Determining location requires a variety of forensic investigation techniques
5W1H Part 4: Where
So far, in our 5W1H series of articles, we’ve explored how eDiscovery tools and techniques can be used to answer the questions of who, what and when.
Today, we’re taking a look at the question of where – a multifaceted concept that encompasses a variety of data types, and requires the use of various forensic investigation techniques.
The many facets of where
Place names
Unsurprisingly, place names (countries, towns, addresses, etc.) mentioned in text can play an important role in answering the question of where.
In Reveal, place names can be extracted using the entity extraction tools that are part of the Advanced Search functionality. Cluster visualisations are an alternative forensic investigation technique that can then be used to explore groups of documents relating to these places, shedding light on any associated themes, and enabling investigators to focus in on those most likely to bear relevance to the investigation.
Geolocation data
Where may also refer to the geographic location of a person or a device. Answers can be found in data stored on devices like mobile phones, fitness trackers and smart watches that can be extrapolated to pinpoint the geolocation of the device. Examples include GPS data, IP addresses, local Wi-Fi connections and connections made to cellular communication masts.
Extracting this data from users’ devices typically requires specialist cellular harvesting tools like MOBILedit. These tools enable forensic investigators to analyse data from both the devices themselves and the cloud-based repositories they gatekeep, offering important insight into a wealth of potential evidence.
Data/evidence locations
The location in which evidence is found may also be important. As such, it’s critical that robust processes are used during data collection and/or device imaging to preserve information like where on a device any relevant files/documents were found, and who the device belongs to.
“Where else”
Using a wide variety of forensic investigation techniques can also bring to light additional useful information. Additional locations in which the same (or similar) data is found may be relevant to an investigation. For example, an email found in both the sender's and recipient's mailboxes is evidence that the email was received. Documents found duplicated across several locations could indicate the path or timeline of information spread. Near-duplicate documents, on the other hand, may reveal a deliberate intention to mislead, depending on the nature (and source) of their changes.
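The "where else" check described above can be sketched as follows. This is an added example, not code from Reveal or any other product named in the article: it groups exact duplicates by hash while keeping custodian and path, and scores near-duplicates by word-shingle overlap. The sample collection, the function names, the 0.4 threshold and the choice to hash normalised extracted text (rather than native file bytes) are all assumptions made for illustration.

```python
import hashlib
from collections import defaultdict
from itertools import combinations

# Constructed sample collection: (custodian, path on device, extracted text).
COLLECTION = [
    ("alice", "Mail/Sent/0001.eml", "Q3 forecast attached. Revenue is 4.2m as agreed with finance."),
    ("bob", "Mail/Inbox/0417.eml", "Q3 forecast attached. Revenue is 4.2m as agreed with finance."),
    ("bob", "Documents/forecast_v2.txt", "Q3 forecast attached. Revenue is 5.9m as agreed with finance."),
    ("carol", "Desktop/notes.txt", "Lunch order for Friday: two salads and one soup."),
]

def normalise(text):
    # Case and whitespace differences should not hide a duplicate.
    return " ".join(text.lower().split())

def digest(text):
    # Assumption: hash the normalised text, not the native file bytes.
    return hashlib.sha256(normalise(text).encode("utf-8")).hexdigest()

def shingles(text, k=3):
    # Overlapping k-word windows; a one-word edit changes at most k of them.
    words = normalise(text).split()
    return {tuple(words[i:i + k]) for i in range(max(1, len(words) - k + 1))}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 1.0

def exact_duplicates(collection):
    # Every location (custodian, path) where identical content was found.
    groups = defaultdict(list)
    for custodian, path, text in collection:
        groups[digest(text)].append((custodian, path))
    return [locations for locations in groups.values() if len(locations) > 1]

def near_duplicates(collection, threshold=0.4):
    # Pairs that are similar but not identical, with their similarity score.
    hits = []
    for (c1, p1, t1), (c2, p2, t2) in combinations(collection, 2):
        if digest(t1) == digest(t2):
            continue  # already reported as an exact duplicate
        score = jaccard(shingles(t1), shingles(t2))
        if score >= threshold:
            hits.append(((c1, p1), (c2, p2), round(score, 2)))
    return hits

if __name__ == "__main__":
    print("Exact duplicates:", exact_duplicates(COLLECTION))
    print("Near duplicates:", near_duplicates(COLLECTION))
```

The pairwise comparison is quadratic in the number of documents, so it suits a small review set; the changed revenue figure in the constructed data is what separates the near-duplicate from the two identical emails.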
Using tools and analytics to answer the 5Ws and 1H in a forensic investigation
1. Who
The best starting point for answering the question of “who” is involved in a matter usually centres on communications.
2. What
eDiscovery tools are invaluable to uncover the concepts, context and content under investigation.
3. When
Understanding when a digital footprint was left can be extremely valuable when aligning events in an investigation.
4. Where
“Where” is a multi-faceted concept that encompasses a variety of data types and requires the use of various eDiscovery tools and methodologies.
5. Why
Why can be one of the trickiest questions to answer in an investigation and requires reading between the lines to analyse context/sentiment.
6. How
Understanding how typically requires sifting through vast bodies of potential evidence to find the “trail of crumbs” and follow it to its conclusion.
We use our skills and advanced technology to help you find all the pieces in the puzzle faster and more efficiently. Find out how Salient Discovery could accelerate your next digital forensic investigation.