Digital Evidence Review and Collaboration: A Roundtable Discussion

Kim Bradley: Welcome to this panel discussion on digital evidence review and collaboration. I’m Kim Bradley and with me today is Jessica Hyde, John Pizzurro, and Joshua James. Thank you all for being here.

Jessica, John, and Joshua: Thanks again.

Kim: So let’s get our discussion going. Joshua, I want to ask you first. Tell me a bit about your thoughts on digital evidence review.

Joshua: Coming in, digital evidence review obviously is extremely important and from a digital forensics laboratory perspective, one thing that we use quite often are portable cases. So for example, from AXIOM, exporting a portable case from… for example, if we’ve been tagging something that’s responsive to whatever it is that we’re investigating and then using tags as a filter to just export things that are immediately relevant to that case, we found that extremely useful for exporting and then giving to whichever stakeholder actually needs that output and to be able to actually review.

So, we probably use portable cases more than anything else to provide, for example, to a prosecutor, for example, who’s asking for a little bit more than what you would get in a static report.

So definitely portable cases are beating out the static report in terms of what they can search for, how they can filter, how they can go deep into the data and actually conduct their own kind of search and a little bit of analysis in there. So for reviews, I would say we mostly use portable cases.

Kim: Okay. As opposed to your typical reporting type features?

Joshua: Yeah. We’ve been, like I said, it’s just so much better than a static 100-page PDF that they have to search through. And we tend to get a lot fewer questions afterwards because they can kind of answer their own questions with that portable case. So I’d say, yeah, overall it’s been a positive experience with using portable cases.

Kim: Jessica, tell me your thoughts.

Jessica: You know, I love something that Josh said there. I love that he stated that he filters and delivers a subset in a portable case. Because I personally have worked with portable cases, not just AXIOM portable cases, but a lot of tools have this concept where you can do an export and use that to share.

And I’ve done it under a variety of circumstances, everything from with analysts to subject matter expert stakeholders, like, I’ve given chemistry people things that I didn’t understand when I was working cases that had to do with bombs and such.

But I am very concerned sometimes with when the entire case is handed over. So sometimes I’ve seen examiners export the entire case instead of a subset. And that sometimes leads to some potential for misinterpretation because there might not be an understanding of nuanced artifacts, what timestamps mean, and that sometimes can lead to incorrect assumptions on the part of the investigator.

Because at the end of the day, they’re not the examiner and it really is our job as the digital forensics examiner to provide that technical context, whereas they might be providing the subject matter context. I don’t understand all the nuances of the investigation, they don’t necessarily understand all the nuances of the technical details. So personally I always prefer to be a little bit more collaborative with the stakeholders that I’m sharing such content with.

One of the things that might happen in a portable case is they can tag and write comments and then I can share and integrate that back in. But it differs on scale. It’s a one-to-one product, so it gets weird if you’re sending out a portable case to multiple people, things aren’t in real time.

And I prefer something where I can work in real time, but then my largest concern specifically with using the portable case format or exports from other tools is exactly that the format of each is unique.

So with a PDF or an HTML, and I actually really like the concept of working in a web interface because all of our stakeholders know how to do that. When they’re working on a specific product, they might not be familiar with how to find things, how to tag, what are the shortcut keys that we as folks who work in those tools use.

And also, if they’re getting resources from a variety of devices and they might be getting it from the mobile extraction tool, they might be getting a report from Axiom, they might be getting a report from another source.

Working with that data in all of these different contexts is sometimes difficult for people who don’t work in that day in, day out, right? It’s our job to know our forensics tools and to work in them. So sometimes I definitely see the value of the portable case so much better from a collaborative perspective and from being able to dig into the data and for us to see what they’ve tagged and looked at when they share back the case, much better in terms of that collaboration.

However, I think there are still quite a bit of difficulties with the format. Then there’s the more technical difficulties. So how do we share these things? So I know what happened in my labs, but I’d love to know how you folks share a portable case, cause I get worried sometimes about those methodologies about moving data.

