In our latest series of articles, we’ve been working through the stages of 5W1H – a widely established information-gathering methodology centred on five Ws (who, what, when, where and why) and one H (how).
So far, we’ve covered the way eDiscovery tools and techniques can be used to answer – and elaborate on – the questions of who and what. Today, we’re diving into the question of when and looking at the part that forensic analytics can play.
Forensic analytics: how to use Reveal to support investigations
5W1H Part 3: When?
Timeline
Reveal’s Timeline graph is a powerful tool for forensic analysis of data relating to when events occurred or when digital records were created. It enables investigators to:
- Analyse document volumes over the entire project timeframe, or for a specific date range selected using the metadata date field.
- Identify time gaps to determine whether any timeframes were missed (or intentionally excluded) during data collection.
- Identify digital communications happening outside of standard hours e.g. nights/weekends.
- Identify digital communication volume spikes that occurred after specific corporate events e.g. announcements of impending legal action, product launches, etc.
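The same three checks (collection gaps, out-of-hours activity and volume spikes) can be reproduced outside Reveal on an exported date field. This is an added example, not Reveal's or Salient's code; the function name, thresholds and sample timestamps are assumptions constructed for illustration, and the timestamps are assumed to be already normalised to one time zone.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Constructed sample: "sent" timestamps from a hypothetical mailbox export,
# assumed to be already normalised to a single time zone.
SAMPLE = [
    "2023-03-01T09:15:00", "2023-03-01T14:02:00",
    "2023-03-02T10:30:00", "2023-03-02T23:47:00",  # late evening
    "2023-03-03T11:05:00",
    "2023-03-04T16:20:00",                         # Saturday
    # no items dated 5-9 March
    "2023-03-10T09:00:00", "2023-03-10T09:05:00", "2023-03-10T09:20:00",
    "2023-03-10T10:10:00", "2023-03-10T11:45:00", "2023-03-10T13:30:00",
    "2023-03-10T15:15:00", "2023-03-10T16:50:00",
    "2023-03-13T10:00:00",
]

def analyse_timeline(stamps, min_gap_days=3, spike_factor=3.0, work_hours=(7, 19)):
    """Hypothetical helper: find collection gaps, off-hours items and volume spikes."""
    times = sorted(datetime.fromisoformat(s) for s in stamps)
    per_day = Counter(t.date() for t in times)

    # Gaps: runs of consecutive calendar days with no items at all.
    gaps, run_start = [], None
    day, last = times[0].date(), times[-1].date()
    while day <= last:
        if per_day[day] == 0:
            run_start = run_start or day
        elif run_start:
            if (day - run_start).days >= min_gap_days:
                gaps.append((run_start, day - timedelta(days=1)))
            run_start = None
        day += timedelta(days=1)

    # Off-hours: weekends, or outside the working-hours window on weekdays.
    start, end = work_hours
    off_hours = [t for t in times if t.weekday() >= 5 or not start <= t.hour < end]

    # Spikes: days whose volume exceeds spike_factor x the median active day.
    baseline = median(per_day.values())
    spikes = {d: n for d, n in per_day.items() if n > spike_factor * baseline}
    return {"gaps": gaps, "off_hours": off_hours, "spikes": spikes}

if __name__ == "__main__":
    for name, found in analyse_timeline(SAMPLE).items():
        print(name, found)
```

A reported gap is only a prompt to check the collection scope; it does not by itself show that data was excluded.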
Heatmap
Fully understanding the relevance of when often requires forensic analytics that combine it with questions like who, what and/or where. Here, Reveal’s Heatmap can offer invaluable insights, using colour intensity to visualise the strength of relationships/overlaps between different types of metadata values (presented in a grid format).
If we return to our previous example of a bank robbery investigation, this could be used to quickly visualise who (custodian) was experiencing what (elevated heart rate via biometric data) when (time/date of the bank robbery).
A more traditional use case might be visualising who (custodian) was talking the most about what (search term) when (date range relevant to the investigation).
Preserving Metadata
Metadata can be a crucial component of an investigation, shedding light on much more than just when specific actions/events occurred. As such, it’s critical that metadata is preserved using forensically sound processes – standard practice in every Salient investigation.
Without sound processes, it is very easy to corrupt date fields and lose crucial insights into the chronology. Discovering that the evidence now reflects the date the item was investigated can hugely impact the case!
Using tools and analytics to answer the 5Ws and 1H in a forensic investigation
1. Who
The best starting point for answering the question of “who” is involved in a matter usually centres on communications.
2. What
eDiscovery tools are invaluable to uncover the concepts, context and content under investigation.
3. When
Understanding when a digital footprint was left can be extremely valuable when aligning events in an investigation.
4. Where
“Where” is a multi-faceted concept that encompasses a variety of data types and requires the use of various eDiscovery tools and methodologies.
5. Why
Why can be one of the trickiest questions to answer in an investigation and requires reading between the lines to analyse context/sentiment.
6. How
Understanding how typically requires sifting through vast bodies of potential evidence to find the “trail of crumbs” and follow it to its conclusion.
We use our skills and advanced technology to help you find all the pieces in the puzzle faster and more efficiently. Find out how Salient Discovery could accelerate your next digital forensic investigation.