By Paul Slater, Executive Director of EMEA, Nuix
Investigators face many challenges when dealing with digital evidence. Digital communication technology enables criminals to operate across jurisdictional and national borders, hide their activities and evade detection and prosecution. Large-scale investigations into counterterrorism and organised crime, for example, can involve data from multiple suspects, each with numerous potential evidence sources that hold ever increasing volumes and complexities of digital evidence.
The traditional forensic investigation methodology of examining each data source individually can never hope to keep up. The combination of slow forensic tools and case backlogs means that by the time investigators examine an evidence source, it may be months old. By this stage much of its intelligence value may be lost.
In search of the truth, forensic investigators know just how important it is to identify, extract and share intelligence. However, it is not uncommon for crucial information to reside outside the evidence gathered for a specific investigation. It may be in a previous or concurrent investigation conducted by the same personnel or someone else. It may be from a different agency, office, location or country. Unfortunately, the ever-growing volumes of digital evidence, coupled with small budgets and a lack of resources, can make the time and cost of sharing intelligence prohibitively high.
If we’re to have any hope of putting together the pieces of the puzzle to understand all the facts, we must be able to identify and share intelligence quickly and easily – both internally and with other stakeholders. Connections between people, locations and events can be crucial to the facts of a case, but aren’t always immediately obvious. It would take superhuman brainpower to correlate connections from a single suspect’s hard drives, mobile devices, instant messages, cloud storage and so on. Multiply this by the number of suspects in an investigation and it becomes impossible.
Investigators can use effective investigation technology to work smarter, not harder. Advanced technology gives investigators a shortcut to find hidden connections across large volumes of evidence and multiple jurisdictions, by extracting and correlating intelligence, and visually representing and analysing data. Investigators can then implement workflows to effectively share actionable intelligence with other agencies or investigations.
Here’s how technology can be applied in the right places to make this happen.
Using the traditional digital investigation model, investigators must take time to manually compare intelligence items across each evidence source. Advanced investigative tools use a “named entities” model to extract intelligence items that follow a particular pattern of letters and numbers. Such items may include names, countries, sums of money or credit card or passport numbers. Using technology intelligently allows investigators to see instantly which suspects have those items in common across all the evidence sources in the case. Using techniques such as timelines and network diagrams they can also identify who shared what, with whom and when.
Investigators can easily compile lists of relevant names, email addresses, phone numbers and bank account numbers, and search any available evidence sources for those intelligence items. These can also be securely shared with other agencies, who can then enrich their investigation by quickly searching their case files for the same items to see if any connections emerge.
Visually representing large volumes of data is a highly efficient way to locate the key facts and connections within the case. It also gives people a way to follow a hunch or idea down to very specific details in seconds – even if they have limited technical knowledge.
For example, an investigator could filter an entire evidence set to just display email messages within a relevant date range that contain credit card numbers. If that returns too many results, they could use other techniques such as keyword searches to further filter the evidence. These results can then be quickly visualised using a network diagram to see who is emailing sensitive material to whom.
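As an added illustration of the named-entities model and the filter-then-visualise workflow described above (example code, not Nuix's or the author's): pattern-based extraction of card numbers and email addresses, a check that weeds out random digit runs, correlation of entities across evidence sources, and the sender-to-recipient edges a network diagram would draw for emails in a date range. The evidence records, source names and regular expressions are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample evidence (not real data): one artefact per record, tagged with its source.
EVIDENCE = [
    {"source": "laptop_A", "kind": "email", "date": "2014-03-02", "from": "alice@example.org",
     "to": "bob@example.net", "body": "Use card 4539 1488 0343 6467 for the booking."},
    {"source": "phone_B", "kind": "sms", "date": "2014-03-05", "from": "+447700900123",
     "to": "+447700900456", "body": "card is 4539148803436467, passport X1234567"},
    {"source": "cloud_C", "kind": "email", "date": "2013-11-20", "from": "carol@example.com",
     "to": "alice@example.org", "body": "Ignore 1234 5678 9012 3456, it fails the check digit"},
]

# Pattern-based "named entity" definitions: 14-19 digit runs (spaces/dashes allowed) and email addresses.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def luhn_ok(digits):
    """Luhn check-digit test; most random digit runs fail it, so false positives drop."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def extract_entities(text):
    """Return a set of (kind, value) entities found in text."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.add(("card", digits))
    for m in EMAIL_RE.finditer(text):
        found.add(("email", m.group().lower()))
    return found

def correlate(records):
    """Entities that occur in two or more evidence sources, mapped to those sources."""
    where = defaultdict(set)
    for r in records:
        for ent in extract_entities(" ".join((r["body"], r["from"], r["to"]))):
            where[ent].add(r["source"])
    return {ent: srcs for ent, srcs in where.items() if len(srcs) > 1}

def email_edges(records, start, end):
    """Sender->recipient pairs for emails dated within [start, end] that carry a valid card number."""
    return {(r["from"], r["to"]) for r in records
            if r["kind"] == "email" and start <= r["date"] <= end
            and any(k == "card" for k, _ in extract_entities(r["body"]))}
```

The edge set returned by `email_edges` is the input a network-diagram tool would plot, and the output of `correlate` is the list of shared items an investigator would pass to another agency to search its own case files.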
By setting up an investigative lab, and changing investigation workflows, investigative teams can easily share evidence with those who need to see it – irrespective of where they are.
The first stage of this process involves the investigative team assembling all available evidence – including forensic images, email and mobile phone communications – into a single location. Once processed, the team can then divide up the task of reviewing the evidence between multiple investigators to complete the task faster. It can also be a way to distribute different types of evidence to the people most qualified to understand it and its context. For example, investigators could pass on financial records to forensic accountants, Internet activity to technical specialists or suspect images to specialist child protection teams.
Larger law enforcement agencies, advisory firms and businesses are already using this model to set up centralised evidence processing facilities that can provide access to the results to any desktop across the organisation.
What about forensics?
The above techniques allow investigators to apply technology where it is most suited, free themselves from tiresome menial work, make the best use of their brainpower and intuition and effectively share relevant and actionable intelligence.
These techniques don’t eliminate the need for forensic analysis, particularly in the areas of provenance and authenticity. But because the volume of evidence in most cases makes it too time-consuming to conduct deep forensic analysis on every data source, in-depth forensic analysis must become the exception, not the rule.
Using these techniques is a faster and more efficient way of identifying the evidence sources that contain the data required to prove or disprove the case. The investigative team can then pass a small number of evidence sources back to digital forensics specialists who now have more time to undertake the deeply technical and in-depth analysis needed to satisfy courts and authorities.
About the author:
Paul Slater, Executive Director of EMEA, Nuix
Paul Slater has over 20 years of experience in investigations, digital forensics and eDiscovery as a police officer and consultant. Slater has an MSc in Computer Forensics and started his career in forensic technology as a computer forensic investigator in the UK’s Greater Manchester Police. Slater has been a senior manager within PwC’s and Deloitte’s regional UK Forensic Technology teams and has served as interim head of the Digital Forensics Unit in the UK’s Serious Fraud Office where he implemented workflows that enabled them to process 20 times more electronic evidence each year. Slater was also a member of the review board for the 2012 update of the UK Association of Chief Police Officers’ Good Practice Guide for Digital Evidence.