And then I’ve definitely worked with folks who have trouble opening a portable case because their admin privileges don’t allow them to receive or to utilize the portable case format because they don’t have admin privileges or some other reason on their box. So I’d love to know how folks deal with that.

Joshua: Do you mind if I follow up real quick? So there was one thing I absolutely 100% agree with, Jessica, and that is the full case export for a portable case just doesn’t make any sense. So, I mean, I didn’t even think about that because I’ve never thought about doing that. You know what I mean? So…

Jessica: I’ve seen it.

Joshua: So absolutely, full case export is not what portable case is for. In terms of how we share the data, yeah, it’s disks and DVDs and then we hand it over. And that’s definitely problematic.

But in terms of people having issues with it, at least from my experience, like, I can totally see where it would come from, especially admin privileges on somebody’s system, we specifically bring in the stakeholders if we can and then try to provide a little bit of training. And so far we haven’t had any issues too much with that.

Of course, the interfaces, you’re exactly right. Like, depending on which tool you’re providing the portable case from, it could be a different interface and then how do you tag and things? So I totally understand that there is a training aspect absolutely to portable cases.

And I think John might actually have something to say about that too, cause I’m pretty sure I know where he’s going to go with this. So thank you so much for that.

Kim: So John, can you tell me a little bit about that collaboration?

John: So you mentioned scale, right? So, what’s our big challenge today, is the amount of investigations, right? And I throw this up here, like, everyone has one, right? So there is not one investigation today that does not have digital evidence. It’s almost impossible to find, right?

So I know when we’re talking about thumb drives and we’re talking about CDs and DVDs and do you know the amount of prosecutors that have lost DVDs in evidence that I’ve had to actually then redo it and then sit down with them? So, when you’re talking about collaboration, you know, that’s part of it, right? So, the ease of access.

So, what I like, you know, from me running a task force, let’s say 200 people or having running an organization where I had homicide detectives, gang detectives, narcotic detectives, is the ability for people to really look at their evidence and take, how do you put ownership of their case rather than going to Jessica or Joshua or Kim saying here, just give me everything, right?

So you give them everything and then they come and they ask you, you stop whatever examination and forensic stuff you’re doing now and have to sit down. So what’s more efficient, when all I really need for me as an investigator, is really just to look at the chats or just look at the photos because they’re going to mean something, or really look at the email.

So I think from that collaboration standpoint, that’s what reviewing digital evidence is all about. And from a web-based portion, it makes it easier.

And when you talk about tagging, you go to audit logs too, at least with the portable case. I don’t know who’s looking at it, I don’t know granted, how many people are having it, but at least with an audit log, I can have everyone who had access to it, what they tagged or let’s say from a prosecutor’s standpoint where you have attorneys in the cases like instead of having a taint team, I can actually mark things as privileged.

So I think the ease of it is where we have to go because of the amount of data. So I think that’s really in essence, what we kind of need to do just from an investigation standpoint, even, you know, you’re the forensic experts, but you know, from me just looking at it, how do I review the evidence, all the digital evidence, how do I get what I need to prosecute to actually find additional victims, the ease of it and lessen the burden off the forensic folks who have to spend so much time burning, you know, extra media in order to talk to them? So…

Jessica: Can we talk about some advantages of web review as a concept, as opposed to portable case exports?

Kim: Absolutely.

Jessica: Because John brought up some great points. And one of the things that I love about web review actually goes to John’s original point, and that’s scale. I’ve worked cases with hundreds of pieces of evidence on one case. You know, you have a big cache collection on scene and you have 120, 200 pieces of evidence from one case. Some of these collectors, they’ve got a lot of content.

And when you’re talking about looking at all of that content, if you are working with multiple investigators who have that contextual analysis or working the case, it is much preferred if everyone’s working on a platform where in real time you can see who’s working on what, different people can get segmented different portions, but also as the digital forensics examiner, as things get tagged for you to provide more collaboration and context to, you can then work that in that real-time environment.

