Data Collection and Early Case Assessment for Investigations

  • Blog Post
  • Posted on 1 September 2020

by David Kerstjens, Digital Forensics Lead Consultant

Data collection and analysis for investigations is very different from collection for discovery or review. This article discusses the differences, how Early Case Assessment (ECA) can assist, and the benefits of using review technology.

Data Collection and Analysis for an Investigation

Collecting for an investigation often involves overcoming many barriers, and analysis faces the added difficulty of having to reconstruct past events as they occurred.

An example of a hidden complexity within an investigation is information about user activities in specific locations or timeframes. Video files or recordings may otherwise be overlooked but can contain complex hidden information. It is possible to look into the metadata (data about the data), such as who created the video and when it was created, as well as the GPS location of the videos and/or images. This information could indicate when or where the item was recorded, which could prove very pertinent.

Mobile phone data is another great source of data, which may create difficulties should the forensic investigator not be well versed in it. One example of how a Digital Forensics expert could add value to an investigation is when the person being investigated doesn’t want the forensic investigator to see something on their device and refuses to surrender their mobile phone. One would think there is no way for the data to be collected. In reality, if the person ever connected their mobile phone to their work device and created a back-up, the forensic investigator doesn’t need the phone; they can simply access the user-generated back-up. It is possible to recover a large amount of data from the phone using the back-up, including deleted data. This will likely include (but not be limited to) communications, documents and photos.

When it comes to data, recovery should start as soon as possible. The longer the period between an incident and the investigation, the higher the risk that the data cannot be recovered.

One of the things that our clients are particularly interested in is a timeline of events, to understand what occurred and allow the story to be developed. This involves reporting on the significant dates and relating them back to the activity recorded on a particular day. This includes activities such as when documents were created, what has been deleted, when something was copied from the C: drive to a USB device, etc. The aim is to reconstruct these events and understand exactly what happened on a particular day or within a particular timeframe.
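The timeline reconstruction described above, as an added illustration that is not code from the original post: artefact records from different sources (here constructed filesystem and USB entries, each reporting time in its own format) are normalised to UTC, merged into one ordered timeline, and then queried for a single day and for the life of one file.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Event:
    when: datetime   # always UTC after normalisation
    source: str
    action: str
    detail: str

# Constructed sample artefacts, not data from the original post. The filesystem
# records carry local-time strings with a UTC offset; the USB record carries
# epoch seconds. Mixing them without normalising is a classic timeline error.
FILESYSTEM = [  # (timestamp with offset, action, path)
    ("2020-08-31T10:15:00+10:00", "created", "C:\\Users\\alice\\Docs\\pricing.xlsx"),
    ("2020-08-31T17:40:00+10:00", "deleted", "C:\\Users\\alice\\Docs\\pricing.xlsx"),
]
USB = [  # (epoch seconds, action, detail)
    (1598844600, "copied", "pricing.xlsx -> E:\\ (removable drive, constructed)"),
]

def parse_iso(text):
    """ISO-8601 string with offset -> aware UTC datetime."""
    return datetime.fromisoformat(text).astimezone(timezone.utc)

def parse_epoch(seconds):
    """Unix epoch seconds -> aware UTC datetime."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

def build_timeline():
    """Merge every source into one list ordered by UTC time."""
    events = [Event(parse_iso(t), "filesystem", a, p) for t, a, p in FILESYSTEM]
    events += [Event(parse_epoch(t), "usb", a, d) for t, a, d in USB]
    return sorted(events, key=lambda e: e.when)

def between(events, start, end):
    """Events falling inside [start, end); both bounds must be UTC-aware."""
    return [e for e in events if start <= e.when < end]

def lifecycle(events, filename):
    """Ordered actions touching a file name, e.g. created -> copied -> deleted."""
    return [e.action for e in events if filename in e.detail]

if __name__ == "__main__":
    for e in build_timeline():
        print(e.when.isoformat(), e.source, e.action, e.detail)
```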

Early Case Assessment (ECA)

Once all the data is collected, the net has been cast and, metaphorically speaking, a bunch of fish has been caught. Now we need to start removing what is irrelevant to us.

Firstly, we check the level of duplication among the documents. The legal team does not want to review the same emails over and over, so the duplicates must be removed. This involves running some initial searches to filter out the rubbish, e.g. emails from Yahoo Sport or Google News. It is also possible to sort by custodian, e.g. only emails going from the company to an external recipient.

This process assists with planning how the data will be reviewed. It is important to examine the kind of metrics that will be used to cut out the irrelevant data and capture what is potentially relevant. The point is to prioritise and find evidence. Prioritising what is potentially relevant will move the review faster, saving time and money for all parties.
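The ECA steps in the two paragraphs above (de-duplication, filtering out bulk-news senders, narrowing to outbound company mail, and reporting the resulting metrics), as an added example that is not code from the original post. The mailbox, the company domain and the noise-sender domains are all constructed assumptions; duplicates are detected by a normalised fingerprint so that whitespace-only differences between custodians' copies still collapse, while the list of custodians who held each copy is preserved.

```python
import hashlib
from collections import Counter

COMPANY_DOMAIN = "example.com"                          # assumed client domain
NOISE_SENDERS = {"news.yahoo.com", "news.google.com"}   # assumed bulk-mail domains

# Constructed sample mailbox, not data from the original post.
EMAILS = [
    {"id": 1, "custodian": "alice", "from": "alice@example.com", "to": "bob@partner.org",
     "subject": "Re: contract", "body": "Sending the draft.\n"},
    {"id": 2, "custodian": "bob", "from": "alice@example.com", "to": "bob@partner.org",
     "subject": "Re: contract", "body": "Sending  the draft."},   # bob's copy of id 1
    {"id": 3, "custodian": "alice", "from": "alerts@news.google.com", "to": "alice@example.com",
     "subject": "Daily digest", "body": "Top stories..."},
    {"id": 4, "custodian": "carol", "from": "carol@example.com", "to": "alice@example.com",
     "subject": "Lunch?", "body": "12:30?"},
]

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def message_key(msg):
    """Fingerprint of sender, recipient, subject and whitespace-normalised body."""
    body = " ".join(msg["body"].split())
    raw = "|".join([msg["from"].lower(), msg["to"].lower(), msg["subject"].strip().lower(), body])
    return hashlib.sha256(raw.encode()).hexdigest()

def dedupe(emails):
    """Keep one copy per fingerprint but record every custodian who held it."""
    unique = {}
    for m in emails:
        key = message_key(m)
        if key in unique:
            unique[key]["custodians"].append(m["custodian"])
        else:
            unique[key] = dict(m, custodians=[m["custodian"]])
    return list(unique.values())

def drop_noise(emails):
    return [m for m in emails if domain(m["from"]) not in NOISE_SENDERS]

def outbound_only(emails):
    """Mail sent from the company to an external recipient."""
    return [m for m in emails
            if domain(m["from"]) == COMPANY_DOMAIN and domain(m["to"]) != COMPANY_DOMAIN]

def early_case_assessment(emails):
    """Metrics a reviewer would want before planning the review."""
    unique = dedupe(emails)
    useful = drop_noise(unique)
    return {"collected": len(emails), "after_dedupe": len(unique),
            "after_noise_filter": len(useful),
            "outbound_ids": [m["id"] for m in outbound_only(useful)],
            "by_custodian": dict(Counter(c for m in useful for c in m["custodians"]))}
```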

One of the other benefits of ECA is the ability to look at the communications between two individuals and the events that happened, and better form an opinion about whether there is a chance of winning the case.

Using the Review Platform

Once the data is in the review platform and on a timeline, it is possible to click into the timeline, apply a real-time filter to the data and see all the custodians of the data. Search terms are provided so the data can be searched.

There are two ways to review: reviewing for what is relevant, and reviewing for what is irrelevant so it can be removed. In other words, is a document responsive or not responsive? Or is it a hot document? The document then needs to be tagged. The tags are completely customisable. If the tags have already been decided on, it makes things much easier, particularly when working with a review team or multiple teams.

The review platform allows teams to work together without doubling up on each other's work, so the review is much faster. Everything is tracked and properly recorded, and the platform can also be used remotely. Users can log in with Google Chrome or Internet Explorer.

From here, you can use analytics and technology to help refine the review further.

For more information, please contact our team.
