensic ExaminersBoyarMiller - You Lost Me At Gigabyte: Working with Computer Forensic Examiners
BoyarMiller - You Lost Me At Gigabyte: Working with Computer Forensic Examiners
BoyarMiller
 
Electronic Forensic Protocols and Working with Computer Forensic Examiners
Electronic Forensic Protocols and Working with Computer Forensic ExaminersElectronic Forensic Protocols and Working with Computer Forensic Examiners
Electronic Forensic Protocols and Working with Computer Forensic Examiners
BoyarMiller
 
Digital Crime & Forensics - Presentation
Digital Crime & Forensics - PresentationDigital Crime & Forensics - Presentation
Digital Crime & Forensics - Presentation
prashant3535
 
Blue Canopy Semantic Web Approach v25 brief
Blue Canopy Semantic Web Approach v25 briefBlue Canopy Semantic Web Approach v25 brief
Blue Canopy Semantic Web Approach v25 briefNick Savage
 
Privacy preserving detection of sensitive data exposure
Privacy preserving detection of sensitive data exposurePrivacy preserving detection of sensitive data exposure
Privacy preserving detection of sensitive data exposure
redpel dot com
 

What's hot (20)

The Concise Guide to E-Discovery
The Concise Guide to E-DiscoveryThe Concise Guide to E-Discovery
The Concise Guide to E-Discovery
 
AAR Investigation Of Electronic Evidence
AAR Investigation Of Electronic EvidenceAAR Investigation Of Electronic Evidence
AAR Investigation Of Electronic Evidence
 
E discovery mallareddy 20160213
E discovery mallareddy 20160213E discovery mallareddy 20160213
E discovery mallareddy 20160213
 
Design for A Network Centric Enterprise Forensic System
Design for A Network Centric Enterprise Forensic SystemDesign for A Network Centric Enterprise Forensic System
Design for A Network Centric Enterprise Forensic System
 
E Discovery General E Discovery Presentation
E Discovery General E Discovery PresentationE Discovery General E Discovery Presentation
E Discovery General E Discovery Presentation
 
Digital forensics ahmed emam
Digital forensics ahmed emamDigital forensics ahmed emam
Digital forensics ahmed emam
 
Electronic evidence
Electronic evidenceElectronic evidence
Electronic evidence
 
Network and computer forensics
Network and computer forensicsNetwork and computer forensics
Network and computer forensics
 
Electronic Discovery 101 - From ESI to the EDRM
Electronic Discovery 101 - From ESI to the EDRMElectronic Discovery 101 - From ESI to the EDRM
Electronic Discovery 101 - From ESI to the EDRM
 
Electronic Evidence Power Point V6 Final
Electronic Evidence Power Point V6 FinalElectronic Evidence Power Point V6 Final
Electronic Evidence Power Point V6 Final
 
Computer and Cyber forensics, a case study of Ghana
Computer and Cyber forensics, a case study of GhanaComputer and Cyber forensics, a case study of Ghana
Computer and Cyber forensics, a case study of Ghana
 
2014 Year-End E-Discovery Update
2014 Year-End E-Discovery Update2014 Year-End E-Discovery Update
2014 Year-End E-Discovery Update
 
Computer forencis
Computer forencisComputer forencis
Computer forencis
 
Trade Secret Theft in the Digital Age
Trade Secret Theft in the Digital AgeTrade Secret Theft in the Digital Age
Trade Secret Theft in the Digital Age
 
BoyarMiller - You Lost Me At Gigabyte: Working with Computer Forensic Examiners
BoyarMiller - You Lost Me At Gigabyte: Working with Computer Forensic ExaminersBoyarMiller - You Lost Me At Gigabyte: Working with Computer Forensic Examiners
BoyarMiller - You Lost Me At Gigabyte: Working with Computer Forensic Examiners
 
Electronic Forensic Protocols and Working with Computer Forensic Examiners
Electronic Forensic Protocols and Working with Computer Forensic ExaminersElectronic Forensic Protocols and Working with Computer Forensic Examiners
Electronic Forensic Protocols and Working with Computer Forensic Examiners
 
Digital Crime & Forensics - Presentation
Digital Crime & Forensics - PresentationDigital Crime & Forensics - Presentation
Digital Crime & Forensics - Presentation
 
DLD_SYNOPSIS
DLD_SYNOPSISDLD_SYNOPSIS
DLD_SYNOPSIS
 
Blue Canopy Semantic Web Approach v25 brief
Blue Canopy Semantic Web Approach v25 briefBlue Canopy Semantic Web Approach v25 brief
Blue Canopy Semantic Web Approach v25 brief
 