And that goes a bit to what Josh was saying in terms of the importance of that collaboration and training. Being in a web platform reduces a little bit of that barrier to entry because everyone is used to working within their browsers and is pretty familiar with that context.

And also reduces a little bit of that interruption point that John was mentioning where you’re already in the flow in another case, because I can go into that at my leisure and work collaboratively in the same case.

One of the things that you do currently with a portable case is the investigator tags, doesn’t export, sends it back, you merge it in, accept the differences, and then you start looking at what they tagged and providing back that nuance. A lot of times as an examiner, the nuance I might be providing back might be attribution.

So maybe they looked at pictures and video and chat messages. And now I have to provide attribution, did the user who was logged in at the time actually look at the picture? And I’m going to be using other artifacts to do that.

Working in a collaborative platform allows me to now tag and share those things and make those elements apparent and then provide my comments as to the context.

And one of the things I really like that winds up being a problem is I know before we spoke about how, in a portable case, you give the subset, so you don’t provide this problem with data that is nuanced, et cetera. If I’m in a web review platform and I do have a link file or a shellbag or a jump list, which the investigator might not be familiar with, but I’m now using it for attribution, I can now tag that comment and put that in its right context so that when they now produce their report or their next step, it includes that artifact without them having to find it.

And that collaboration being done in a platform where the folks can work asynchronously, but in a synchronous contextual environment I think just allows for better collaboration and communication between the examiner and the investigator.

Joshua: I was thinking about how would you do that with portable cases, for example. And I think the only way you can get those kind of comments is from an external report along with the portable case. So yeah, I totally agree that’s a limitation. Do you want to add something?

I have a question for both of you actually, and I think it’s going to be a good one. So you were talking about auditing specifically and the issue that is absolutely going to come up, like, everything you’ve said about the specifically web-based collaboration platforms, right?

People can come in real time, there is an audit log within whatever system you’re using. But in our lab, for example, right now for our entire county, we have one full-time digital forensic investigator in the lab, okay? And then they have like one person in the IT.

So for a system like online collaboration, how do you develop it in a way where you can make sure that not only the system, but the platform that you’re running out on is secure that way you can ensure that that auditing for your entire system is actually secure?

Because you talked about scale. Well, putting things on the internet is great for scale, but it’s also great for attacks. We know that. So you have the security issue coming up with portable cases on a DVD. If one prosecutor unfortunately loses it, you know, one person maybe sees it. It’s hard to say. If you get a leak out of your entire system, that could be a problem.

So you guys are obviously using some type of collaboration system, we’ve thought about it at least internally first, so that way we can actually completely secure all of our systems, but then what you’re talking about actually is starting to open that up to external stakeholders, as well. So do you have anything to say about that? Because that would be my major concern, I think.

Jessica: So I’m going to start with the comment of, “It depends.” It depends who your stakeholders are, it depends on your environment. There is more than one way or more than one limitation as to where you can put content in a web-based review platform.

Now, when we say web-based review, it does not mean that it is necessarily on the public-facing internet. Web-based review means that it’s working in a browser, and there’s a big distinction there. So it could still be an on-prem server solution for a lab that…

Joshua: And that’s what we were looking at. So yeah, okay.

Jessica: But it could also be gov cloud, right? So, and different states have their own gov clouds, different organizations have their own gov clouds. And oftentimes folks who are part of the analyst team or the investigator team are maybe also employees of that same greater organization, be it at state, the federal government, et cetera, who may still also have access to that same private cloud infrastructure. And I think the important thing is this is private cloud infrastructure.

John: And a matter of fact, just to add to that, Jessica, it’s like if a procedure is compliant…

Jessica: Exactly.

John: I mean, there are all those parameters that are put in place by governments. So, in those instances, you’re talking that it’s already being used in a secure fashion. So I think that’s important to realize as well.

Jessica: And to be honest, it’s going to be on the same network where your case data and your notes already are, right? You’ve already got those things digitized. It’s just, in what way are people sharing?

Now we are talking about sometimes sharing things with external folks. Now you do have multiple choices. You had mentioned bringing folks into your lab. There are definitely sensitive content areas. And I’ve been in labs where you have viewing stations that are meant for sharing sensitive content.

