
Key Strategies for Balancing Investigation Time and Quality

Read this blog post to learn about key strategies for conducting effective digital forensic investigations based on a recent conversation between Justin Tolman and Brett Shavers.

Digital forensic investigators face an ever-increasing number of cases, each involving devices that store a growing amount of data. Unfortunately, the number of hours in the day has remained the same. “Being busy” is no excuse for reducing the quality of work when performing digital examinations.

In a recent episode of FTK Over the Air Podcast, Brett Shavers—former investigator and author of the book DFIR Investigative Mindset: Placing the Suspect Behind the Keyboard Volume 2—shared tips on balancing quality of work and time. While the word “suspect” may imply a law enforcement perspective, it’s not just law enforcement that is carrying heavy caseloads.

Historically, corporate Incident Response teams primarily focused on stopping breaches and returning to “normal.” Updated CISA and NIST standards for Incident Response now include requirements for forensic investigations, which will likely increase workloads for corporate forensic teams. Balancing time during an investigation is a crucial skill across industries.

Prioritize Cases Based on Importance and Urgency

One of the first steps in managing investigation time and quality is prioritizing cases. Brett emphasizes using an internal priority matrix to determine urgency and importance.

“Importance” and “Urgency” are familiar concepts for corporate incident response teams and often define their workflows. While corporations typically document these processes, law enforcement teams without formal prioritization policies should consider creating them.

For example, a missing child case would take precedence over a less urgent matter such as a year-old harassment incident. This prioritization ensures that critical cases receive timely attention.

Focus on the Mission of the Case

Staying focused on the mission is essential. Whether the goal is locating a missing person, identifying a suspect, gathering evidence, or closing a breach, maintaining clarity helps avoid distractions.

“When you show everything, you show nothing.” — Brett Shavers

This highlights the importance of presenting only the most relevant evidence. Over-collection can dilute findings and reduce impact. Investigators must understand what qualifies as evidence, why it matters, how to verify it, and how it will stand up in court.

Be Open to Discovering Additional Relevant Information

While focus is critical, investigators should remain open to new information uncovered during analysis. This may include discovering additional crimes, identifying new breach indicators, or uncovering key evidence outside the original scope.

Being adaptable allows investigators to adjust their approach as new insights emerge. Over-focusing on a single objective can introduce bias or errors in judgment.

Peer review is an effective way to maintain objectivity. Having others review reports can uncover gaps, identify biases, and improve overall quality.

Conclusion

Balancing investigation time and quality is a major challenge for digital forensic investigators. Prioritizing cases, maintaining focus on objectives, and staying open to new information are key strategies for success.

Whether in law enforcement or corporate environments, these principles ensure investigations remain thorough, accurate, and timely—ultimately supporting the pursuit of truth and justice.

How Exterro FTK Can Help

While investigators must continuously refine their own skills, it is equally important to use tools that enhance efficiency without compromising quality. FTK 8.1 introduces Entity Management, which simplifies grouping chats by individual and makes analyzing conversations more efficient.

About the Author

Justin Tolman has worked in digital forensics for 12 years. He holds a bachelor’s degree in Computer Information Technology from BYU-Idaho and a master’s degree in Cyber Forensics from Purdue University. He previously worked as a Computer Forensic Specialist with the Ohio Bureau of Criminal Investigation and currently serves as a Forensic Subject Matter Expert and Evangelist at Exterro. He has written training manuals on computer and mobile device forensics, including SQLite database analysis, and regularly presents at conferences, webinars, and through the FTK Over the Air podcast.