Key Strategies for Balancing Investigation Time and Quality
Digital Forensic Investigators face an ever-increasing number of cases, each consisting of devices storing an increasing amount of data. Unfortunately, the number of hours in the day has remained the same. ‘Being busy’ is no excuse for reducing the quality of work when performing digital examinations.
In a recent episode of the FTK Over the Air Podcast, Brett Shavers, former investigator and author of the book DFIR Investigative Mindset: Placing the Suspect Behind the Keyboard, Volume 2, shared some tips with me on balancing the quality of work and time. While the word “suspect” may imply a law enforcement perspective to investigations, it is not just law enforcement that is carrying heavy caseloads.
Historically, corporate Incident Response teams’ primary focus has been to stop the breach and return to “normal”. Updated CISA and NIST standards for Incident Response playbooks and frameworks now include requirements for forensic investigations to be conducted. This will likely increase the workload on corporate forensic teams. Balancing time during an investigation
Prioritize Cases Based on Importance and Urgency
One of the first steps in managing investigation time and quality is prioritizing cases. Brett emphasizes the importance of using an internal priority matrix to determine the urgency and importance of each case.
“Importance” and “Urgency” are two words that corporate incident response teams are very familiar with, and they might be the two words that define their whole workflow paradigm. Corporations are typically good at documenting these types of policies and procedures. However, if you as the reader are in the Law Enforcement space and do not have a written policy dictating case priority, this is a great time to create one.
For example, a missing child case would naturally take precedence over a less urgent matter, such as a harassment incident that occurred a year ago. This prioritization helps investigators allocate their time and resources effectively, ensuring that the most critical cases receive the attention they need promptly.
Focus on the Mission of the Case
Staying focused on the mission of the case is the next key strategy. The mission might involve locating a missing person, identifying a suspect, gathering evidence for litigation
“When you show everything, you show nothing.” - Brett Shavers
This insight underscores the importance of being selective and precise in presenting evidence, ensuring that the most relevant information is highlighted. Avoid the pitfall of over-collecting evidence, which can dilute the impact of the findings. By focusing on the mission and not getting bogged down by extraneous details, investigators can maintain the quality and integrity of their work.
To effectively focus on the mission, Shavers says examiners must “...know what is evidence, why it is evidence, and how do we verify it’s evidence. How is it going to be admissible in court, and how could it be argued against in court.”
Be Open to Discovering Additional Relevant Information
While it's essential to focus on the primary mission, investigators should also remain open to discovering additional relevant information that may emerge during the investigation. This openness can lead to discovering new crimes, identifying key characteristics of a breach, or uncovering other critical pieces of evidence that were not initially part of the investigation's scope.
By being open to new findings, investigators can adapt their strategies to address emerging issues or evidence. This adaptability ensures that they are not solely focused on their initial hypothesis but are also considering other possibilities that could significantly alter the direction of the investigation.
Conversely, being closed off and over-focused on a single mission objective may lead to errors related to perception or bias. Peer review
Conclusion
Balancing investigation time and quality is a critical challenge faced by digital forensic investigators across various industries. Maintaining a clear focus on the mission, prioritizing cases effectively
Whether in law enforcement or corporate incident response, these principles help ensure that investigations are thorough, accurate, and timely. Ultimately, the goal is to uphold the integrity of the investigation process, ensuring that justice and truth are served efficiently and effectively.
How Exterro FTK Can Help
While it is important that investigators invest in their own ability to work as quickly as possible without sacrificing quality, it is just as important that the software used to analyze data does as much of the work for the examiner as possible. FTK 8.1 has introduced Entity Management, which minimizes the work necessary for grouping chats per individual, making it easier to investigate conversations between individuals.
About the Author
Justin Tolman has been working in digital forensics for 12 years. He has a bachelor’s degree in Computer Information Technology from BYU-Idaho and a master’s degree in Cyber Forensics from Purdue University. After graduating he worked as a Computer Forensic Specialist with the Ohio Bureau of Criminal Investigation and currently works as the Forensic Subject Matter Expert and Evangelist at Exterro. Justin has written training manuals on computer and mobile device forensics, as well as (his personal favorite) SQLite database analysis. He frequently presents at conferences and on webinars, produces YouTube content, and hosts the FTK Over the Air podcast.