But you may also have other content where you can, through permissions, allow somebody and, you know, many of the cloud architectures are excellent for this, where you can give a specific person a time-based and credential-based access to a specific case and then each case then additionally can have different restrictions.

The same case in some web review platforms will even allow you to have privileged and non-privileged content. And to be honest, this is being done in the e-discovery realm today with how data is shared in TAR platforms, [technology] assisted review platforms to span multiple attorneys who are then reviewing content for what is a part of and not part of responsive and non-responsive to a specific proceeding or scenario.

So those challenges in the legal world, I think, are currently being mitigated by existing technologies and processes and procedures that already exist. We’re just applying them to a new…

John: And I think to that point, there’s a lot of people, this is kind of funny. It’s like, I’ll talk to some individuals and they’ll say, “Well, we don’t use the cloud.” And I’m like, and I look at their body cameras and they’re like, “Oh,” and then I’m like, “Well, what happens to the data there, right? Well, it gets uploaded.”

I’m like, so what happens is with evidence, because especially in law enforcement, we’re so used to how we keep everything in a file cabinet, in a locked cabinet. And that is our, how do you put it? That’s what our thought process was, because that’s how it was.

But we don’t realize that we are actually the amount of data, it’s just a different container, right? So it’s not necessarily your locked evidence room, but it’s just secured in a different way.

And I think part of the challenge is that a lot of like, law enforcement agencies don’t understand security, they don’t understand the cloud and they don’t understand that secure aspect of it.

So I think that’s something some people really need to understand, because again, it comes down to scale. If we’re going to scale, we need efficiency and we need to leverage what technology we have because of the amount of data we have.

Kim: So if I’m understanding what you all are talking about, scaling in a way from the amount of data that needs to be reviewed, one, right? But then also scaling with the access that you’re actually going to give to folks and how you’re going to leverage that, as well.

So not only are you looking at these review platforms to assist, but also to just to get the data to folks, but also maybe even give those limitations so that it’s a little bit easier for you to feel comfortable maybe with them being able to get access, like you said, the time limits, or maybe it’s a matter of credentialing.

Or John, you mentioned about audit logs. Maybe having all of those things in place in order for you to be able to do your checks and balances, or be a bit more comfortable from a system standpoint. Is that right?

Jessica: I would say yes, but I would say one of the other things here that John brought up that I really like is there’s this essence of ensuring that the IT departments are getting smarter, that they’re understanding that this should be in an environment that’s compliant with CJIS, right? That’s the standard for the criminal justice system for sharing information, the same way they would share your DMV records.

But having those controls in, if you are just going out and going, “You know what? I’m going to spin up this AWS instance or this Azure instance, what have you, and I’m going to throw my evidence in there.” Well, do you understand the settings? Do you understand the credentialing? Do you understand, and so that’s the big difference between going out into the public cloud or using your own private cloud, especially if you’re in a jurisdiction that already has one.

Now you may be in a jurisdiction that does not already have a private cloud, and now you might be talking about how, do I use the public cloud and make it more secure? And this really comes down to IT departments within organizations getting smart on security of data in the cloud.

But the other point is this can grow over time. We’re talking about scaling. When we’re talking about scaling, we talk about starting at one step and then growing incrementally to other steps. So initially you may start your organization on an on-prem solution, and then you may go, “You know what? We want to give access outside of our internal intranet and to everybody who has access to our localities network, but we want to limit those controls to only certain users.”

So then you might go into your private cloud, and then you might be thinking about now, how do I share with my external stakeholders who are outside of that?

And those can all be steps to that scaling process, as you are not only your forensics department thinks about how it’s interacting within the organization, within its greater locality, and then with the community at large, but how your entire organization, your law enforcement organization, your private corporation, even, right? Like, how organizations are approaching that scalability.

And that just has to do with the maturity of the security knowledge and information and decisions that are happening within your organization’s IT department.

