While the amounts of data in typical digital forensic cases today are a lot different than they were several years ago, the amount of time most investigators have to do analyses has not changed.

Below are seven strategies that will help investigators save time and be the most effective in their analyses.

  1. Make a Plan

When an investigator first gets a case, there are a few questions they should ask themselves:

  • What are the case objectives?
  • What information do I know about the evidence?
  • What are the operating systems and filesystems?
  • What are the constraints?

Most of these questions can be answered while the digital evidence is being processed.  By knowing the background of the case and the type of filesystem up front, the investigator can go straight to the areas of interest once processing is complete.

  2. Know Your Tools

There are a lot of digital forensic analytics tools on the market today and they all perform very differently.  Knowing how long certain functions take to process in your tool of choice, as well as what the minimum requirements are to process a case, can go a long way toward prioritizing what gets done first.

Some investigators are against using checklists because they feel it doesn’t allow them to think outside of the box. However, having a list of go-to artifacts and knowing where they are located can help speed up the analysis. If the tool allows, save templates for different case types so you don’t have to reinvent the wheel every time you start a new case.

Also, never be afraid to reach out to the tool developers.  If something isn’t working as well or as fast as you think it should, definitely let them know.  Most developers love to prioritize user-specific requirements over nice-to-haves.

Cellebrite Inspector has a lot of processing options, as seen in the picture below.  Most of the items do not have to be selected at the start of a case. Some processes, such as “Calculate File Entropy,” take a long time to run. When processing cases where no encryption is expected, you can uncheck it.  If signs of encryption are encountered during the analysis, go back and run that function at that time.

Another time-saving advantage of Cellebrite Inspector is that most of the areas needing review can be reviewed in the tool.  Data can be processed one time with Cellebrite Inspector providing disk view, memory analysis, registry analysis, plist viewing, and database viewing.

  3. Limit Scope Where Appropriate

While making the analysis plan based on case information, the investigator should already have an idea of areas to target first.  The analysis may focus on specific locations (user directories, applications, etc.), files altered during a specific time range, or possibly files by file size.

Filtering and hash sets can also help narrow the scope by removing files that wouldn’t be of interest. Operating system files are a good example.  Once the investigator has the scope narrowed down, the use of tags/bookmarks can help keep things organized from the start and limit the time needed to go back to files that have already been reviewed.
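The scoping steps described above (time range, file size, known-file hash set) can be sketched outside any particular tool. This is an added example, not Cellebrite Inspector code: `triage`, `sha256_file`, `demo` and the sample file names are hypothetical, and the evidence is assumed to be available as a read-only mount or export.

```python
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone

def sha256_file(path, bufsize=1 << 20):
    """Hash in chunks so large evidence files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(bufsize), b""):
            digest.update(block)
    return digest.hexdigest()

def triage(root, known_hashes, start, end, min_size=1):
    """Return sorted (relative_path, sha256) pairs for files still in scope."""
    in_scope = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # unreadable entry: skip, do not abort the pass
            modified = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
            if (not stat.S_ISREG(st.st_mode) or st.st_size < min_size
                    or not start <= modified <= end):
                continue  # cheap metadata filters run before any hashing
            # Hash last: it is the only step that reads the whole file.
            file_hash = sha256_file(path)
            if file_hash not in known_hashes:
                in_scope.append((os.path.relpath(path, root), file_hash))
    return sorted(in_scope)

def demo():
    """Constructed sample tree: one known OS file, one stale file, one lead."""
    utc = timezone.utc
    samples = [("kernel.sys", b"known-os-file", 2024),
               ("old.txt", b"stale", 2019), ("notes.txt", b"meet at 9", 2024)]
    with tempfile.TemporaryDirectory() as root:
        for name, data, year in samples:
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(data)
            ts = datetime(year, 6, 1, tzinfo=utc).timestamp()
            os.utime(path, (ts, ts))
        known = {hashlib.sha256(b"known-os-file").hexdigest()}
        return triage(root, known, datetime(2024, 1, 1, tzinfo=utc),
                      datetime(2025, 1, 1, tzinfo=utc))
```

Ordering the filters from cheapest to most expensive is where the time is saved: files outside the window or below the size floor are never read.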

  4. Decrease The Number of Pictures and Videos to Review

Starting with Cellebrite Inspector 2019 R1, Image Analyzer has been integrated to help narrow down images based on threat categories. There are several categories built into the program that can be used in filters. Categories to date include Porn, Drugs, Extremism, Gore, Alcohol, Swimwear/Underwear, and Weapons.

  5. Use Search Strategies

There are three main types of searches in Cellebrite Inspector.  “Raw searching” can do string searches against the image as a whole or a selected portion of the image.  There is no up-front processing needed, but individual searches can take a long time depending on the size of the image.

“Regular expressions” look for specific patterns of data, such as phone numbers or email addresses. Like a raw search, regular expressions can be run as needed. Pre-configured regular expressions can be run against memory files at any point during analysis.

Lastly, “smart indexing” has been added to Cellebrite Inspector since release 2019 R1. Indexing looks for whole words or terms, while smart indexing focuses on the files containing words and metadata.  As of this writing, indexing is done against allocated files. Building the index takes time, but once complete, searching the index is really quick.
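To show why a raw or regular-expression search needs no up-front processing but scales with image size, here is an added example (not Cellebrite Inspector's implementation) that streams a raw image in chunks and reports byte offsets. `raw_regex_search`, `EMAIL` and `demo` are hypothetical names; the overlap is assumed to be at least the longest possible match so that hits straddling a chunk boundary are not lost or truncated.

```python
import io
import re

# Bounded quantifiers cap a match at 343 bytes, below the default overlap.
EMAIL = re.compile(rb"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,24}")

def raw_regex_search(stream, pattern, chunk_size=1 << 20, overlap=512):
    """Return [(absolute_offset, match_bytes)] for a pattern over a raw stream.

    overlap must be at least the longest possible match, so a hit that
    straddles a chunk boundary is seen whole in the next pass.
    """
    hits, buf, base = [], b"", 0  # base = absolute offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        at_eof = not chunk
        buf += chunk
        # Before EOF, defer anything starting in the last `overlap` bytes.
        limit = len(buf) if at_eof else max(len(buf) - overlap, 0)
        consumed = limit
        for m in pattern.finditer(buf):
            if m.start() >= limit:
                break
            hits.append((base + m.start(), m.group()))
            consumed = max(limit, m.end())  # never rescan inside a reported hit
        if at_eof:
            return hits
        buf, base = buf[consumed:], base + consumed

def demo():
    """Constructed 4532-byte 'image'; the first address straddles byte 1008."""
    image = (b"\x00" * 1000 + b"alice@example.com" + b"\x00" * 3000
             + b"bob@example.org" + b"\xff" * 500)
    return raw_regex_search(io.BytesIO(image), EMAIL, chunk_size=1008)
```

Every search re-reads the whole stream, which is the cost an index pays once at build time instead.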

  6. Access and Assess High-Level Information Quickly

Cellebrite Inspector’s reporting capability makes it easy to quickly export reports.  As soon as the data is processed, a report can be generated based on what has been processed.  Communication, Actionable Intel, Locations, etc. can be readily exported to hand off critical information to other analysts that may need it. This can be especially useful when examining mobile devices.

Another way to see high-level information quickly is the Summary tab within Cellebrite Inspector.  Once data has been processed, this screen will show what operating system is installed, how many files there are, and file counts based on the type of file (movies, graphics, email, etc.).

  7. Prioritize Analysis

Many cases have multiple devices. The processing of each item has to be prioritized. Cellebrite Inspector’s ability to provide high-level information quickly can then be used to determine which device(s) to examine first.

“Account Usage” in Cellebrite Inspector helps prioritize items by showing who the current users of the system are as well as showing any deleted users that may have previously used the device.

Summary

Data sets aren’t getting any smaller.  Investigators need to use the information to strategize prior to loading and processing everything in a case.  Know your tool and how it handles a large number of devices.  Where possible, use the tool to help you discover where the best places to start are for specific types of investigations.

Cellebrite Inspector provides investigative leads and actionable intelligence.  Use filtering, tagging, searching techniques, and extracted data sets to narrow your focus.  Finally, make a plan of approach for each type of case, but remain flexible.

Learn more about Cellebrite Inspector.
