COMPUTER FORENSICS can create mountains of data, complicating and confusing the simplest of cases. When the number of exhibits containing electronic evidence multiplies, the challenge is analogous to finding a needle in a haystack.
Reports from forensic investigators can become over-burdened with data, often with very little real ‘information’ to substantiate the case arguments and determine when events occurred.
When you’re instructed by commercial or public-sector organisations you can often be presented with electronic evidence from a multiplicity of computers and networks along with the usual mobile phones, telephone records and desktop/laptop computers. All these ‘systems’ store increasingly high volumes of granular data. If you progress down the traditional forensic examination route, you can quickly receive a witness statement plus allied report detailing a list of exhibits that match particular search terms or dates of relevance for each individual item of evidence. The exhibits may be individual email messages, system log files, digital images and word processing documents.
While this can reveal quite compelling elements, there is still often a considerable amount of manual effort in correlating the exhibits, identifying temporal relationships between them and tying them into the case chronology.
Also, the software that aids the forensic examiner is often limited in the breadth of information it can extract. It will often be designed to focus on popular desktop software such as office productivity, email and basic common applications such as financial packages, but will be unable to extract data from larger databases or computer systems.
Is there an alternative? Is there a method to bring together all rich sources of data? Is there any way of focusing on real information that has a significant bearing on the case?
While most experts are trained to avoid multiple questions, in this case we must concede: yes, yes and yes!
By developing proven techniques used in the world of business intelligence, an alternative approach can rapidly progress the results obtained from a conventional computer forensics investigation. In this highly connected world, having a single window onto all electronic evidence enables lawyers to determine the next step.
The success factor is engaging experts that can forensically extract, time-base and link (FETL) together data in such a way that it can be searched, aggregated, parsed and statistically processed, producing a full four-dimensional model of the electronic evidence. We are not talking about the activities of a maverick expert going out on a limb, but a professional who can rapidly design a repository of electronic evidence on a case-by-case basis that is designed to be interrogated for the particular case in question.
That may include:
* Adding data from any computer system, whether it be a laptop, desktop, server or mainframe.
* Recognising the varying formats of email messages, financial transactions, electronic orders, telephone call records, security logs and system events.
* Opening the different syntax of text files, spreadsheets and email messages.
* Accessing large relational databases, email stores and application servers, and sourcing the underlying structured data.
Pulling together all these components into a single repository enables the expert to travel through time and follow a sequential chain of events that could start with a single telephone call or text message, followed by a flurry of online activity, conspicuous trading and ending up with an array of fraudulent financial transactions.
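The extract, time-base and link idea above can be made concrete in a few dozen lines. The following is an added example written for this page, not the author's own tooling: it parses four constructed exhibits in different formats (an email, two syslog lines, a call-record export and a trading-system export), normalises every timestamp to UTC, hashes each raw record so the repository can be tied back to the exhibit it came from, maps raw identifiers onto the people and accounts the case has already attributed them to, and then lets the examiner walk the merged timeline by time window or by following links from a single identifier. Every name, address, phone number, account and the `IDENTITY` attribution table is fictitious; the syslog year and the export time zones are assumptions, because syslog lines carry no year and exports rarely state their zone, which is exactly the time-basing problem the text describes.

```python
"""Merge heterogeneous evidence into one UTC-ordered, linkable timeline.

All exhibits, identifiers and attributions below are constructed for
illustration; they are not from any real case.
"""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# --- constructed exhibits -------------------------------------------------
EXHIBIT_EMAIL = """From: alice@example.test
To: bob@example.test
Date: Tue, 03 Mar 2020 09:15:00 +0100
Subject: re: the order

go ahead as discussed
"""
EXHIBIT_SYSLOG = [
    "Mar  3 08:20:11 fileserver sshd[412]: Accepted password for bob from 10.0.0.5 port 51022 ssh2",
    "Mar  3 08:21:02 fileserver sudo: bob : TTY=pts/0 ; COMMAND=/usr/bin/scp orders.db",
]
EXHIBIT_CALLS = """time,caller,callee,duration
03/03/2020 09:05,+44700000001,+44700000002,45
03/03/2020 17:40,+44700000002,+44700000003,120
"""
EXHIBIT_TRADES = [
    {"ts": "2020-03-03 04:30:00", "account": "ACC-0042", "user": "bob", "amount": 250000.0},
]

# --- assumptions that must be recorded in the report ----------------------
SYSLOG_YEAR = 2020                          # syslog lines carry no year
SYSLOG_TZ = timezone.utc                    # assumed server clock
CALLS_TZ = timezone(timedelta(hours=1))     # assumed zone of the call export
TRADES_TZ = timezone(timedelta(hours=-5))   # assumed zone of the trade export
# Attribution of raw identifiers to entities, established from other evidence.
IDENTITY = {
    "alice@example.test": "alice", "+44700000001": "alice",
    "bob@example.test": "bob", "+44700000002": "bob", "ACC-0042": "bob",
}


@dataclass(frozen=True)
class Event:
    ts: datetime          # always timezone-aware UTC
    source: str           # which exhibit the record came from
    actors: frozenset     # entities that can link this event to others
    detail: str
    digest: str           # sha256 of the raw record, for integrity checks


def _mk(ts, source, actors, detail, raw):
    actors = frozenset(IDENTITY.get(a, a) for a in actors)
    return Event(ts.astimezone(timezone.utc), source, actors, detail,
                 hashlib.sha256(raw.encode()).hexdigest())


def parse_email(raw):
    msg = message_from_string(raw)
    ts = parsedate_to_datetime(msg["Date"])          # honours the +0100 offset
    return [_mk(ts, "email", [msg["From"], msg["To"]], f"subject={msg['Subject']!r}", raw)]


SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")

def parse_syslog(lines):
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, hms, host, _prog, msg = m.groups()
        ts = datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {hms}",
                               "%Y %b %d %H:%M:%S").replace(tzinfo=SYSLOG_TZ)
        # usernames as written by sshd ("for bob from") and sudo ("bob :")
        users = {u for pair in re.findall(r"\bfor (\w+) from\b|^(\w+) :", msg) for u in pair if u}
        events.append(_mk(ts, "syslog", users | {host}, msg, line))
    return events


def parse_calls(raw):
    events = []
    for line in raw.splitlines()[1:]:                # skip the CSV header
        t, caller, callee, secs = line.split(",")
        ts = datetime.strptime(t, "%d/%m/%Y %H:%M").replace(tzinfo=CALLS_TZ)
        events.append(_mk(ts, "calls", [caller, callee], f"call {secs}s", line))
    return events


def parse_trades(rows):
    events = []
    for r in rows:
        ts = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=TRADES_TZ)
        events.append(_mk(ts, "trades", [r["account"], r["user"]],
                          f"trade {r['amount']:.2f}", repr(sorted(r.items()))))
    return events


def build_timeline():
    """Extract every exhibit, time-base it to UTC and merge into one sequence."""
    events = (parse_email(EXHIBIT_EMAIL) + parse_syslog(EXHIBIT_SYSLOG)
              + parse_calls(EXHIBIT_CALLS) + parse_trades(EXHIBIT_TRADES))
    return sorted(events, key=lambda e: e.ts)


def within(timeline, start, end):
    return [e for e in timeline if start <= e.ts <= end]


def linked_chain(timeline, seed):
    """Walk the timeline in order, pulling in each event that shares an
    entity with the seed or with anything already pulled in."""
    known, chain = {seed}, []
    for e in timeline:
        if e.actors & known:
            known |= e.actors
            chain.append(e)
    return chain


if __name__ == "__main__":
    for e in linked_chain(build_timeline(), "alice"):
        print(e.ts.isoformat(), e.source, sorted(e.actors), e.detail)
```

Run as a script it prints the chain that starts with the call and runs through the email, the two logins and the trade, each on a single UTC clock. The `digest` field is what lets the report point from a timeline row back to the exact raw record in the exhibit, and the assumed year and time zones are deliberately named constants so they appear in the report as assumptions rather than being buried in the parsing code.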
So when you are next presented with a potentially daunting list of electronic evidence, consider the alternative. Are you sending a forensic investigator on a wild goose chase (at your client’s expense) or are you looking for real answers?