John: And, you know, you mentioned that, Jessica, one of the challenges is that law enforcement has like, each agency has their IT department, they have the investigations department, and they’re siloed and they don’t talk or collaborate whatsoever.

Because the, it is just looking at it from an IT perspective, law enforcement or the investigation forensics are looking at it from a different perspective. So I think that’s a challenge as organizations grow. There has to be a lot more communication between the IT department and the investigations in order to in essence come up with a real viable solution.

Kim: You’re exactly right. Joshua, I want to hear what you have to say, but also John, just curious on if you’ve heard from folks who have found that maybe when they start talking to the IT department that then maybe they might be a little more comfortable with some of these cloud solutions, since like you said, the data’s already out there in the cloud, right?

John: Yeah, and I think that’s part of it. I think the IT people really don’t understand the investigation evidence aspect. And so no one has that conversation between them.

So I’ve seen that in a lot of different organizations, the organizations that usually thrive are the people that went from like that investigation section who actually was there and did the forensics who ended up in their IT department and normally you already have that cross collaboration because they were on both sides of the fence or vice versa.

Kim: Joshua?

Joshua: I was just going to add that you know, we’re coming from the lab side, it’s coming from a culture of nothing gets connected to the internet. You’re very lucky if you get connected to a network, an internet, right? So it’s really a culture change that needs to happen within the forensic lab, as well as the discussion with IT. So, yeah. I’d say it’s culture, as well.

Jessica: So, there are technological things here, right? I’ve worked on what’s referred to as “dirty” networks before, right? Because we knew that our evidence was full of contraband, our evidence was full of malware, et cetera. And we worked as forensics examiners on a dirty network.

Now, there is this concept of you can move the contents that you would normally put into a portable case via your review platform and have that content move from a so-called dirty network, disconnected from the internet, completely isolated just for your forensics department, to another network where people have this ability to review the evidence that they should have access to.

So, I’m not saying you bring the whole world to your dirty network. I’m saying you take out the specific elements of your dirty network and put them out to the appropriate people who should be reviewing your evidence.

And I think you’re right; it’s a culture shift for both. And I remember in my labs, sometimes there was a little bit of separation, because we kept this whole, we don’t want anything connected to the network.

We sometimes avoided our IT departments. Sometimes it was because of the levels of permissions we needed on boxes that we wouldn’t get on our organization’s network, but we could have on independent machines, or then we’d be setting up little impromptu networks just for the forensics examiners that were outside of maybe the purview of the IT department.

All of these things in the real world, they happen. And sometimes it’s, we in our minds as labs already created an adversary relationship, even if it didn’t actually exist with our IT departments.

And likewise, our IT departments with us, “Oh, there’s those forensics people. They think they know computers better than we do. And we’re trying to protect the organization and they go and do their own thing.” Right?

So I think sometimes we get that in our head that those relationships exist when really what we need, ironically, we’re talking about collaboration. What we really need is collaboration and understanding between those departments.

Some of the best success I’ve had is when I worked in organizations where the forensics team grew to a point, and what I’m saying is that it doesn’t necessarily need to be a forensics team that grows to this point, that they wound up needing their own IT just for the forensics team, cause they were working isolated from the other IT infrastructure. What I’ve seen in those instances is a quicker adoption of technology.

Joshua: Other than just growing so much that you need your own IT team, what, like, I’m thinking about how like the labs I’ve seen, how the forensic investigators worked and everything you said, like, I’ve seen several times over, how do you start that conversation? How do you start that culture shift?

Jessica: That’s a fantastic question. To be honest, I think this is one of those moments where you need to look at the culture in your organization and say, in this organization, and I think this differs in every organization based on structure and to be honest personalities, is this something that works better if we have an examiner talk to a, you know, a systems admin? Is this something better where in our organization, the two chiefs talk to each other?

And that’s going to be different in every organization. Is it better in our organization that the team lead of the forensics team talks to the team lead? It’s going to depend on existing relationships, it’s going to change on culture, it’s going to really vary and depend.

