By Tim Rollins
Law enforcement agencies face a growing wave of digital evidence that they must investigate. Cybercrime remains a concern, but the ubiquity of smartphones and other digital devices means that even routine criminal cases will likely have digital evidence. With almost every case having a digital component, digital forensic investigators and analysts need to move quickly to keep up with caseloads, bring criminals to justice, and provide closure for victims.
Technology is of course essential to these investigations, but nothing trumps investigators' ability to interpret the data they uncover quickly. We've assembled several expert tips and tricks that can help save time and get to the key evidence faster by identifying key places to look for data and ways to interpret it. In this article, we'll look at a few types of investigations, where to start in them, and how experts suggest you use technology to power the investigations.
Investigating White Collar Crimes
Disgruntled or departing employees may steal IP, clients, or even money. Resources may be misused or misallocated. When the misconduct in question rises to meet criminal standards, it’s critical to ensure that you identify and preserve evidence of wrongdoing. Start your investigation by considering some of these ideas:
- Examine event logs, registry files, and system summaries. Look for changes in patterns of behavior, especially over the two weeks, one month, and two months leading up to the incident(s) in question.
- Look for large uploads or downloads, emails sent to personal accounts, and transfers to cloud drives or USB devices.
- Changed file names or file extensions may be evidence of an employee trying to hide what they are doing. Atypical file compression or encryption is another potential red flag to examine.
Use a feature like FTK 8.0 SuperTimeline to compare a "normal day" for the subject against a day during the period being investigated; the contrast helps pinpoint anomalies or out-of-character behavior.
Investigating Fraud or Theft
While many fraud and theft investigations will be a subset of white-collar crime investigations, they needn't be. They may include things like embezzlement of funds, misappropriation or misallocation of resources, fraudulent reimbursements, or even crimes that exploit the elderly or non-tech-savvy in con schemes. Look early in your investigation for insight by:
- Examining emails, documents, and spreadsheets
- Looking for attempts to log in to bank accounts, credit cards, or other sorts of financial services, such as brokerages or IRAs
- Investigating attempts, successful or not, to log into sensitive data or applications
FTK 8.0's Smart Grid can filter data by specific file types (like .DOCX or .XLSX), file creators, and date ranges to narrowly target files that may be evidence in the case. Also look for evidence that external devices, such as USB drives, were connected to the machine, or that large amounts of data were transferred via the internet, AirDrop, or other transfer protocols.
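To make the "normal day versus investigation day" comparison from the white-collar tips concrete, and the USB and large-transfer checks mentioned in both sections, here is an added Python example (not FTK code and not from Exterro): it builds a baseline from two quiet days in a constructed merged timeline and flags activity on a suspect day that falls outside baseline hours, introduces event types never seen in the baseline, changes a file's extension, or moves an unusually large volume off the host. The line format, the sample events, and the 100 MB threshold are assumptions for the illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample merged timeline (not real case data), "timestamp|source|event|detail":
SAMPLE_TIMELINE = """\
2024-03-04T09:12:00|Security.evtx|logon|user=jdoe
2024-03-04T10:30:00|MFT|file_created|C:\\Users\\jdoe\\Documents\\q1_report.docx
2024-03-05T08:58:00|Security.evtx|logon|user=jdoe
2024-03-05T16:40:00|Security.evtx|logoff|user=jdoe
2024-03-18T22:41:00|Security.evtx|logon|user=jdoe
2024-03-18T22:43:00|SYSTEM hive|usb_connected|serial=CONSTRUCTED-SN-0001
2024-03-18T22:47:00|MFT|file_renamed|clients.xlsx -> holiday.jpg
2024-03-18T23:10:00|browser|upload|host=drive.example.net bytes=734003200
"""
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024  # assumed threshold for a "large" upload

def parse_timeline(text):
    """Split 'timestamp|source|event|detail' lines into event dicts."""
    rows = (line.split("|", 3) for line in text.strip().splitlines())
    return [{"ts": datetime.fromisoformat(ts), "source": s, "event": ev, "detail": d}
            for ts, s, ev, d in rows]

def baseline_profile(events, baseline_days):
    """Event-type counts and the active hour range seen on the 'normal' days."""
    base = [e for e in events if e["ts"].date().isoformat() in baseline_days]
    hours = [e["ts"].hour for e in base]
    return Counter(e["event"] for e in base), min(hours), max(hours)

def flag_anomalies(events, baseline_days, suspect_day):
    """Compare one suspect day against the baseline; return (time, reason, detail) tuples."""
    seen, first_hour, last_hour = baseline_profile(events, baseline_days)
    flags = []
    for e in (e for e in events if e["ts"].date().isoformat() == suspect_day):
        when = e["ts"].strftime("%H:%M")
        if not first_hour <= e["ts"].hour <= last_hour:
            flags.append((when, "off-hours activity", e["event"]))
        if e["event"] not in seen:
            flags.append((when, "event type absent from baseline", e["event"]))
        if e["event"] == "file_renamed":  # "old -> new": did the extension change?
            old, new = (p.strip() for p in e["detail"].split("->"))
            if old.rsplit(".", 1)[-1].lower() != new.rsplit(".", 1)[-1].lower():
                flags.append((when, "file extension changed", e["detail"]))
        if e["event"] == "upload" and int(e["detail"].split("bytes=")[1]) >= LARGE_TRANSFER_BYTES:
            flags.append((when, "large outbound transfer", e["detail"]))
    return flags

if __name__ == "__main__":
    events = parse_timeline(SAMPLE_TIMELINE)
    print(*flag_anomalies(events, {"2024-03-04", "2024-03-05"}, "2024-03-18"), sep="\n")
```

Each flag is only a lead to verify against the underlying artifacts (the event log entry, the registry key, the file record), not a finding on its own.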
For even more expert insight and tips, download the new Exterro whitepaper Jumpstarting Digital Forensics Investigations: Expert Tips for Law Enforcement Professionals.