Privacy preserving detection of sensitive data exposure
Privacy preserving detection of sensitive data exposurePrivacy preserving detection of sensitive data exposure
Privacy preserving detection of sensitive data exposure
 

Viewers also liked

Lima - Digital Forensic Case Management System
Lima - Digital Forensic Case Management SystemLima - Digital Forensic Case Management System
Lima - Digital Forensic Case Management System
IntaForensics
 
Top 10 Business Continuity Disasters
Top 10 Business Continuity DisastersTop 10 Business Continuity Disasters
Top 10 Business Continuity Disasters
Rentsys Recovery Services
 
Why Consider #FlashStorage in your #DataCenter
Why Consider #FlashStorage in your #DataCenterWhy Consider #FlashStorage in your #DataCenter
Why Consider #FlashStorage in your #DataCenter
Tegile Systems
 
Wedia Social Media presentation at DigitalDays
Wedia Social Media presentation at DigitalDaysWedia Social Media presentation at DigitalDays
Wedia Social Media presentation at DigitalDays
Panos Kontopoulos
 
Pramata Tech Dinosaurs ePaper - Social Sharing
Pramata Tech Dinosaurs ePaper - Social SharingPramata Tech Dinosaurs ePaper - Social Sharing
Pramata Tech Dinosaurs ePaper - Social SharingTidemark Systems Inc.
 
TXT Next Presentation
TXT Next Presentation TXT Next Presentation
TXT Next Presentation
TXT e-solutions
 
New Research: Cloud, Cost & Complexity Impact IAM & IT
New Research: Cloud, Cost & Complexity Impact IAM & ITNew Research: Cloud, Cost & Complexity Impact IAM & IT
New Research: Cloud, Cost & Complexity Impact IAM & ITSymplified
 
Running SagePFW in a Private Cloud
Running SagePFW in a Private CloudRunning SagePFW in a Private Cloud
Running SagePFW in a Private CloudVertical Solutions
 
Innovation In The Workplace Andrew James
Innovation In The Workplace Andrew JamesInnovation In The Workplace Andrew James
Innovation In The Workplace Andrew James
Konica Minolta
 
Getting started with performance testing
Getting started with performance testingGetting started with performance testing
Getting started with performance testing
Testplant
 
Perceptive Software Scope
Perceptive Software ScopePerceptive Software Scope
Perceptive Software Scope
Perceptive Software Pty Ltd
 
Dr Ravi Gupta
Dr Ravi GuptaDr Ravi Gupta
Dr Ravi Gupta
Elets Technomedia Pvt. Ltd.
 
Visual Studio 2013 - Recursos da IDE
Visual Studio 2013 - Recursos da IDEVisual Studio 2013 - Recursos da IDE
Visual Studio 2013 - Recursos da IDEStefanini
 
Rsa2012 下一代安全的战略思考-绿盟科技赵粮
Rsa2012 下一代安全的战略思考-绿盟科技赵粮Rsa2012 下一代安全的战略思考-绿盟科技赵粮
Rsa2012 下一代安全的战略思考-绿盟科技赵粮
NSFOCUS
 
5 Reasons to Recycle in the D.C. Metro Area
5 Reasons to Recycle in the D.C. Metro Area5 Reasons to Recycle in the D.C. Metro Area
5 Reasons to Recycle in the D.C. Metro Area
Sims Recycling Solutions
 
Presence Agent y Presence Scripting para personas con limitaciones visuales
Presence Agent y Presence Scripting para personas con limitaciones visualesPresence Agent y Presence Scripting para personas con limitaciones visuales
Presence Agent y Presence Scripting para personas con limitaciones visuales
Presence Technology
 
IT Trends 2016: Taking Windows Applications Beyond Hardware Limits
IT Trends 2016: Taking Windows Applications Beyond Hardware Limits IT Trends 2016: Taking Windows Applications Beyond Hardware Limits
IT Trends 2016: Taking Windows Applications Beyond Hardware Limits
Parallels Inc
 

Viewers also liked (17)

Lima - Digital Forensic Case Management System
Lima - Digital Forensic Case Management SystemLima - Digital Forensic Case Management System
Lima - Digital Forensic Case Management System
 
Top 10 Business Continuity Disasters
Top 10 Business Continuity DisastersTop 10 Business Continuity Disasters
Top 10 Business Continuity Disasters
 
Why Consider #FlashStorage in your #DataCenter
Why Consider #FlashStorage in your #DataCenterWhy Consider #FlashStorage in your #DataCenter
Why Consider #FlashStorage in your #DataCenter
 