But the important thing is to get those conversations going, and probably the best thing to do if you’re on the forensics team is start having that conversation within your leadership:

“Hey, we think that maybe we should be collaborating and coordinating with IT more because we would like to do some more advanced things that will save us time, allow us to get through our backlog quicker, by collaborating better with investigators, and what is our best game plan in our unit in order to be able to start that collaboration with IT so we can get to that point?”

John: And part of it is kind of lowering your ego on both sides from the IT and the forensic department. I think that’s where that has to really start from.

But you brought up something I just wanted to add. So contraband, right? So CSAM, like, CSAM is a big thing and that’s what freaks people out, you know, as far as the cloud. But if I am, let’s say, sending a submission to NCMEC, it’s not like I am physically bringing that picture with me and driving there, right?

So when we’re talking about those images, everything right now in that data, so from a security standpoint, I think that’s part of the challenge too, because people are really worried about, you know, storing CSAM in the cloud.

But as far as my definition and what I look at things, if you are in a compliant system and you have additional evidence there and you have all the safeguards in place, what are your thoughts on that?

Jessica: John, I think that you bring up a great point and we really should start drafting, maybe a combined brain list of all of the different ways in which we already are doing this, right?

We mentioned, you know, you’ve got your body cameras that data’s already going to the cloud. You’ve got your cyber tips that you are already sending directly to NCMEC. And I think as we talk about these, what, where is your evidence already being stored? How are you sending off your gold copies of your evidence?

As we start to talk about these other examples, it may make people realize that these are technologies that they’re already using and that precedent is already there. And how do we follow those same steps and procedures to ensure the same level of security? And maybe we should start brainstorming on that cause I think it might help people.

John: Yeah, cause I think that’s the biggest challenge in coming from that world, people can’t go on the cloud. And it amazes me that we all do this, right? We come up with something where it works here, but we keep that thought years later.

You know, like in the state police, we still have laws against horses turning right or turning left or whichever arm you’re going to have to write, right? We’re not using horses anymore, but the point is that I think as we progress as data progresses, I think that it’s not just having the culture shift, the conversations, but the thought process, look, we’re already doing that. So how can we make sure and ensure that it continues to happen in the right way, right?

Jessica: Absolutely.

Kim: John, I wanted to ask you a bit about maybe some strategies for budgeting such systems like this and if you have anything that you might be able to share with us.

John: So here’s the interesting thing. The state grants, for example, which amazes me is that there’s $1 billion last year in state grants for narcotics, right? And I think there’s $29.5 million for child exploitation. But because of that money, no matter what you do and what crime you investigate, it still has a nexus on digital evidence.

So, when you’re talking about budgeting and getting additional money, those are the things that you need to kind of look at. Because even when you’re talking about, let’s say fentanyl, that’s a big challenge, but who’s actually processing everyone’s phone of the overdose of the victims of the suspects, right? It’s the forensic folks, right? And where’s that data?

Now, let’s go on hot points. Let’s go on shootings. Let’s go to Chicago or New York or wherever and we’re looking to find where actual shootings are. Again, that’s cold-case homicide money or violent crime money or UASI which is the Urban Security Initiative.

So I think in anything that we actually do, there’s a nexus to digital evidence. So no matter what the grant program is, there is a carve-out really for this type of software because it’s needed. It’s the only way we’re going to be able to investigate and solve cases.

Jessica: I think John brings up a really good point because a lot of times, it’s one forensics team is supporting all these different types of investigations and the forensics team might be getting stressed to spend their time and their investigation hours and time on homicides.

But the fentanyl department may have money and actually aren’t getting serviced properly by the forensics department because of the amount of evidence. If they bring in a web review platform, they may be able to do more self-service on their cases and hence be able to work their cases faster.

So it really does, I never really put that together, John, until you mentioned these specific buckets of money for these cases, but for the folks who are doing fentanyl cases, if you’re in a situation where your cases are just being deprioritized, introducing a web review platform might help get your cases where you are functioning on them.

