BLOG: May 31, 2022
Five useful tools for online investigations
Become a successful digital investigator
There are many tools available to support digital investigators, with new emerging technologies entering what has become a vibrant sector. As with all things technological, some perform to, or even exceed, professional expectations, while others fail to do what it says on the tin.
To help the fledgling professional through the tool jungle, we engaged with Professor John Walker who has 30+ years of experience in the area of investigations, as well as engagement with the world of Open-Source Intelligence (OSINT) over the last decade.
In this article, John talks about five essential tools for digital investigators and his thoughts about the most important skill to have if you want to be successful as a digital investigator.
The most important tool – the skills of the investigator
Before we get on to the aspects of tools and technologies, there is something far more important – that is the skills and underpinning of knowledge that the truly professional investigator needs to grasp.
“The tools can help you become more efficient, they may assist the investigator to avoid anti-forensics traps, and they may even automatically write a report at the press of a key. In fact, technologies can do a lot of the leg work. However, it is the underpinning of professional knowledge, techniques, and applied investigative disciplines which hone and support the outcome of a robust conclusion to a case.”
John goes on to explain that if the required processes are not applied, such as handling evidence correctly or acquiring and properly bagging and tagging items of evidential interest, the lack of due diligence may leave a case that is not robust enough to withstand the test of cross-examination. This could result in the inadmissibility and failure of the case under test.
“There are three essential elements to a robust investigation, and they are Process, Process, and yes, you guessed it, Process,” says John.
To outline the real-world facts, John provides an example of a case he recalls from his early years relating to the murder of two teenage girls in Leicestershire (UK), Lynda Mann and Dawn Ashworth. This was the first case ever to be tried in court using DNA.
The local police required every male of a certain age and within a radius of the crime scene to submit to a blood test. However, one male persuaded a friend to take a blood test for him by telling him he had an inherent fear of needles.
“A person was overheard in a pub commenting that he was taking a blood test for his friend because of the man’s fear of needles. This seemingly innocent comment was reported to the police, just in case this tiny piece of conversation had any real value. Turns out that the person who was looking to avoid taking the blood test was the actual murderer, Colin Pitchfork, who later was prosecuted for the murder on two counts,” says John.
Small details that people sometimes ignore can cause an unwelcome outcome to a case. Thus no matter how small or seemingly meaningless, every tiny element will count until it has been tested and subsequently discounted.
So, to become a successful digital investigator, you need to be good at paying attention to those tiny details.
Five examples of essential tools for digital investigators
With that being said – let’s talk about John Walker’s basic toolset. Some of them are free, others you need to pay for, but according to John, they are worth every penny.
The first tool in John’s toolbox is Autopsy. This tool allows you to forensically investigate acquired artifacts, such as an extracted image of a hard drive or USB key.
Let’s say you acquired a laptop, and you wish to investigate the internal hard drive. Then you’ll need to extract an image of the hard drive through a write-protected apparatus to avoid cross-contamination or corruption of the best evidence (the hard drive).
“I always have three copies in all, one working copy and two backup copies just in case the working copy is damaged or corrupted. The great thing about Autopsy is that you are not tampering with the first prime evidence. You are looking at an image of the extracted evidence you have not actually altered,” says John.
Autopsy is free, and even though it doesn’t have that graphical interface and the bells and whistles of the commercial toolsets, it does the job.
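The practice described above, one working copy and two backups of an image, only holds up if each copy can be shown to match what was acquired. The following is an added example, not code from the original article or from Autopsy: it assumes a SHA-256 hash was recorded at acquisition time, and the role names, the `.dd` file names and the sample image bytes are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so a large image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_copies(acquisition_sha256, copies):
    """Compare every copy with the hash recorded when the image was acquired.

    copies maps a role name to a file path; files are only opened for reading.
    """
    records = []
    for role, path in copies.items():
        digest = sha256_file(path)
        records.append({"role": role, "path": path, "sha256": digest,
                        "bytes": os.path.getsize(path),
                        "intact": digest == acquisition_sha256.lower()})
    return records

def copy_to_examine(records):
    """Prefer the working copy; fall back to the first intact backup."""
    intact = [r for r in records if r["intact"]]
    working = [r for r in intact if r["role"] == "working"]
    return (working or intact or [None])[0]

def demo():
    """Constructed stand-in image with a working copy that has been damaged."""
    image = b"\x00constructed disk image\x00" * 4096
    acquisition = hashlib.sha256(image).hexdigest()
    with tempfile.TemporaryDirectory() as folder:
        copies = {}
        for role in ("working", "backup-1", "backup-2"):
            copies[role] = os.path.join(folder, role + ".dd")
            with open(copies[role], "wb") as f:
                f.write(image)
        with open(copies["working"], "r+b") as f:  # simulate one flipped byte
            f.seek(100)
            f.write(b"\xff")
        records = verify_copies(acquisition, copies)
    return [(r["role"], r["intact"]) for r in records], copy_to_examine(records)["role"]

if __name__ == "__main__":
    print(demo())
```

The records returned by `verify_copies` can be appended to the case notes each time a copy is opened, so the audit trail shows the copy was intact at that moment.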
The following tool is BreachAware. This GUI-based tool can provide the user with information relating to how many breaches a company has suffered or how many data leaks they’ve had.
“BreachAware is a powerful tool to help a company understand its digital footprint and security posture. For example, if you have any digital exposures or leaks,” says John.
The cost of BreachAware is £25 — a small investment for maintaining an awareness of your security posture.
Various lightweight EXIF applications for mobile phones
The third tool falls into the category of quick-and-dirty investigation: extracting EXIF intelligence from an image. It can, for example, provide the location where a photo was taken or the type of device used to capture that image.
We have this feature as an enhanced feature within the Paliscope platform as well, but John sees the value of having the tool both on your mobile phone as well as in the Paliscope platform.
“By using the extracted EXIF data, it is possible to track down people, and criminals’ locations, all the way to their front door,” says John.
These applications are free to download, and even though they aren’t giving you as much meaningful intelligence as you get from the Paliscope platform, they will be helpful while you are on the go and need to extract information quickly.
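To show where the device and location fields mentioned above actually live, here is a small parser for the TIFF block that follows the `Exif\0\0` marker in a JPEG APP1 segment. It is an added example, not code from the original article or from any of the apps or platforms it mentions; the sample block (make "ExampleCam", model "X1", the coordinates) is constructed, and only the ASCII, SHORT, LONG and RATIONAL field types are handled.

```python
import struct

SIZES = {2: 1, 3: 2, 4: 4, 5: 8}  # bytes per ASCII, SHORT, LONG, RATIONAL

def read_ifd(tiff, off, bo):
    """Decode one TIFF directory into {tag: value}; bo is '<' or '>'."""
    (n,) = struct.unpack_from(bo + "H", tiff, off)
    out = {}
    for i in range(n):
        tag, typ, cnt, raw = struct.unpack_from(bo + "HHI4s", tiff, off + 2 + 12 * i)
        size = SIZES.get(typ, 0) * cnt
        start = struct.unpack(bo + "I", raw)[0]  # only meaningful when size > 4
        data = tiff[start:start + size] if size > 4 else raw[:size]
        if size == 0 or len(data) < size:
            continue  # unsupported type, or an offset past the end of the data
        if typ == 2:
            out[tag] = data.split(b"\0")[0].decode("ascii", "replace")
        elif typ == 5:
            v = struct.unpack(bo + "%dI" % (2 * cnt), data)
            out[tag] = [a / b if b else 0.0 for a, b in zip(v[::2], v[1::2])]
        else:
            out[tag] = struct.unpack_from(bo + ("H" if typ == 3 else "I"), data)[0]
    return out

def exif_summary(tiff):
    """Device and location fields that a TIFF/EXIF block discloses."""
    bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if bo is None or struct.unpack_from(bo + "H", tiff, 2)[0] != 42:
        raise ValueError("not a TIFF/EXIF block")
    ifd0 = read_ifd(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo)
    gps = read_ifd(tiff, ifd0[0x8825], bo) if 0x8825 in ifd0 else {}
    def degrees(v, ref, negative):  # degrees/minutes/seconds to signed decimal
        value = v[0] + v[1] / 60 + v[2] / 3600 if isinstance(v, list) and len(v) == 3 else None
        return -value if value is not None and ref == negative else value
    return {"make": ifd0.get(0x010F), "model": ifd0.get(0x0110),
            "lat": degrees(gps.get(2), gps.get(1), "S"),
            "lon": degrees(gps.get(4), gps.get(3), "W")}

def build_sample():  # constructed little-endian EXIF block, not from a real photo
    ent = lambda tag, typ, cnt, val: struct.pack("<HHI4s", tag, typ, cnt, val)
    u32 = lambda v: struct.pack("<I", v)
    make = b"ExampleCam\0"
    lat, lon = struct.pack("<6I", 10, 1, 30, 1, 0, 1), struct.pack("<6I", 20, 1, 15, 1, 0, 1)
    gps_off = 50 + len(make)  # 8-byte header + 42-byte IFD0, then the Make string
    lat_off = gps_off + 54    # the GPS IFD is 2 + 4 * 12 + 4 bytes long
    ifd0 = (struct.pack("<H", 3) + ent(0x010F, 2, len(make), u32(50))
            + ent(0x0110, 2, 3, b"X1\0\0") + ent(0x8825, 4, 1, u32(gps_off)) + u32(0))
    gps = (struct.pack("<H", 4) + ent(1, 2, 2, b"N\0\0\0") + ent(2, 5, 3, u32(lat_off))
           + ent(3, 2, 2, b"W\0\0\0") + ent(4, 5, 3, u32(lat_off + 24)) + u32(0))
    return b"II" + struct.pack("<HI", 42, 8) + ifd0 + make + gps + lat + lon
```

Calling `exif_summary(build_sample())` returns the make, model and signed decimal coordinates; a field whose data offset points past the end of the block is skipped rather than followed.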
This might not be a tool in the essence of having an application on your computer or phone. However, it is an essential skill set for any investigator who needs to hone their ability to understand the Chinese aspect of an investigation further.
“In the past, I have been involved with investigations involving China, but it’s a real challenge. You read in the wrong direction, and it’s difficult to follow. So, with the course that I-intelligence runs, you can learn to interface into this closed world and extract meaningful data while investigating,” says John.
The courses are divided into five days and cost about 1000 euros. You will learn many useful things like the difference between the Chinese and “Western” internet, how to work with Chinese social media platforms, and much more.
This is something you ought to know if you work on investigations involving the Chinese internet, operating within the regions where we are encountering the emergence of APTs (Advanced Persistent Threats).
We can’t really tell you about investigation tools without mentioning Paliscope, right?
Well, we could, but John firmly believes this is one of the most valuable tools in his toolbox.
“The thing with the Paliscope platform is that it brings out meaningful intelligence while saving you a lot of time since it does many things for you robustly and automatically. It is a powerful tool that gets you through the investigation faster and safer while maintaining a contemporary audit trail of the investigator’s activities – adding in the automation of the most important element, which is Process,” says John.
With Paliscope’s product Discovry™ and with the power of YOSE™, you can confidently build up a case that will hold up in court.
“In my opinion, Discovry and YOSE as a team are essentials to have in the toolbox and are, in my humble opinion, best-in-class. The price is small when you consider what you get for a user license; you get a lot in the box for a very sensible price,” says John.
So that’s it: John’s five essentials in his digital investigations toolbox.
We hope this article has given you some new favorite tools to use in your daily work.