Digital Forensics Magazine, The Quarterly Magazine for Digital Forensics Practitioners, Issue 23, May 2015
/ FEATURE / ADVANCED
EMBRACING EDISCOVERY
Paul Slater on meeting the demands of today's digital investigations with the budget of 10 years ago.

Digital forensic investigators are dealing with large and growing volumes of evidence across an increasing number and variety of sources. This has stretched traditional forensic tools and processes to capacity. All the while, budgets are tightening and backlogs are increasing.

According to the 2014 State of Policing report from Sir Thomas Winsor, Her Majesty's Chief Inspector of Constabulary [1], although performing well in many respects, the police are falling behind the curve of rapidly changing criminality, policing the crimes of today with the methods of yesterday and insufficiently prepared for the crimes of the future. Looking at technology specifically, it says: "forces need urgently to match their digital forensic capability to the reality of modern crime." Technology is an integral part of policing today. However, many police forces' ability to gather and analyse digital evidence is underdeveloped.

"Forensic analysis simply takes too long. Officers told of significant delays in receiving evidence from digital devices," the report says. The absence of this evidence can cause unacceptable delays in investigations and prosecutions. This problem has an adverse effect on police officers' ability to investigate the crimes that affect the public every day. It is not acceptable that evidential material that happens to be stored digitally cannot be made available to investigating officers for weeks, and sometimes months, after the crime.

If I were a police chief or forensic investigator reading this, I'd be tempted to answer back, "That's all very well, but you try policing the crimes of today with a smaller budget than I had a decade ago," especially in light of recent comments by the Chief Inspector of Constabulary that "police cuts are here to stay" [2].
While there's little police forces can do about their budgets, there is a lot they can do about working more efficiently with the resources they have. For digital forensic capabilities to match the realities of modern crime, investigators must work smarter, not harder.

/ Adapting To Meet Changing Demands
I have worked with quite a few investigative organisations that have streamlined their processes for handling digital evidence. Often this has required letting go of the "my way or the highway" attitude and taking lessons from other disciplines. Specifically, investigators can learn a lot from the way legal teams handle electronic discovery, which typically involves even larger volumes of digital evidence than investigations. Findings from the recently released report eDiscovery in Digital Forensic Investigations [3], published by the United Kingdom Home Office, shed additional light on the benefits of this approach. The report details the results of a review into the use of ediscovery software and workflows in the context of digital forensic investigation, conducted by the London Metropolitan Police Service and the UK Centre for Applied Science and Technology. After examining a number of commercial ediscovery applications, they determined that: "there are clear benefits to investigators if they can access the data relevant to their case faster and see all the relevant data in one common format rather than separate reports or platforms for data from different sources. If the investigators can be enabled to conduct their own searching of digital information then the technical staff can also benefit through having more time available to focus on the technical issues which will continue to emerge as technology progresses."

This is an approach my colleagues and I have been advocating for several years. We have seen first hand the benefits of digital investigators embracing legal discovery workflows and technologies to complement their existing tools in criminal investigations.

/ Lessons From ediscovery
Case investigators, such as police detectives, often view digital evidence as a way of joining the dots in a broader investigation. As a result, digital forensic investigators tend to examine evidence sources individually, often without knowing the broader details of the case. They must make critical decisions about particular evidence sources and extract the information they believe is relevant from each device. This lack of collaboration means non-technical investigators and subject matter experts must rely on an incomplete and subjective slice of the evidence. Because cases often hinge on the connections between multiple evidence sources (the context of evidence as well as its content), investigators can lose sight of the bigger picture.

Similarly, legal teams often use a tiered review system, assigning junior staff to perform a first-cut review of the material to eliminate documents and evidence sources that are clearly not relevant. However, rather than allowing these reviewers to make arbitrary decisions, someone who has in-depth knowledge of the case would create a pre-defined set of guidelines for them to follow. This person may also review, validate or amend these decisions. In this way, smaller and smaller volumes of more and more relevant material are passed up the chain. The highly knowledgeable, and usually highly paid, experts need only see the hot documents, safe in the knowledge that someone has reviewed and classified all other material.

This process is a very efficient way of classifying huge volumes of material into relevant or not-relevant bundles. For it to work, legal teams must be able to:
- Divide up the available evidence into parcels for multiple people to review.
- Ensure each reviewer understands the ground rules for deciding what is relevant.
- Make the most relevant documents available for experts to analyse and examine.

This approach is not new, even in investigative circles. For example, in many complex criminal matters, rank-and-file detectives do the groundwork, such as identifying witnesses and evidence, before passing on their findings to senior officers and subject matter experts for review. It is, however, rare for digital forensic investigators to follow this process when dealing with electronic evidence, often because traditional tools make it difficult to combine information from multiple sources and make it available to non-technical investigators or subject matter experts for review.

/ The Investigative Lab Model for Collaboration
An investigative lab workflow can dramatically increase the volume and quality of digital evidence a team of investigators can analyse. This collaborative approach offers investigators a more efficient way of utilising available resources. The investigative lab model couples the rigour of traditional digital investigation methodologies with a tiered review system similar to the way legal teams handle electronic discovery.
The first stage of this process involves the investigative team assembling all available evidence, including forensic images, email and mobile phone communications, into a single location. Conducting a light metadata scan of these sources then helps quickly establish which items are likely to be relevant. Digital forensic investigators can then process these likely evidence sources in greater depth, following a set of previously agreed standards and settings. Over time, investigative organisations can build a series of best practices or case-specific workflows. By reducing operator-level decisions and inconsistencies around many time-consuming and error-prone tasks, investigative teams can deliver more consistent and repeatable outcomes. They can quickly condense large evidence sets into smaller sets of highly relevant items for expert review.

/ Collaboration & Review
To complete the task faster, investigative teams now divide up the digital evidence between many people. They may choose to divide the evidence by date ranges, custodians, location, language or content. This eliminates the reliance on a single digital forensic specialist to examine each evidence source one by one, and means different types of evidence can be distributed to the people most qualified to understand it and its context. For example, in an inappropriate images investigation, detectives could package potentially relevant pictures and videos for specialist child protection teams, while leaving other file types for their digital forensic investigators. Or in a fraud case, investigators could pass on financial records to forensic accountants and Internet activity to technical specialists. In multi-jurisdictional investigations, investigative teams can produce evidence or intelligence packages for other agencies to review, comment on and return.
/ Digital evidence
Digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial. Before accepting digital evidence a court will determine if the evidence is relevant, whether it is authentic, if it is hearsay and whether a copy is acceptable or the original is required.
Source: Wikipedia

/ Link Analysis
In network theory, link analysis is a data-analysis technique used to evaluate relationships (connections) between nodes. Relationships may be identified among various types of nodes (objects), including organizations, people and transactions. Link analysis has been used for investigation of criminal activity (fraud detection, counterterrorism, and intelligence), computer security analysis, search engine optimization, market research and medical research.
Source: Wikipedia
Perhaps one of the most significant costs that many law enforcement agencies face in investigating digital evidence is the need to travel to the data in order to review it. For some larger or national agencies it is not uncommon for investigators to spend days or weeks out of the office reviewing evidence. Not only is this incredibly inefficient, it can also be incredibly costly. So why isn't the data brought to the reviewer, rather than the other way around? When it comes to ediscovery, lawyers can access data 24 hours a day, anywhere in the world. This is another area where law enforcement can take a lesson from ediscovery to save valuable resources. This approach should become the rule and not the exception.

/ Intelligence & Analytics
Often, solving crimes requires finding the connections across multiple individuals, places, events and evidence sources. Human intuition has its place in the process, but much of the effort involves the time-consuming task of picking out and matching specific pieces of information from massive volumes of data. Computers, when applied judiciously, have a natural advantage in intelligence sharing, collaboration and data visualisation. As digital evidence becomes larger and more complex, investigators' greatest struggle is not a lack of information, but having too much to make sense of. One example of how technology can make this easier is by extracting, highlighting and cross-referencing intelligence items such as:
- Names
- Email addresses
- IP addresses
- Company names
- Credit card numbers
- Bank account numbers
- Identity numbers
- Amounts of money

Comparing and connecting this intelligence across all available evidence can rapidly reveal relationships between people, objects, locations and events. Over time, investigators can build a library of intelligence that they can query across multiple cases.
Visually representing these large volumes of data can be a fast way to locate the key facts and connections within a case. It enables people, even those with limited technical knowledge, to follow a hunch or idea down to very specific details in a matter of seconds. Common analytical techniques include:
- Top types. Quickly understanding the makeup of data sets by showing the most common file types as bar or pie charts.
- Pivot. Analysing the relationship between any two elements in a data set, including custodians, file extensions, file types, languages, named entities, tags and word lists.
- Date trending. Visualising the frequency of data over the entire case or any filtered subset, then drilling down to year, month or day views.
- Timeline. Reviewing the content of emails, documents, phone calls or other communications from multiple sources or custodians in the order they happened.
- Communication network. Showing the interactions between persons of interest with an interactive network diagram that shows the number of connections for each link.
- Link analysis. Understanding the connections between people and intelligence items such as credit card numbers, IP addresses, organisations and sums of money.
- Intersection. Rapidly understanding how key elements in the data overlap and pinpointing the critical intersections between multiple result sets and data types.
- Shingle and word lists. Rapidly understanding the key words and phrases, and their context, in the case.

Combining analytical techniques can help investigators progress from a bewildering array of information to highly relevant details very quickly. For example, you could filter an entire evidence set to just email messages within a relevant date range that contain credit card numbers. If that still returns too many results, you could use other techniques, such as suspect names or keyword searches, to filter the evidence further. Now you can use a network diagram to see who is emailing credit card numbers to whom.
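The filter chain and link analysis just described, as an added worked example that is not from the article or any product it discusses: a small Python script over constructed sample messages (three emails and one SMS) that extracts email addresses, IP addresses and Luhn-checked card numbers, narrows the set to emails in a date range that contain a card number, then tallies who sent a card number to whom and which evidence sources share each card. All names, addresses and numbers are made up; the card numbers are only digit strings that pass the Luhn check.

```python
import re
from collections import Counter, defaultdict

# Constructed sample evidence (not real data): one record per message, from mailboxes and a phone.
EVIDENCE = [
    {"source": "mailbox-A", "type": "email", "date": "2014-03-02", "from": "alice@example.test",
     "to": "bob@example.test", "body": "Use card 4532015112830366 for the deposit."},
    {"source": "mailbox-B", "type": "email", "date": "2014-03-05", "from": "bob@example.test",
     "to": "carol@example.test", "body": "Fwd: 4532015112830366, ref 1234567890123456, seen from 203.0.113.7"},
    {"source": "phone-1", "type": "sms", "date": "2014-03-06", "from": "+441632960100",
     "to": "+441632960200", "body": "card 4532 0151 1283 0366 worked"},
    {"source": "mailbox-A", "type": "email", "date": "2013-01-09", "from": "alice@example.test",
     "to": "dave@example.test", "body": "old card 4916338506082832 expired"},
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits with optional separators

def luhn_ok(digits):
    """Luhn checksum: rejects digit runs that merely look like card numbers."""
    weighted = [int(c) * (2 if i % 2 else 1) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in weighted) % 10 == 0

def extract_entities(text):
    """(kind, value) pairs; card digits are normalised so '4532 0151 ...' and '45320151...' link up."""
    found = {("email", m.lower()) for m in EMAIL_RE.findall(text)}
    found |= {("ip", m) for m in IPV4_RE.findall(text)}
    cards = (re.sub(r"\D", "", m) for m in CARD_RE.findall(text))
    found |= {("card", d) for d in cards if luhn_ok(d)}
    return found

def filter_items(items, types=None, start=None, end=None, entity_kind=None, keywords=()):
    """Narrow the evidence set step by step (type, ISO date range, entity kind, keywords)."""
    def keep(it):
        kinds = {k for k, _ in extract_entities(it["body"])}
        return ((not types or it["type"] in types)
                and (not start or it["date"] >= start) and (not end or it["date"] <= end)
                and (not entity_kind or entity_kind in kinds)
                and (not keywords or any(kw.lower() in it["body"].lower() for kw in keywords)))
    return [it for it in items if keep(it)]

def link_graph(items, entity_kind="card"):
    """Tally sender-to-recipient edges carrying the entity, and the sources each value appears in."""
    comms, sources = Counter(), defaultdict(set)
    for it in items:
        values = {v for k, v in extract_entities(it["body"]) if k == entity_kind}
        for v in values:
            sources[v].add(it["source"])
        if values:
            comms[(it["from"], it["to"])] += 1
    return comms, sources
```

`comms` is the edge list for the "who is emailing card numbers to whom" network diagram, and `sources` shows the SMS and both mailboxes linked by a single card once the separators are normalised.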
Link analysis uses technology to replace the manual process of finding connections between suspects and evidence sources. It automatically tallies and displays connections between people and named entities such as credit card or phone numbers. When applied across a compound case containing multiple case files, link analysis has proven particularly effective in finding connections between seemingly unrelated people and events.

A timeline view, traditionally used for email messages, is also useful for SMS messages, mobile device call logs, instant messages, Skype chats and social media messages. In my experience, many people say things in instant messages that they would avoid in email. This may stem from the belief that these formats are not as rigorously logged as email. But from the investigator's perspective, advanced technologies make these communication formats just as permanent and searchable as email.

/ What About Forensics?
Investigators and forensic technicians may be asking themselves, "But what about forensics? Will any of this stand up in court?" The techniques I have discussed do not eliminate the need for forensic analysis, particularly in the areas of provenance and authenticity. However, the volume of evidence in most cases makes it too time-consuming to conduct deep forensic analysis on every data source. As a result, in-depth forensic analysis must become the exception rather than the rule.

Budget issues are an inevitable part of law enforcement, and they make it especially hard to solve the issues the Chief Inspector of Constabulary identified in relation to the speed of digital forensic analysis. However, the recent Home Office findings about the benefits of using ediscovery workflows in digital forensic investigation are part of the answer.
By re-examining how they handle, process and review digital evidence, how they utilise their human and technological resources within the investigative workflow, and how they maximise the value of information and intelligence within a case, law enforcement agencies can start to fight back and address the challenges of policing the digital crimes of today, even with the budget of 10 years ago.

/ REFERENCES
1. State of policing: the annual assessment of policing in England and Wales 2013/14. The 2014 State of Policing report from Sir Thomas Winsor, Her Majesty's Chief Inspector of Constabulary. http://www.justiceinspectorates.gov.uk/hmic/publication/state-of-policing-13-14/
2. Police cuts are here to stay, says head of watchdog. http://www.bbc.com/news/uk-30671127
3. eDiscovery in Digital Forensic Investigations. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/394779/ediscovery-digital-forensic-investigations-3214.pdf

/ Author Biography
Paul Slater has over 20 years' experience in investigations, digital forensics and ediscovery as a police officer and consultant. He has an MSc in Computer Forensics and started his career in forensic technology as a computer forensic investigator in the UK's Greater Manchester Police. Slater has been a senior manager within PwC's and Deloitte's regional UK Forensic Technology teams and has served as interim head of the Digital Forensics Unit in the UK's Serious Fraud Office. He was also a member of the review board for the 2012 update of the UK Association of Chief Police Officers' Good Practice Guide for Digital Evidence.