Especially if you’re able to introduce automation on top of that, so the processing is going directly to you in a web review, you might be able to do more self-service and then only go back to the forensics team when you have that attribution question or that technical question, because you’ve already done the contextual investigation. And flipping that order on its head of who starts the analysis can help different teams get serviced quickly.

John: And putting my leader hat on, it makes my people more efficient, right? Because especially automation, we are handling more cases. And I think that, you know, it’s, how do you put it? Working smarter, not harder, so to speak.

So, and I think from that funding perspective, like, people look at the covered grant, oh, that’s the only thing for our labs, but you look at all this other money out there. And just to me, I can’t find anything from an investigation standpoint that doesn’t touch digital evidence, so…

Joshua: Anyone, do you have experience for example, training a narcotics investigator on doing the web review before the digital investigator actually touches it like that kind of scenario? Like what does the training look like for that?

John: Well, and that’s part of it, part of it is there is really limited training in that aspect. So if I’m a narcotics detective, right? You’re just assuming that someone goes out and has the knowledge of what to look for. But again, they don’t know terms like from metadata to anything like that.

Joshua: That’s exactly what I was thinking, yeah.

John: Yeah. They don’t know, but they should know as an investigator that I can get maybe geolocation off of something. I mean, there’s just rudimentary forensics and I think what we need to do, you know, just from an investigator standpoint, if I was starting today and even though I wasn’t a forensic person, I would have to understand rudimentary forensics because that’s where my evidence is coming from.

Jessica: And to be honest, I’ve taught forensics for first responders courses within my agencies that I’ve worked at, I’ve had the pleasure of teaching translators how to be able to find the content that they need that needs to be translated before stuff came to an examiner, because we couldn’t necessarily look at everything.

And those were in labs that had automation procedures in place so that they were already getting contextual elements. I’m not saying that they’re going to understand every little piece of metadata, I’m not saying that they need to understand every file type, that that’s our job. I’m not saying they’re going to be able to recover data off of a broken hard drive with bad sectors.

I’m saying, for the things that we can get the data from quickly, get the extraction, and get the data processed and into a review platform, letting them start the review from a contextual perspective also saves the examiner time, because how many times in my life have I gotten to find everything or find bad, which is almost impossible, but at least if they’re already tagging and telling me what’s important, then I know where to go from there.

Because I don’t know what your bad is, I don’t understand your actor, I don’t understand their group. You’ve spent years studying your area of responsibility, studying your type of crime, studying this particular nefarious actor’s group. I don’t have that knowledge.

John: You know the funny part, Jessica, it’s like this: if I’m investigating, let’s say a homicide and I’m looking for certain photos, I might say, “Okay, you know what? These are the photos I need. Is there any way you can find where this photo was taken place?” That is in essence, the collaboration that we’re looking at.

Jessica: I would love that. And I think that’s what you get when you start talking about collaborating in that way. And so, you know, Josh, to your point from the beginning, with working with portable click cases, we’re flipping the order in I think what we’re describing now.

Instead of the examiner going out, tagging what they think is relevant and producing a portable case, now we’re saying, start the exam with the contextual elements already parsed that we know about, and of course there’s stuff we don’t know about, that’s what the examiner’s going to do. Let them tell you what’s important and then let the examiner dig in from there. Flipping the collaboration, the other direction, I think just gives us all better starting points and saves time.

Joshua: My concern is we also talked about a full case export into portable cases. And I didn’t want to get into that again, just on a web platform. Do you know what I mean?

Jessica: Ah, but we can make our web platforms smart. Let’s have our web platforms instead of surfacing everything, like our forensics tools intentionally do that’s parsed; let’s have our web platforms surface pictures, video, chat, audio files; and let’s also have our web platforms, let’s be smart, we’ve got great technology, let’s utilize AI and machine learning to do probable tagging based on concept.

Joshua: Okay, so it’s kind of like triage, actually. And then hand that triage package over to them and then, I see, yeah.

Jessica: Yes, yeah, that would be the concept, right, of things that they can work with.

Kim: Joshua, could we talk for just a moment? I know that we’ve had conversations in the past about backlog and that there are a lot of laboratories out there that are just having a lot of work.

