Digital Forensics
Key Strategies for Balancing Investigation Time and Quality
By Justin Tolman, Forensic Subject Matter Expert and Evangelist | August 9, 2024
Digital forensic investigators face an ever-increasing number of cases, consisting of devices that store an increasing amount of data. Unfortunately, the number of hours in the day has remained the same. ‘Being busy’ is no excuse for reducing the quality of work when performing digital examinations.
In a recent episode of the FTK Over the Air podcast, Brett Shavers, former investigator and author of the book DFIR Investigative Mindset, Placing the Suspect Behind the Keyboard Volume 2, shared some tips with me on balancing quality of work and time. While the word “suspect” may imply a law enforcement perspective on investigations, it is not just law enforcement that is carrying heavy caseloads.
Historically, the primary focus of corporate Incident Response teams has been to stop the breach and return to “normal”. Updated CISA and NIST standards for Incident Response playbooks and frameworks now include requirements for forensic investigations to be conducted. This will likely increase the workload on corporate forensic teams. Balancing time during an investigation is a crucial skill regardless of industry.
Prioritize Cases Based on Importance and Urgency
One of the first steps in managing investigation time and quality is prioritizing cases. Brett emphasizes the importance of using an internal priority matrix to determine the urgency and importance of each case.
“Importance” and “Urgency” are two words that corporate incident response teams are very familiar with, and might be the two words that define their whole workflow paradigm. Corporations are typically good at documenting these types of policies and procedures. However, if you as the reader are in the Law Enforcement space and do not have a written policy dictating case priority, this is a great time to create one.
For example, a missing child case would naturally take precedence over a less urgent matter, such as a harassment incident that occurred a year ago. This prioritization helps investigators allocate their time and resources effectively, ensuring that the most critical cases receive the attention they need promptly.
Focus on the Mission of the Case
Staying focused on the mission of the case is the next key strategy. The mission might involve locating a missing person, identifying a suspect, gathering evidence for litigation, or closing a breach. By keeping the primary objective in mind, investigators can avoid being sidetracked by less relevant details and ensure they gather the necessary evidence to achieve the case's goal efficiently.
“When you show everything, you show nothing.” - Brett Shavers
This insight underscores the importance of being selective and precise in presenting evidence, ensuring that the most relevant information is highlighted. Avoid the pitfall of over-collecting evidence, which can dilute the impact of the findings. By focusing on the mission and not getting bogged down by extraneous details, investigators can maintain the quality and integrity of their work.
To effectively focus on the mission, Shavers says examiners must “...know what is evidence, why it is evidence, and how do we verify it's evidence. How is it going to be admissible in court, and how could it be argued against in court.”
Be Open to Discovering Additional Relevant Information
While it's essential to focus on the primary mission, investigators should also remain open to discovering additional relevant information that may emerge during the investigation. This openness can lead to discovering new crimes, identifying key characteristics of a breach, or uncovering other critical pieces of evidence that were not initially part of the investigation's scope.
By being open to new findings, investigators can adapt their strategies to address emerging issues or evidence. This adaptability ensures that they are not solely focused on their initial hypothesis but are also considering other possibilities that could significantly alter the direction of the investigation.
Conversely, being closed off and overly focused on a single mission objective may lead to errors related to perception or bias. Peer review is an effective resource for keeping you open to new information. Having someone else read your report may help find gaps in your thinking, identify unrecognized biases or perceptions, and increase the overall quality of the investigation.
Conclusion
Balancing investigation time and quality is a critical challenge faced by digital forensic investigators across various industries. Maintaining a clear focus on the mission, prioritizing cases effectively, and staying open to additional information are essential strategies for managing this balance.
Whether in law enforcement or corporate incident response, these principles help ensure that investigations are thorough, accurate, and timely. Ultimately, the goal is to uphold the integrity of the investigation process, ensuring that justice and truth are served efficiently and effectively.
How Exterro FTK Can Help
While it is important that an investigator invests in their own abilities to work as quickly as possible without sacrificing quality, it is just as important that the software used to analyze data is doing as much work for the examiner as possible. FTK 8.1 has introduced Entity Management, which minimizes the work necessary for grouping chats per individual, making it easier to investigate conversations between individuals.
About the Author
Justin Tolman has been working in digital forensics for 12 years. He has a bachelor’s degree in Computer Information Technology from BYU-Idaho and a master’s degree in Cyber Forensics from Purdue University. After graduating, he worked as a Computer Forensic Specialist with the Ohio Bureau of Criminal Investigation and currently works as the Forensic Subject Matter Expert and Evangelist at Exterro. Justin has written training manuals on computer and mobile device forensics, as well as (his personal favorite) SQLite database analysis. He frequently presents at conferences and on webinars, produces YouTube content, and hosts the FTK Over the Air podcast.