Wedia Social Media presentation at DigitalDays
Wedia Social Media presentation at DigitalDaysWedia Social Media presentation at DigitalDays
Wedia Social Media presentation at DigitalDays
 
Pramata Tech Dinosaurs ePaper - Social Sharing
Pramata Tech Dinosaurs ePaper - Social SharingPramata Tech Dinosaurs ePaper - Social Sharing
Pramata Tech Dinosaurs ePaper - Social Sharing
 
TXT Next Presentation
TXT Next Presentation TXT Next Presentation
TXT Next Presentation
 
New Research: Cloud, Cost & Complexity Impact IAM & IT
New Research: Cloud, Cost & Complexity Impact IAM & ITNew Research: Cloud, Cost & Complexity Impact IAM & IT
New Research: Cloud, Cost & Complexity Impact IAM & IT
 
Running SagePFW in a Private Cloud
Running SagePFW in a Private CloudRunning SagePFW in a Private Cloud
Running SagePFW in a Private Cloud
 
Innovation In The Workplace Andrew James
Innovation In The Workplace Andrew JamesInnovation In The Workplace Andrew James
Innovation In The Workplace Andrew James
 
Getting started with performance testing
Getting started with performance testingGetting started with performance testing
Getting started with performance testing
 
Perceptive Software Scope
Perceptive Software ScopePerceptive Software Scope
Perceptive Software Scope
 
Dr Ravi Gupta
Dr Ravi GuptaDr Ravi Gupta
Dr Ravi Gupta
 
Visual Studio 2013 - Recursos da IDE
Visual Studio 2013 - Recursos da IDEVisual Studio 2013 - Recursos da IDE
Visual Studio 2013 - Recursos da IDE
 
Rsa2012 下一代安全的战略思考-绿盟科技赵粮
Rsa2012 下一代安全的战略思考-绿盟科技赵粮Rsa2012 下一代安全的战略思考-绿盟科技赵粮
Rsa2012 下一代安全的战略思考-绿盟科技赵粮
 
5 Reasons to Recycle in the D.C. Metro Area
5 Reasons to Recycle in the D.C. Metro Area5 Reasons to Recycle in the D.C. Metro Area
5 Reasons to Recycle in the D.C. Metro Area
 
Presence Agent y Presence Scripting para personas con limitaciones visuales
Presence Agent y Presence Scripting para personas con limitaciones visualesPresence Agent y Presence Scripting para personas con limitaciones visuales
Presence Agent y Presence Scripting para personas con limitaciones visuales
 
IT Trends 2016: Taking Windows Applications Beyond Hardware Limits
IT Trends 2016: Taking Windows Applications Beyond Hardware Limits IT Trends 2016: Taking Windows Applications Beyond Hardware Limits
IT Trends 2016: Taking Windows Applications Beyond Hardware Limits
 

Similar to The Investigative Lab - White Paper

Social Issues in Computing : Forensics
Social Issues in Computing : ForensicsSocial Issues in Computing : Forensics
Social Issues in Computing : Forensics
Karuna Kak
 
Josh Moulin: Designing a Mobile Digital Forensic Lab on a Budget
Josh Moulin: Designing a Mobile Digital Forensic Lab on a BudgetJosh Moulin: Designing a Mobile Digital Forensic Lab on a Budget
Josh Moulin: Designing a Mobile Digital Forensic Lab on a Budget
Josh Moulin, MSISA,CISSP
 
Lecture2 Introduction to Digital Forensics.ppt
Lecture2 Introduction to Digital Forensics.pptLecture2 Introduction to Digital Forensics.ppt
Lecture2 Introduction to Digital Forensics.ppt
Surajgroupsvideo
 
A Formal Two Stage Triage Process Model (FTSTPM) for Digital Forensic Practice
A Formal Two Stage Triage Process Model (FTSTPM) for Digital Forensic PracticeA Formal Two Stage Triage Process Model (FTSTPM) for Digital Forensic Practice
A Formal Two Stage Triage Process Model (FTSTPM) for Digital Forensic Practice
CSCJournals
 
A Review on Recovering and Examining Computer Forensic Evidences
A Review on Recovering and Examining Computer Forensic EvidencesA Review on Recovering and Examining Computer Forensic Evidences
A Review on Recovering and Examining Computer Forensic Evidences
BRNSSPublicationHubI
 
