
Forensic analytics is the key to unlock time-related data – ‘when’

In our latest series of articles, we’ve been working through the stages of 5W1H – a widely established information-gathering methodology centred on five Ws (who, what, when, where and why) and one H (how). 

So far, we’ve covered the way eDiscovery tools and techniques can be used to answer – and elaborate on – the questions of who and what. Today, we’re diving into the question of when and looking at the part that forensic analytics can play. 

Forensic analytics: how to use Reveal to support investigations

5W1H Part 3: When?

Timeline 

Reveal’s Timeline graph is a powerful tool for forensic analysis of data relating to when events occurred or when digital records were created. It enables investigators to: 

  • Analyse document volumes over the entire project timeframe, or for a specific date range selected using the metadata date field. 
  • Identify time gaps to determine whether any timeframes were missed (or intentionally excluded) during data collection. 
  • Identify digital communications happening outside of standard hours e.g. nights/weekends. 
  • Identify digital communication volume spikes that occurred after specific corporate events e.g. announcements of impending legal action, product launches, etc.
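
As an added illustration (not Reveal's implementation and not code from Salient), the gap, out-of-hours and spike checks listed above can be run over a plain list of timestamps taken from a metadata date field. The sample timestamps, the 08:00 to 18:00 business hours, the three-day gap threshold and the 3x-median spike rule are all assumptions made for this sketch.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Constructed sample: sent times per day, assumed already normalised to one time zone.
SAMPLE = {
    "2024-03-04": ["09:15", "14:30"],
    "2024-03-05": ["10:00", "16:45"],
    "2024-03-06": ["09:30", "11:00"],
    "2024-03-13": ["10:10", "15:00"],
    "2024-03-14": ["09:05", "09:40", "10:20", "11:15", "13:00", "14:45", "16:30", "23:40"],
    "2024-03-15": ["09:00", "12:30"],
    "2024-03-16": ["13:05"],
}
STAMPS = [datetime.fromisoformat(f"{d}T{t}") for d, times in SAMPLE.items() for t in times]

def daily_volumes(stamps):
    """Document count per calendar day."""
    return Counter(ts.date() for ts in stamps)

def collection_gaps(volumes, start, end, min_days=3):
    """Runs of at least min_days consecutive empty days between start and end."""
    gaps, run_start, day = [], None, start
    while day <= end + timedelta(days=1):  # one extra step closes a trailing run
        empty = day <= end and volumes.get(day, 0) == 0
        if empty and run_start is None:
            run_start = day
        elif not empty and run_start is not None:
            if (day - run_start).days >= min_days:
                gaps.append((run_start, day - timedelta(days=1)))
            run_start = None
        day += timedelta(days=1)
    return gaps

def off_hours(stamps, open_hour=8, close_hour=18):
    """Items sent at a weekend or outside the assumed business hours."""
    return [ts for ts in stamps
            if ts.weekday() >= 5 or not open_hour <= ts.hour < close_hour]

def spikes(volumes, factor=3):
    """Days whose volume is at least factor times the median active-day volume."""
    baseline = median(volumes.values())
    return sorted(d for d, n in volumes.items() if n >= factor * baseline)

if __name__ == "__main__":
    vols = daily_volumes(STAMPS)
    print("gaps:", collection_gaps(vols, min(vols), max(vols)))
    print("off-hours:", [ts.isoformat() for ts in off_hours(STAMPS)])
    print("spikes:", spikes(vols))
```

A gap found this way only shows that no documents carry dates in that range; whether the period was missed during collection or was simply quiet still has to be confirmed against the collection records.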

 

Heatmap 

Fully understanding the relevance of when often requires forensic analytics in conjunction with questions like who, what and/or where. In this, Reveal’s Heatmap can offer invaluable insights, using colour intensity to visualise the strength of relationships/overlaps between different types of metadata values (presented in a grid format).  

If we return to our previous example of a bank robbery investigation, this could be used to quickly visualise who (custodian) was experiencing what (elevated heart rate via biometric data) when (time/date of the bank robbery).  

A more traditional use case might be visualising who (custodian) was talking the most about what (search term) when (date range relevant to the investigation). 

Preserving Metadata 

Metadata can be a crucial component of an investigation, shedding light on much more than just when specific actions/events occurred. As such, it’s critical that metadata is preserved using forensically sound processes – standard practice in every Salient investigation. 

Without sound processes, it is very easy to corrupt date fields and lose crucial insights into the chronology. Discovering that the evidence now reflects the date the item was investigated can hugely impact the case!

Using tools and analytics to answer the 5Ws and 1H in a forensic investigation


1. Who

The best starting point for answering the question of who is involved in a matter usually centres on communications.


2. What

eDiscovery tools are invaluable to uncover the concepts, context and content under investigation.


3. When

Understanding when a digital footprint was left can be extremely valuable when aligning events in an investigation.


4. Where

“Where” is a multi-faceted concept that encompasses a variety of data types and requires the use of various eDiscovery tools and methodologies.


5. Why

Why can be one of the trickiest questions to answer in an investigation and requires reading between the lines to analyse context/sentiment.


6. How

Understanding how typically requires sifting through vast bodies of potential evidence to find the “trail of crumbs” and follow it to its conclusion.


We use our skills and advanced technology to help you find all the pieces in the puzzle faster and more efficiently. Find out how Salient Discovery could accelerate your next digital forensic investigation.