Digital Forensics - Zurich


Angela Zyborski

on 28 October 2013

Transcript of Digital Forensics - Zurich

.........it's the bits and bytes that excite us
Look in here?
Today, investigators face a constant battle to find the truth in ever larger, more varied and increasingly complex stores of electronic evidence
..Hope I don't talk too fast!
As the growing volume of data has stretched traditional forensic tools to capacity, it has become impossible to examine every evidence source in full.
Investigators may take arbitrary decisions as to which evidence sources they analyse first..
Nowadays, in many investigations,
the key evidence is more often found
‘hidden in plain sight’

In communications
Paul Slater
Director of Forensic Solutions
...rather than as a result of performing deep
forensic analysis
The typical Digital Forensic Investigation
What lessons can we learn from
the world of Electronic Discovery
(eDiscovery) ?
...which typically involves even larger volumes of digital evidence than are found in forensic investigations
Content-based forensic triage

Step 1: Ingest all data into a single tool
Step 2: Perform a "light metadata scan"
Step 3: Analyze basic relationships between people and evidence
Step 4: Deeply index relevant data sources
Step 5: Search and investigate
Step 6: Cross-reference intelligence
Step 7: Forensically examine only the most relevant data sources
Visual Analytics
What's in your data?
traditional linear email review
visual email review
Email traffic event map
Shingles (near dupe)
What's a near-duplicate
and how does it help?
Consider two visually "identical" documents: the same text saved as a Microsoft Word file and as an Adobe PDF.
MD5 match? No. The two files are different byte streams, so a file-level hash cannot tell you they carry the same content.
Named Entities
So...can word shingles increase
search relevance?
Automation of Workflows
Email traffic gap analysis
See who was added to or removed from the conversation
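The email traffic gap analysis named on these slides, written out as an added example (this is not Nuix code and does not come from the presentation). A constructed four-message thread is walked in date order; each hop reports who joined or dropped off the recipient list compared with the previous message, and `external_additions` additionally flags hops that bring in an address outside an assumed internal domain (`example.com`).

```python
"""Email-traffic gap analysis over a constructed thread (added example, not Nuix code)."""
from datetime import datetime

THREAD = [  # constructed sample messages; only the envelope fields matter here
    {"date": "2013-10-01T09:00", "from": "alice@example.com",
     "to": ["bob@example.com", "carol@example.com"], "cc": [], "subject": "Q3 invoices"},
    {"date": "2013-10-01T10:15", "from": "bob@example.com",
     "to": ["alice@example.com"], "cc": ["carol@example.com"], "subject": "RE: Q3 invoices"},
    {"date": "2013-10-01T11:40", "from": "alice@example.com",
     "to": ["bob@example.com"], "cc": [], "subject": "RE: Q3 invoices"},        # carol dropped
    {"date": "2013-10-02T08:05", "from": "bob@example.com",
     "to": ["alice@example.com"], "cc": ["dave@external.example"],
     "subject": "RE: Q3 invoices"},                                             # outsider added
]


def participants(msg):
    """Everyone on the message: sender plus To and Cc, case-folded."""
    return {msg["from"].lower()} | {a.lower() for a in msg["to"] + msg["cc"]}


def gap_analysis(thread):
    """One record per hop: who was added to or removed from the conversation
    relative to the previous message in date order."""
    ordered = sorted(thread, key=lambda m: datetime.fromisoformat(m["date"]))
    hops = []
    prev = participants(ordered[0])
    for msg in ordered[1:]:
        cur = participants(msg)
        hops.append({"date": msg["date"], "from": msg["from"],
                     "added": sorted(cur - prev), "removed": sorted(prev - cur)})
        prev = cur
    return hops


def external_additions(thread, internal_domain):
    """Hops that bring an address from outside internal_domain into the thread."""
    return [h for h in gap_analysis(thread)
            if any(not a.endswith("@" + internal_domain) for a in h["added"])]


if __name__ == "__main__":
    for hop in gap_analysis(THREAD):
        print(hop["date"], hop["from"], "added:", hop["added"], "removed:", hop["removed"])
```

On the sample thread the second hop shows carol being dropped and the third shows dave@external.example being added; the same pass over a real mailbox export is what turns a linear email review into a list of the moments a conversation changed hands.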
..What about documents with similar content ?
Near-duplicate technology gets around this problem by extracting and hashing multiple overlapping phrases of around four or five words each.

This technology is called "shingles."

By comparing the number of matching shingles between items, we can tell if they contain the same text.
With "shingles" we can also identify items that contain similar text—and just how similar they are.
This has many practical applications for investigators

It can show us how a document has evolved over time.

In fact, the ability to find and group similar documents is a very powerful way to focus on the key items or evidence sources that may decide your case.
Once you have identified items that are very relevant (or definitely irrelevant) — you can use near-duplicate analysis to find similar items and group them as
"not relevant", "relevant" or "undecided"
Using these techniques improves the efficiency of keyword searches which on their own are a blunt investigative tool.
What if the key suspect was nicknamed "Mouse."
...Imagine all the irrelevant hits in a typical computer hard drive!
A basic keyword search is ineffective.
After you have extracted a list of shingles, you can search within that list for a particular keyword
....and avoid files containing non-relevant phrases such as "how the mouse buttons work"
..or help link documents recovered from unallocated space with documents in the live data set
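A working implementation of the shingling, near-duplicate grouping and shingle-level keyword search described above, added here as an example (this is not Nuix's implementation and not code from the presentation). It assumes four-word shingles, SHA-1 as the shingle hash, a Jaccard threshold of 0.5 for grouping and a containment threshold of 0.8 for linking carved fragments; the five documents are constructed sample text. It also goes one step beyond the slides: `link_fragment` scores a fragment by containment rather than Jaccard, because a short fragment recovered from unallocated space shares only a small fraction of a whole document's shingles and would never reach a Jaccard threshold.

```python
"""Word-shingle near-duplicates and shingle-level keyword search (added example, not Nuix code)."""
import hashlib
import re
from itertools import combinations

SHINGLE_WIDTH = 4  # assumed; the talk says "around four or five words"

DOCS = {  # constructed sample text
    # Same memo extracted from a Word file and from its PDF export: same words, different bytes.
    "memo.docx": "Mouse will collect the payment from the warehouse on Friday. "
                 "Tell nobody about the second account until the transfer clears.",
    "memo.pdf": "Mouse will collect the payment\nfrom the warehouse on Friday.\n"
                "Tell nobody about the second account\nuntil the transfer clears.",
    # Later revision of the memo (one word changed).
    "memo_v2.docx": "Mouse will collect the cash from the warehouse on Friday. "
                    "Tell nobody about the second account until the transfer clears.",
    # Irrelevant file that still contains the keyword "mouse".
    "help.txt": "This page explains how the mouse buttons work and how to adjust "
                "the pointer speed in the control panel.",
    # Fragment carved from unallocated space: part of the memo, no filename.
    "carved_fragment": "nobody about the second account until the transfer clears",
}


def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text, width=SHINGLE_WIDTH):
    """Set of overlapping word runs of the given width."""
    words = tokenize(text)
    if len(words) < width:
        return {" ".join(words)} if words else set()
    return {" ".join(words[i:i + width]) for i in range(len(words) - width + 1)}


def shingle_hashes(text, width=SHINGLE_WIDTH):
    return {hashlib.sha1(s.encode()).hexdigest() for s in shingles(text, width)}


def md5_match(text_a, text_b):
    """File-level hashing: any byte difference, even whitespace, breaks the match."""
    return hashlib.md5(text_a.encode()).hexdigest() == hashlib.md5(text_b.encode()).hexdigest()


def similarity(hashes_a, hashes_b):
    """Jaccard index of two shingle-hash sets: 0.0 = nothing shared, 1.0 = same text."""
    if not hashes_a and not hashes_b:
        return 1.0
    return len(hashes_a & hashes_b) / len(hashes_a | hashes_b)


def containment(fragment_hashes, doc_hashes):
    """Share of the fragment's shingles found in the document (size-insensitive)."""
    return len(fragment_hashes & doc_hashes) / len(fragment_hashes) if fragment_hashes else 0.0


def near_duplicates(docs, threshold=0.5):
    """Pairs whose Jaccard similarity reaches the threshold, with the rounded score."""
    hashes = {name: shingle_hashes(text) for name, text in docs.items()}
    pairs = {}
    for a, b in combinations(docs, 2):
        score = similarity(hashes[a], hashes[b])
        if score >= threshold:
            pairs[(a, b)] = round(score, 2)
    return pairs


def propagate_tags(docs, reviewed, threshold=0.5):
    """Copy a reviewer's 'relevant' / 'not relevant' decision to near-duplicates of the
    reviewed item; everything else stays 'undecided'."""
    hashes = {name: shingle_hashes(text) for name, text in docs.items()}
    tags = {name: "undecided" for name in docs}
    for name in docs:
        for seed, tag in reviewed.items():
            if name == seed or similarity(hashes[name], hashes[seed]) >= threshold:
                tags[name] = tag
    return tags


def link_fragment(fragment, live_docs, threshold=0.8):
    """Live documents that contain (almost) all of a carved fragment's shingles."""
    frag = shingle_hashes(fragment)
    return sorted(name for name, text in live_docs.items()
                  if containment(frag, shingle_hashes(text)) >= threshold)


def keyword_hits(docs, keyword, irrelevant_phrases=()):
    """Search the shingle list instead of raw text; skip a file when one of its keyword
    shingles is part of a phrase already known to be irrelevant."""
    keyword = keyword.lower()
    hits = {}
    for name, text in docs.items():
        kw_shingles = {s for s in shingles(text) if keyword in s.split()}
        if not kw_shingles:
            continue
        if any(s in phrase.lower() for s in kw_shingles for phrase in irrelevant_phrases):
            continue
        hits[name] = sorted(kw_shingles)
    return hits
```

On the sample set `md5_match` says the Word and PDF versions of the memo are unrelated while their shingle similarity is 1.0; the one-word revision scores 0.62 and is grouped with them; the help file that mentions "mouse" is dropped by the irrelevant-phrase filter; and the carved fragment links back to all three memo versions even though its Jaccard score against each is only 0.35.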
We often manually perform the same 'standard forensic' processes in each case:
  • Date range filtering
  • Keyword searching, bookmarking/tagging
  • Identification of encrypted or corrupted data
  • Identification of non-searchable documents for OCR
  • Signature analysis/hashing
In e-discovery, these processes are automated
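What automating those checks looks like in practice, as an added example (not Nuix code and not from the presentation): every item inside a date range gets file-signature analysis (magic bytes against the claimed extension), a Shannon-entropy test that flags likely encrypted content, and a heuristic for image-only items that need OCR. The signature table, the 7.5-bit entropy threshold and the `/Font` heuristic for text-bearing PDFs are assumptions chosen for the example, and the items are constructed byte strings, not real evidence.

```python
"""Automated 'standard forensic' checks over a set of items (added example, not Nuix code)."""
import math
import os
from datetime import date

SIGNATURES = {  # assumption: a small subset of common magic numbers
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"PK\x03\x04": "zip",                          # also docx/xlsx containers
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc",    # OLE2 compound file
}
ALIASES = {"docx": "zip", "xlsx": "zip", "jpeg": "jpg"}  # extension -> sniffed type
IMAGE_TYPES = {"png", "jpg"}
COMPRESSED_TYPES = {"png", "jpg", "zip"}  # naturally high entropy, so not 'encrypted'
ENTROPY_THRESHOLD = 7.5                   # bits per byte; assumed cut-off

ITEMS = [  # constructed: (name, last modified, contents)
    ("report.pdf", date(2013, 9, 12),
     b"%PDF-1.4\n<< /Type /Font /BaseFont /Helvetica >>\nstream\nHello world\nendstream"),
    ("scan.pdf", date(2013, 9, 20), b"%PDF-1.4\n<< /Subtype /Image /Filter /DCTDecode >>"),
    ("photo.jpg", date(2013, 10, 3), b"\xff\xd8\xff\xe0" + bytes(range(256)) * 2),
    ("notes.txt", date(2013, 10, 5), b"%PDF-1.4\n/Font hidden pdf renamed as txt"),
    ("safe.bin", date(2013, 10, 6), bytes((i * 73 + 11) % 256 for i in range(4096))),
    ("old.doc", date(2012, 1, 1), b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 old memo"),
]


def sniff_type(data):
    """Signature analysis: identify the type from leading bytes, not from the name."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def entropy(data):
    """Shannon entropy in bits per byte (8.0 = every byte value equally frequent)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(items, start, end):
    """Date-range filter plus the automated checks; one record per item kept."""
    results = []
    for name, modified, data in items:
        if not start <= modified <= end:
            continue
        ext = os.path.splitext(name)[1].lstrip(".").lower()
        kind = sniff_type(data)
        ent = entropy(data)
        flags = []
        if kind != "unknown" and kind != ALIASES.get(ext, ext):
            flags.append("extension mismatch")
        if ent > ENTROPY_THRESHOLD and kind not in COMPRESSED_TYPES:
            flags.append("possibly encrypted")
        if kind in IMAGE_TYPES or (kind == "pdf" and b"/Font" not in data):
            flags.append("needs OCR")
        results.append({"name": name, "type": kind, "entropy": round(ent, 2), "flags": flags})
    return results


if __name__ == "__main__":
    for rec in triage(ITEMS, date(2013, 9, 1), date(2013, 10, 31)):
        print(rec)
```

The one caveat worth building in from the start is the `COMPRESSED_TYPES` exception: a JPEG or ZIP scores close to 8 bits per byte on its own, so an entropy test without a signature check would report every photo as encrypted and bury the genuinely unreadable items.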
Because Nuix indexes the relevant data sources, and can extract text and associated metadata,
we can intelligently search for certain types of 'regular expressions' such as....
and automatically filter these for review
By using these e-discovery techniques in digital investigations,
Nuix is able to increase the efficiency of the investigative process,
allowing the digital forensic investigator to focus their analysis on looking for the
elephant in the room
such as previous versions of a Word document that are stored in System Restore points
Joined Nuix as Director of Forensic Solutions in 2013.

Over 20 years of investigation experience as an advisor within the law enforcement, government, financial and commercial sectors

Involved in digital forensics for over 14 years. Originally a detective within the Greater Manchester Police, I spent seven years as a computer forensic investigator before leaving in 2003 to become a digital forensics adviser to legal, corporate and government clients.

Led both PwC’s and Deloitte’s regional UK Forensic Technology teams

Spent two years as Interim head of the Digital Forensics Unit to the UK’s Serious Fraud Office

A contributing author of the Association of Chief Police Officers (ACPO) Good Practice Guide for Computer-based Electronic Evidence; a global reference manual for professional digital investigators

About Me
We need to improve the efficiency of our digital investigations. Crucially, investigators need to be able to more effectively zero-in on critical data and focus time-consuming data forensics analysis on only this data.


..or if they examine them at all
We can even build our own 'RegEx' expressions, for example to match a Swiss ID number
This helps to reduce human error
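An added example of such a custom expression with the error reduction built in (this is not Nuix code and not from the presentation): the "Swiss ID" is assumed here to be the Swiss AHV/AVS social insurance number, 13 digits starting with the country prefix 756, usually written 756.XXXX.XXXX.XX, whose last digit is an EAN-13 check digit. The pattern finds candidates; the check digit decides which ones are tagged for review, so a reviewer is not handed every 13-digit string that happens to begin with 756. The sample text is constructed.

```python
"""Regex search for AHV numbers with check-digit validation (added example, not Nuix code)."""
import re

# Assumed format: 756 + 10 digits, dots optional, word boundaries on both sides.
AHV_RE = re.compile(r"\b756\.?\d{4}\.?\d{4}\.?\d{2}\b")


def ean13_check_digit(first12):
    """EAN-13: weights 1,3,1,3,... from the left; the check digit brings the sum to a multiple of 10."""
    total = sum(int(d) * (1 if i % 2 == 0 else 3) for i, d in enumerate(first12))
    return (10 - total % 10) % 10


def is_valid_ahv(candidate):
    digits = candidate.replace(".", "")
    return (len(digits) == 13 and digits.startswith("756")
            and ean13_check_digit(digits[:12]) == int(digits[12]))


def find_identifiers(text):
    """Every regex candidate with its validation result, so reviewers can see what was dropped and why."""
    return [(m.group(0), is_valid_ahv(m.group(0))) for m in AHV_RE.finditer(text)]


def valid_identifiers(text):
    """Only the candidates that pass the check digit: the hits worth tagging for review."""
    return [hit for hit, ok in find_identifiers(text) if ok]


SAMPLE = """Constructed sample text, not real data.
Versichertennummer: 756.1234.5678.97 (a widely used example number).
Bestellnummer 756.9999.0000.01 is an order reference that merely looks like one.
Form field with a typo: 756.1234.5678.98.
Telefon 044 123 45 67.
"""

if __name__ == "__main__":
    for hit, ok in find_identifiers(SAMPLE):
        print(hit, "valid" if ok else "rejected by check digit")
```

Keeping `find_identifiers` alongside `valid_identifiers` matters in an investigation: a rejected candidate is sometimes a transcription error in the evidence rather than noise, and the rejected list is where such an error is found.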
In Summary
needle in the digital haystack
About Nuix
or locate related documents that don't come up in keyword searches