Predict Conference: Data Analytics for Digital Forensics and Cybersecurity
Predict Conference: Data Analytics for Digital Forensics and CybersecurityPredict Conference: Data Analytics for Digital Forensics and Cybersecurity
Predict Conference: Data Analytics for Digital Forensics and Cybersecurity
Mark Scanlon
 
The final section of the Digital Forensics journal article by Ga.pdf
The final section of the Digital Forensics journal article by Ga.pdfThe final section of the Digital Forensics journal article by Ga.pdf
The final section of the Digital Forensics journal article by Ga.pdf
jyothimuppasani1
 
Applying Data Mining Principles in the Extraction of Digital Evidence
Applying Data Mining Principles in the Extraction of Digital EvidenceApplying Data Mining Principles in the Extraction of Digital Evidence
Applying Data Mining Principles in the Extraction of Digital Evidence
Dr. Richard Otieno
 
Cyber
CyberCyber
Cyber
PuttaRahul
 
Digital forensics research: The next 10 years
Digital forensics research: The next 10 yearsDigital forensics research: The next 10 years
Digital forensics research: The next 10 years
Mehedi Hasan
 
Evidence Collection Process
Evidence Collection ProcessEvidence Collection Process
Evidence Collection Process
Michelle Singh
 
To get round to the heart of fortress
To get round to the heart of fortressTo get round to the heart of fortress
To get round to the heart of fortressSTO STRATEGY
 
1Forensic Science and CriminalisticsAssociated Press.docx
1Forensic Science and CriminalisticsAssociated Press.docx1Forensic Science and CriminalisticsAssociated Press.docx
1Forensic Science and CriminalisticsAssociated Press.docx
aulasnilda
 
Text mining on criminal documents
Text mining on criminal documentsText mining on criminal documents
Text mining on criminal documents
ZhongLI28
 
Evidence Integrity And Evidence Continuity Essay
Evidence Integrity And Evidence Continuity EssayEvidence Integrity And Evidence Continuity Essay
Evidence Integrity And Evidence Continuity Essay
Jessica Howard
 
Digital forensics Steps
Digital forensics StepsDigital forensics Steps
Digital forensics Steps
gamemaker762
 
Digital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDigital Evidence by Raghu Khimani
Digital Evidence by Raghu Khimani
Dr Raghu Khimani
 
What is Digital Forensics.docx
What is Digital Forensics.docxWhat is Digital Forensics.docx
What is Digital Forensics.docx
AliAshraf68199
 
The Emergence of Digital Forensic Bangalore
The Emergence of Digital Forensic BangaloreThe Emergence of Digital Forensic Bangalore
The Emergence of Digital Forensic Bangalore
ehackacademy
 

Similar to The Investigative Lab - White Paper (20)

Social Issues in Computing : Forensics
Social Issues in Computing : ForensicsSocial Issues in Computing : Forensics
Social Issues in Computing : Forensics
 
Josh Moulin: Designing a Mobile Digital Forensic Lab on a Budget
Josh Moulin: Designing a Mobile Digital Forensic Lab on a BudgetJosh Moulin: Designing a Mobile Digital Forensic Lab on a Budget
Josh Moulin: Designing a Mobile Digital Forensic Lab on a Budget
 
Lecture2 Introduction to Digital Forensics.ppt
Lecture2 Introduction to Digital Forensics.pptLecture2 Introduction to Digital Forensics.ppt
Lecture2 Introduction to Digital Forensics.ppt
 
A Formal Two Stage Triage Process Model (FTSTPM) for Digital Forensic Practice
A Formal Two Stage Triage Process Model (FTSTPM) for Digital Forensic PracticeA Formal Two Stage Triage Process Model (FTSTPM) for Digital Forensic Practice
A Formal Two Stage Triage Process Model (FTSTPM) for Digital Forensic Practice
 
A Review on Recovering and Examining Computer Forensic Evidences
A Review on Recovering and Examining Computer Forensic EvidencesA Review on Recovering and Examining Computer Forensic Evidences
A Review on Recovering and Examining Computer Forensic Evidences
 
Predict Conference: Data Analytics for Digital Forensics and Cybersecurity
Predict Conference: Data Analytics for Digital Forensics and CybersecurityPredict Conference: Data Analytics for Digital Forensics and Cybersecurity
Predict Conference: Data Analytics for Digital Forensics and Cybersecurity
 
The final section of the Digital Forensics journal article by Ga.pdf
The final section of the Digital Forensics journal article by Ga.pdfThe final section of the Digital Forensics journal article by Ga.pdf
The final section of the Digital Forensics journal article by Ga.pdf
 