And can we just talk a bit about how reviews of this nature and also coupling that with AI as Jessica mentioned, but then also with automation, how we could maybe help with that workload? And we’ve talked a bit about this collaboration, but if you could just expand and bring that together.

Joshua: Yeah. I mean, by far, I mean, even without talking about AI and advanced technologies, I think the most compelling thing about this for me, the collaboration platform is the ability to do real-time commenting to actually fit those pieces of evidence together. That’s like, as soon as Jessica said that, I was just like, “Yeah, okay. Like, totally makes sense.”

Even without the sharing, just that bit to give that context, we could implement that internally without having the security concerns as much and it would still be extremely helpful.

Now with John’s idea of potentially funding and working with basically other units, flipping that, being able to do a lot of automated processing, which is what we call triage, we’re basically doing kind of like a triage chain and then what this unit typically needs for their investigations, providing that package to them and then getting that in some way, obviously we’re talking about some sort of collaborative web platform.

But that could even be, I hate to say it, but you could also automate it and then make a portable case and then give it down to them, as well. That would still be extremely useful because then they would be able to review. Now, you’d still miss out on the commenting and that commenting, I think, is going to be the most important thing.

So, as everyone’s saying all of this stuff, like I’m thinking about, okay, here’s the ideal, we can implement all this stuff and it works perfectly. And then I’m like, but my lab isn’t the ideal, you know what I mean? Like, how am I going to implement this and convince people and actually get all of this in place including with working with IT and all these things?

So what I can do in the lab potentially is set up those automation workflows, if we did have whether it’s a web platform or even just an easier way to share files internally essentially, and then provide, for example, different departments the ability to be able to actually do their own initial analysis.

That would already be extremely useful because like, like John and Jessica said, like, they’re going to come back with much better questions than just “Find everything,” which is the problem with most of our backlog. Like, it’s just, “Here’s a computer, we think something’s on it.” And I’m like, “Okay, we have a murder over here. I’m going to go take care of that.” You know what I mean?

So in terms of implementing AI and everything, I still see that as it could be part of IT, but it is essentially in our forensic process anyway.

So implementing advanced AI and automation workflows within the forensics lab, no problem. Like, we can totally implement that and that would help me in my investigations. I’m not just talking about other groups, as well.

But then if we can actually use those chains, use those tools that we could implement to get better results out, customized for the external units, and then they can come back with better questions, I think that would be amazing.

And like, I see much more clearly where web collaboration actually makes sense other than just sharing, because in my mind, I was thinking, “Okay, we can share this out to the prosecutors. Well, I can do that with a link or I can just like, I can do it lots of different ways. Why do I need this web collaboration platform?” but really that real-time commenting and then tagging multiple items and actually giving the context that’s not in a PDF report. I’m just coming back to like, that’s where a lot of value is, actually.

John: I saw a review and I was like, “Oh my God, where’s this been for my entire career,” right? Because running that organization and, you know, from that evidence, and I’m thinking about the DVDs and I’m thinking about sitting with them, I’m thinking about efficiency.

So, you know, from my perspective, when I saw a review, I think it’s a perfect fit. And for someone who’s non-technical like myself who actually went and used it for the first time without anyone teaching him how to do it, right?

So I think it’s important, like, and when I look at the dashboard and the interface, like from an AXIOM standpoint to that, I’m like, “Oh my God, here I go. There are the pictures I’m looking for. There are the texts I’m looking for.” So I think from my standpoint, that’s what I see when I see a review. So I’ll let Jessica and Josh just…

Jessica: I must say, I think Josh very succinctly just tied together the entire process.

John: Yeah, I agree.

Kim: Well, thank you all for joining us here today. This has been a fantastic discussion and thank you all for your in-depth knowledge and your willingness to come on and share with us.

Joshua: Thanks everyone for sharing.

John: Awesome. Thank you so much.

Kim: Have a great day.

Jessica: Thanks all.

Joshua: Thanks. Bye.
