The final piece in the puzzle in a digital forensic investigation
5W1H Part 6: How
So far, our 5W1H series has explored the use of AI-powered tools and techniques (on structured and unstructured data) in digital forensic investigations to build a well-substantiated picture of who is involved in what, when, where and why.
Today, we’re moving on to the final piece of the investigatory puzzle – the all-important how – answering questions like:
- How did the perpetrators communicate with each other?
- How were the internal controls circumvented or overridden?
- How were the documents altered or falsified?
- How were the transactions recorded and reported?
- How were the funds transferred and who authorised them?
- How were the contracts awarded and executed?
- How were the invoices issued and paid?
Finding the trail
Understanding “how” typically requires sifting through vast bodies of potential evidence (a large-scale document review) to find the right “trail of crumbs” and follow it to its conclusion. This is where the AI tools come into their own to accelerate the digital forensic investigation.
That means collecting, processing and analysing volumes of electronically stored information (ESI) that leaves digital fingerprints (such as emails, chat messages, phone recordings, CCTV and geolocation data) as well as documentary evidence (such as contracts, invoices, receipts, reports, bank statements and other relevant records).
Separating the signal from the noise in a digital forensic investigation
In order to surface all potentially relevant information, it’s necessary to cast your initial search net fairly wide when looking for the answer to how. The skill then comes in separating the “signal” from the “noise” – a task in which technology, technique and experience all play a role.
Technique and experience
At Salient, our preferred approach for a digital forensic investigation is to first use AI for inclusion and then apply its capabilities to intelligently cull any unnecessary and/or irrelevant data that slips through.
Additionally, we overlay the results of Forensic Data Analytics on relevant structured data to identify key individuals, time periods, locations, entities, and more. Experience has shown this can significantly improve the ability of advanced technology in a large-scale document review to reveal patterns, anomalies, inconsistencies, and discrepancies that may indicate fraud or other misconduct.
Technology
We use Reveal as our eDiscovery platform of choice because it uses advanced analytics – including concept clustering, email threading, near duplicate detection and sentiment analysis – to group and organise documents based on their content, structure and tone.
Reveal also uses Continuous Active Learning (CAL) – a technique that trains the software based on reviewer interactions – to help classify documents that are more likely to be relevant to the investigation. This can significantly reduce the time and cost of manual review, moving away from the traditional linear approach to improve the speed, accuracy and consistency of results.
With Reveal, we can quickly identify and prioritize the most important documents for further investigation: for example, those showing how the issue under investigation was carried out, the methods, motives, and outcomes, and any irregularities or red flags uncovered by Forensic Data Analytics (FDA).
The platform also makes it easy to search, filter, tag, annotate, and export documents, and generate reports and visualisations summarising the findings and trends. This enables us to build a rapid – and comprehensive – answer to the question of how, concluding our 5W1H digital forensic investigation.
Remember: As with any digital forensic investigation, it’s crucial to preserve the metadata associated with documents and files to ensure the evidence collected is defensible and can be used in court.
What’s next?
Once all the aspects of a digital forensic investigation have been covered (and the five Ws and one H answered satisfactorily), it’s time to prepare all relevant documents for review by legal counsel.
In this, our eDiscovery platform, Reveal, once again offers critical capabilities, enabling us to:
- create custom document sets as required by the court in question
- apply redactions
- generate privilege logs
- produce documents in various formats, such as PDF, TIFF or native
Importantly, Reveal also enables us to ensure that the chain of custody and audit trails are fully maintained throughout the entire process from collection to production.
Using tools and analytics to answer the 5Ws and 1H in a forensic investigation
1. Who
The best starting point for answering the question of “who” is involved in a matter usually centres on communications.
2. What
eDiscovery tools are invaluable to uncover the concepts, context and content under investigation.
3. When
Understanding when a digital footprint was left can be extremely valuable when aligning events in an investigation.
4. Where
“Where” is a multi-faceted concept that encompasses a variety of data types and requires the use of various eDiscovery tools and methodologies.
5. Why
Why can be one of the trickiest questions to answer in an investigation and requires reading between the lines to analyse context/sentiment.
6. How
Understanding “how” typically requires sifting through vast bodies of potential evidence to find the “trail of crumbs” and follow it to its conclusion.
We use our skills and advanced technology to help you find all the pieces in the puzzle faster and more efficiently. Find out how Salient Discovery could accelerate your next digital forensic investigation.