Applying Data Mining Principles in the Extraction of Digital Evidence
Applying Data Mining Principles in the Extraction of Digital EvidenceApplying Data Mining Principles in the Extraction of Digital Evidence
Applying Data Mining Principles in the Extraction of Digital Evidence
 
Cyber
CyberCyber
Cyber
 
Digital forensics research: The next 10 years
Digital forensics research: The next 10 yearsDigital forensics research: The next 10 years
Digital forensics research: The next 10 years
 
Evidence Collection Process
Evidence Collection ProcessEvidence Collection Process
Evidence Collection Process
 
DOJ
DOJDOJ
DOJ
 
To get round to the heart of fortress
To get round to the heart of fortressTo get round to the heart of fortress
To get round to the heart of fortress
 
1Forensic Science and CriminalisticsAssociated Press.docx
1Forensic Science and CriminalisticsAssociated Press.docx1Forensic Science and CriminalisticsAssociated Press.docx
1Forensic Science and CriminalisticsAssociated Press.docx
 
Text mining on criminal documents
Text mining on criminal documentsText mining on criminal documents
Text mining on criminal documents
 
Evidence Integrity And Evidence Continuity Essay
Evidence Integrity And Evidence Continuity EssayEvidence Integrity And Evidence Continuity Essay
Evidence Integrity And Evidence Continuity Essay
 
Digital forensics Steps
Digital forensics StepsDigital forensics Steps
Digital forensics Steps
 
Digital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDigital Evidence by Raghu Khimani
Digital Evidence by Raghu Khimani
 
What is Digital Forensics.docx
What is Digital Forensics.docxWhat is Digital Forensics.docx
What is Digital Forensics.docx
 
The Emergence of Digital Forensic Bangalore
The Emergence of Digital Forensic BangaloreThe Emergence of Digital Forensic Bangalore
The Emergence of Digital Forensic Bangalore
 

Recently uploaded

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 

Recently uploaded (20)

