Send the link below via email or IMCopy
Present to your audienceStart remote presentation
- Invited audience members will follow you as you navigate and present
- People invited to a presentation do not need a Prezi account
- This link expires 10 minutes after you close the presentation
- A maximum of 30 users can follow your presentation
- Learn more about this feature in our knowledge base article
Do you really want to delete this prezi?
Neither you, nor the coeditors you shared it with will be able to recover it again.
Make your likes visible on Facebook?
You can change this under Settings & Account at any time.
Digital Forensics - Zurich
Transcript of Digital Forensics - Zurich
Look in here?
Today, investigators face a constant battle to find the truth in ever larger, more varied and increasingly complex stores of electronic evidence
..Hope I don't talk too fast!
As the growing volume of data has stretched traditional forensic tools to capacity, it has become impossible to examine them all.
Investigators may take arbitrary decisions as to which evidence sources they analyse first..
Nowadays, in many investigations,
the key evidence is more often found
‘hidden in plain sight’
Director of Forensic Solutions
...rather than as a result of performing deep
The typical Digital Forensic Investigation
What lessons can we learn from
the world of Electronic Discovery
...which typically involves even larger volumes of digital evidence than found in forensic investigations
Analyze basic relationships between people and evidence
Deeply index relevant data sources
Search and investigate
Forensically examine only the most relevant data sources
Ingest all data into a single tool
Perform a "light Metadata scan"
Content-based forensic triage
Look in here?
Look in here?
Whats in your data?
traditional linear email review
visual email review
Email traffic event map
Shingles (near dupe)
What's a near-duplicate
and how does it help?
Consider two visually "identical" documents
MD5 match ?
So...can word shingles increase
Automation of Workflows
Email traffic gap analysis
See who was added to or removed from the conversation
..What about documents with similar content ?
Near-duplicate technology gets around this problem by extracting and hashing multiple overlapping phrases of around four or five words each.
This technolgy is called "shingles."
By comparing the number of matching shingles between items, we can tell if they contain the same text.
With "shingles" we can also identify items that contain similar text—and just how similar they are.
This has many practical applications for investigators
It can show us how a document has evolved over time .
In fact, the ability to find and group similar documents is a very powerful way to focus on the key items or evidence sources that may decide your case.
Once you have identified items that are very relevant (or definitely irrelevant) — you can use near-duplicate analysis to find similar items and group them as
"not relevant", "relevant" or "undecided"
Using these techniques improves the efficiency of keyword searches which on their own are a blunt investigative tool.
What if the key suspect was nicknamed "Mouse."
...Imagine all the irrelevant hits in a typical computer hard drive!
A basic keyword search is ineffective.
After you have extracted a list of shingles, you can search within that list for a particular keyword
....and avoid files containing non relevant phrases such as "how the mouse buttons work"
..or help link of documents recovered from unallocated with documents in the live data set
We often manually perform the same 'standard forensic' processes in each case
Date range filtering
Keyword searching, bookmarking/tagging
Identification of encrypted, corrupted data
Identification of non searchable documents for OCR
In e-discovery, these processes are automated
Because Nuix indexes the relevant data sources, and can extract text and associated metadata
we can intelligently search for certain types of 'regular expressions' such as....
By using these e-discovery techniques in digital investigations
Nuix is able to increase the efficiency of the investigative process
allowing the digital forensic investigator to..
and automatically filter these for review
looking for the
elephant in the room
such as previous versions of a Word Document that are stored in System restore points
Joined Nuix as Director of Forensic Solutions in 2013.
Over 20 years of investigation experience as an advisor within the law enforcement, government, financial and commercial sectors
Involved in digital forensics for over 14 years. Originally a detective within the Greater Manchester Police, I spent seven years as a computer forensic investigator before leaving to 2003 to become a digital forensics adviser to legal, corporate and government clients.
Led both PwC’s and Deloitte’s regional UK Forensic Technology teams
Spent two years as Interim head of the Digital Forensics Unit to the UK’s Serious Fraud Office
A contributing author of the Association of Chief Police Officers (ACPO) Good practice Guide for Computer-based Electronic Evidence; a global reference manual for professional digital investigators
We need to improve the efficiency of our digital investigations. Crucially, investigators need to be able to more effectively zero-in on critical data and focus time-consuming data forensics analysis on only this data.
We need to improve the efficiency of our digital investigations.
Crucially, investigators need to be able to more effectively zero-in on critical data and focus time-consuming data forensics analysis on only this data.
..or if they examine them at all
We can even build our own 'RegEx' expressions
This helps to reduce human error
needle in the digital haystack
or locate related documents that don't come up in keyword searches