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 

The Investigative Lab - White Paper

  • 1. NUIX WHITE PAPER THE INVESTIGATIVE LAB: A MODEL FOR EFFICIENT COLLABORATIVE DIGITAL INVESTIGATIONS
  • 2. WHITE PAPER THE INVESTIGATIVE LAB: A MODEL FOR EFFICIENT COLLABORATIVE DIGITAL INVESTIGATIONS PAGE 2 CONTENTS Executive summary...............................................2 The digital forensic investigation impasse............3 Lessons from eDiscovery.......................................4 Case study: Serious Fraud Office...........................4 The investigative lab workflow model for digital investigations.......................................5 Share the workload —a production-line methodology.........................5 Ensure the right data gets reviewed by the right people................................................6 Use advanced investigative techniques................6 Perform deep forensics only when necessary........6 EXECUTIVE SUMMARY In this paper, we will discuss a model for setting up an investigative lab that allows digital forensic specialists, non-technical investigators and subject matter experts to collaborate on digital evidence. The end result is a dramatic increase in the volume and quality of digital evidence an investigative team can analyze within a fixed time. For many years, digital forensic investigators have used specialist forensic tools to “dig deep” into a handful of computers and other evidence sources. Typically, investigations rely on a single digital forensic specialist to examine these evidence sources one by one. This approach relies on the digital forensic investigator, who is usually not familiar with all the details or context of the case, to extract the information he or she thinks is relevant from each device. As a result, non-technical investigators and subject matter experts must rely on an incomplete and subjective slice of the evidence. By contrast, the model discussed in this paper enables investigative teams to divide up digital evidence and spread the review workload between many people. They can distribute different types of evidence to the people most qualified to understand it and its context. This methodology also provides opportunities to apply advanced investigative techniques such as data visualization and near-duplicate analysis, helping investigators look at the evidence from different angles. While in-depth forensic analysis remains an essential tool, this workflow limits its use to specific circumstances when it can deliver the most value. By adopting a collaborative investigation model like the one in this paper, the United Kingdom’s Serious Fraud Office (SFO) increased the volume of data it could process each year 20-fold. This methodology also enabled the SFO’s investigation teams to respond much faster to information requests from courts. The end result is a dramatic increase in the volume and quality of digital evidence an investigation team can analyze within a fixed time
  • 3. WHITE PAPER THE INVESTIGATIVE LAB: A MODEL FOR EFFICIENT COLLABORATIVE DIGITAL INVESTIGATIONS PAGE 3 Digital investigators face a constant battle to find the truth in ever larger, more varied and increasingly complex stores of electronic evidence. At the same time they must balance business demands such as reduced budgets and resources, spiraling case backlogs and ever decreasing timescales. These demands are made all the more challenging because many digital investigations rely on workflows, processes and tools that were designed before this mass explosion of data and devices—in fact, they often hark back to a pre-digital age. As the growing volume of data has stretched traditional forensic tools to capacity, it becomes impossible to examine them all. Digital forensic investigators may take arbitrary decisions as to which evidence sources they analyze first—or at all. Many investigative organizations do not follow standard processes for each stage of this investigative workflow. For example, digital forensic investigators may not handle all data sources consistently during processing and analysis. They might deliver the relevant information in different ways, such as printing it out, copying it to a CD or flash drive, or placing it on a computer where other stakeholders can search it. A traditional investigation relies on two very different groups of people: • Case investigators—such as police detectives and corporate fraud analysts—understand the wider context of the investigation and examine crimes or investigative matters from all angles. If an investigation has a digital component, such as a computer recovered at a crime scene, an investigator would call on the support of one or more digital forensic investigators who would examine the computer and they report their findings back to them • Digital forensic investigators collect, image, process and examine the collected data. They typically identify and evidence digital material that they consider potentially relevant to the case. This division of roles (see Figure 1) is a major source of inefficiency. More worryingly, it highlights a disconnection in the investigation process. Very often case investigators view digital forensic investigators as providing a supporting service, rather than working with them collaboratively. For example, it is common for a single digital forensic investigator to handle all devices involved in an investigation. This solo digital forensic investigator will typically examine each storage device in turn, extracting the information he or she thinks is relevant then preparing a report for the less technical investigative team. This piecemeal approach is very inefficient, especially in larger cases. Digital forensic investigators must make critical decisions about the relevance of particular documents, email messages or images—or even entire evidence sources— often without knowing the broader details of the case. This is something like the ancient parable about six blindfolded men trying to describe an elephant. One is touching the elephant’s trunk and thinks the elephant is like a snake. Another is holding the elephant’s leg and thinks it is like a tree, and so on. While they are all correct about the individual parts, none of them can see the bigger picture (see Figure 2). The inability to understand the evidence in its broader context can have knock-on effects when digital forensic investigators must provide their findings to larger teams or other stakeholders such as prosecutors or human resources, legal or internal audit departments. These stakeholders must often rely on the pieces of the puzzle that the forensic investigator decided were most relevant. THE DIGITAL FORENSIC INVESTIGATION IMPASSE Focusing on one part at a time makes it hard to see the elephant in the room Figure 1: Typical division of roles in investigations with very little overlap between those performing technical and non-technical tasks. Figure 2: Focusing on one part at a time makes it hard to see the elephant in the room. Digital forensic investigators often working behind closed doors Case investigators managing the entire investigation and relying on digital evidence to help join the dots
  • 4. WHITE PAPER THE INVESTIGATIVE LAB: A MODEL FOR EFFICIENT COLLABORATIVE DIGITAL INVESTIGATIONS PAGE 4 Some investigative organizations have streamlined their processes for handling digital evidence (see for example, the United Kingdom Serious Fraud Office case study). In this area, investigators have a great deal to learn from the way legal teams handle electronic discovery, which typically involves even larger volumes of digital evidence than investigations. In many jurisdictions, courts require litigants to collaborate and consider eDiscovery at the earliest opportunity. Doing so can help keep the costs of the case proportionate to the amount at dispute. To achieve this, discovery practitioners must quickly identify potentially relevant material among massive volumes of digital evidence. They must then place this potentially relevant material into the hands of the experts such as senior lawyers, financial investigators or subject matter experts. Legal teams often use a tiered review system, assigning junior staff to perform a “first cut” review of the material to eliminate the material that is clearly not relevant. Rather than allowing these reviewers to make arbitrary decisions, someone who has in-depth knowledge of the case would create a pre-defined set of guidelines for them to follow. This person may also review, validate or amend these decisions. In this way, smaller and smaller volumes of more and more relevant material are passed up the chain. The highly knowledgeable—and usually highly paid—experts need only see the “hot” documents, safe in the knowledge that someone has reviewed and classified all other material. This process is a very efficient way of classifying huge volumes of material into relevant or not relevant bundles. For it to work, legal teams must be able to: • Divide up the available evidence into parcels for multiple people to review • Ensure each reviewer understands the ground rules for deciding what is relevant • Make the most relevant documents available for experts to analyze and examine. This approach is not new, even in investigative circles. For example, in many complex criminal matters, rank-and-file detectives do the ground work, such as identifying witnesses and evidence, before passing on their findings to senior officers and subject matter experts for review. However, it is rare for digital forensic investigators to follow this process when dealing with electronic evidence, often because traditional tools make it difficult to combine information from multiple sources and make it available to non-technical investigators or subject matter experts for review. Investigators have a great deal to learn from the way legal teams handle electronic discovery, which typically involves even larger volumes of digital evidence than investigations LESSONS FROM eDISCOVERY CASE STUDY: SERIOUS FRAUD OFFICE The collaborative investigation model and lab workflow discussed in this paper draws on the experience of Nuix’s Director of Forensic Solutions Paul Slater at the United Kingdom Serious Fraud Office (SFO). By adopting this model, the SFO increased the volume of data it could process each year 20-fold and made it possible to deliver timely responses to information requests from courts. As interim head of the Digital Forensics Unit from 2009 to the end of 2010, Slater helped to standardize and streamline the SFO’s digital investigative processes. The SFO reduced its focus on in-depth forensics; created and automated investigative workflows; and developed a more collaborative approach to investigations. This change in approach helped to transform the SFO’s capabilities. “While traditional computer forensics techniques dig deep into a handful of computers, [the SFO can now] quickly distil the huge volumes of data captured in our search operations and to focus on material likely to have greatest evidential yield,” wrote the SFO’s Chief Executive in its 2010-11 Annual Report and Accounts.i “We can now handle up to 100GB of new information each day—a 2,000% increase year on year. “It is also allowing us to respond quickly to court requirements—in one case we were able to identify and produce over 47,000 emails overnight to satisfy a judge’s order. Such speed of response would have been impossible before.”
  • 5. WHITE PAPER THE INVESTIGATIVE LAB: A MODEL FOR EFFICIENT COLLABORATIVE DIGITAL INVESTIGATIONS PAGE 5 TIER 1 High volume of material, relevance unknown, for initial filtering and review TIER 2 Potentially relevant material for expert review TIER 3 Highly relevant material IMAGES AND VIDEOS EMAILS FINANCIAL RECORDS DOCUMENTS AND SPEADSHEETS POTENTIALLY RELEVANT IMAGES AND VIDEOS POTENTIALLY RELEVANT DOCUMENTS POTENTIALLY RELEVANT EMAILS RELEVANT IMAGES AND VIDEOS RELEVANT EMAILS AND DOCUMENTS The investigative lab model is a way for investigators to combine the efficiencies of the eDiscovery process with the forensic rigor and provenance of traditional digital investigation methodologies. It offers a more efficient way of utilizing available resources by making it possible to spread work between digital and non-digital investigators and subject matter experts, rather than being the sole responsibility of often a single person. It also ensures that digital forensic investigators handle each piece of evidence using an agreed set of repeatable processes. Although this workflow model is technology agnostic, it requires a number of capabilities that are not available in traditional forensic tools, such as: • Conducting a light metadata scan of data sources to rapidly assess their content and value to the investigation • Combining multiple evidence sources into a single data set for analysis • Processing multiple terabytes of evidence within a reasonable time • Supporting a wide range of file formats including forensic image formats from multiple competing technologies • Dividing a large data set into sub-cases based on criteria such as date, custodian, file format, location or language, then recombining the results into a single case. Share the workload—a production-line methodology A key shortcoming of the traditional approach is that digital forensic investigators examine each evidence source individually. However, cases often hinge on a particular type of evidence—such as documents, emails or text messages—and the connections between them across multiple sources. In addition, certain evidence types must be reviewed by people who have particular expertise. As a result, a necessary first step of this methodology is to assemble all available evidence—forensic images, email and mobile phone communications, loose files, documents and the rest—into a single location. Conducting a light metadata scan on all these evidence sources can quickly help investigators choose the items they want to process in greater depth. This forms part of the content-based forensic triage process Nuix has discussed in a previous white paper, Content-Based Forensic Triage: Managing Digital Investigations in the Age of Big Data.ii Once the investigative team has chosen the evidence sources most likely to be relevant, they can then process these devices following a set of previously agreed standards and settings. Investigative organizations can build a series of best practices or case-specific workflows which automate many of the time-consuming and error-prone tasks that are performed on each case. These include date range filtering, keyword searching and tagging, identification and optical character recognition (OCR) for non-text documents. The workflow can also include activities to filter out irrelevant information such as duplicate items or system files. This approach significantly reduces operator-level decisions and inconsistencies around which files are processed and how, leading to a consistent and repeatable outcome. By using this methodology, investigative teams can rapidly trim down large evidence sets into small numbers of highly relevant items for expert review (see Figure 3). Using the collaborative approach and tiered review methodology, investigators can quickly distil huge volumes of data into smaller, more manageable chunks Figure 3: A tiered approach to reviewing evidence. THE INVESTIGATIVE LAB WORKFLOW MODEL FOR DIGITAL INVESTIGATIONS
  • 6. WHITE PAPER THE INVESTIGATIVE LAB: A MODEL FOR EFFICIENT COLLABORATIVE DIGITAL INVESTIGATIONS PAGE 6 Key evidence is more often found “hidden in plain sight”. As a result, in-depth forensic analysis must become the exception rather than the rule. Ensure the right data gets reviewed by the right people The next phase of this investigative workflow involves dividing the processed evidence into review sets. At its most basic, it can be a way of sharing the work between multiple investigators to complete the task faster. They may choose to divide up the evidence by date ranges, custodians, location, language or content. However, there are many other options. In a fraud case, for example, investigators could pass on financial records to forensic accountants and internet activity to technical specialists. In an inappropriate images investigation, detectives could package potentially relevant pictures and videos for specialist child protection teams, while leaving other file types for their digital forensic investigators. In multi-jurisdictional investigations, investigative teams can produce evidence or intelligence packages for third parties to review, comment on and return. Use advanced investigative techniques As we have discussed, this workflow borrows a number of ideas from eDiscovery. Investigators can also use a number of technology- assisted analysis techniques from the legal world to look at the evidence from different angles. For example, some investigative tools offer ways to visualize the data and metadata. Common visualizations include timelines of document or user histories; network maps of communications between people; and mapping locations of photos or phone calls. These allow investigators to quickly understand the who, what, where, when and why of the evidence. Another emerging technique is the ability to identify similar or near- duplicate documents within a data set. By extracting and comparing lists of overlapping phrases called “shingles,” investigative tools can identify documents with similar content, and gauge how similar they are. This can help investigators identify who created, received or sent key emails, documents or attachments; analyzes how documents have changed over time; or find related documents that use similar language. Near-duplicate technology can also speed up the process of identifying relevant evidence by connecting file fragments and recovered deleted data to similar content found within live files to build up the picture of events over time. The list of shingles used to make near-duplicate comparisons has another powerful use: increasing the relevance of keyword searches. For example, fraud analysts search for words and phrases that indicate an employee may have motivation, opportunity and rationalization to commit fraud. However, these keyword searches may also bring up many results that are not relevant. By instead searching the list of shingles that contain words such as “cover up,” “write off,” “grey area,” “not ethical” or “off the books,” investigators can quickly locate longer phrases that will deliver highly relevant search results. Perform deep forensics only when necessary Many digital forensic investigators have been reluctant to change their processes even as they struggle with masses of digital material. One reason is they believe the old-fashioned technique is the only way to achieve the forensic rigor and deep technical analysis that courts and other authorities require. In our experience, nowadays the key evidence is more often found “hidden in plain sight”—typically in email, documents, spreadsheets or images. The major impediment for digital forensic investigators is that they can’t get across the volume of evidence to find the facts that will prove or disprove the case, especially if they conducting time-consuming deep forensic analysis on every data source. As a result, in-depth forensic analysis must become the exception rather than the rule. Using the collaborative approach and tiered review methodology in the paper, investigators can quickly distil huge volumes of data into smaller, more manageable chunks. Once this technique identifies the smoking gun or the elephant in the room, investigators can pass this piece of data back to specialist digital forensic investigators for them to examine and provide provenance, validate authenticity and produce to the court or authorities. Alternatively, the review workflow may not locate the crucial evidence but may provide strong clues as to where digital forensic investigators should deep-dive to try and find it. i http://www.sfo.gov.uk/media/175084/resource-accounts-2010-11.pdf ii http://nuix.com/PDFDownload.aspx?f=images/resources/White_Paper_Nuix_ Content-Based_Triage_US_WEB.pdf
  • 7. APAC North America EMEA Australia: +61 2 9280 0699 USA: +1 877 470 6849 UK: +44 207 877 0300 » Email: sales@nuix.com » Web: nuix.com » Twitter: @nuix Copyright © 2014 Nuix. All rights reserved. ABOUT NUIX Nuix enables people to make fact-based decisions from unstructured data. The patented Nuix Engine makes small work of large and complex human-generated data sets. Organizations around the world turn to Nuix software when they need fast, accurate answers for digital investigation, cybersecurity, eDiscovery, information governance, email migration, privacy and more. TO FIND OUT MORE ABOUT NUIX’S INVESTIGATIVE LAB VISIT nuix.com/investigator-lab