Creating a Single View of Digital Forensics Data

Industry Perspective


Introduction

When you think about forensic investigations, you might think more about prime-time crime shows and less about government. But across federal, state and local agencies, forensic investigations are a key component of achieving government’s mission of stopping crime and keeping communities safe.

Keith Lowry of Nuix offered a definition of forensic workflows in government: “It’s simply government entities using forensic tools to gather and collect information pursuant to their authority – whether that’s prosecuting a criminal case, a counterterrorism case or a counterintelligence case. It’s simply the act of gathering information.”

It’s not getting any easier, either. One study predicts that, by the year 2020, about 1.7 megabytes of new information will be created every second, for every human being on the planet. That’s the equivalent of roughly one Game of Thrones novel worth of text, every second, for every person in the world.

While the idea might sound simple, the execution of forensic investigations in government is not. The explosive increase in digital data, disparate file types, and variety of data repositories all conspire to make things more complicated.

Dr. Jim Kent, Global Head of Security and Intelligence for Nuix North America, and his colleague Keith Lowry, Senior Vice President of Nuix U.S. Government Services (USG) and Business Threat Intelligence and Analysis, described the challenges associated with modern investigatory work in a recent interview with GovLoop. They also explained how information technologies like those provided by Nuix can help investigators overcome those challenges to make the most of digital forensics evidence.

In this industry perspective, you will learn how a “single pane of glass” approach, backed by data analytics technologies, can help government achieve better, faster and more robust investigations, even in a world that’s increasingly driven by digital information.



The State of Investigations Today

Forensics and investigations have been in place as long as even the most rudimentary justice systems have existed. In the past, however, investigations primarily relied on physical evidence or traditional forensics to build cases and prosecute criminals. Today, we more often hear the term “digital forensics.” That refers to electronic probative information that is stored or transmitted in digital form. It comprises a large portion of evidence used in prosecution, simply due to the exponential growth in digital communication and interaction among the public.

But Dr. Kent and Lowry explained that the new term doesn’t necessarily mean new evidence. “Digital forensics is still being able to relay the evidentiary trail and facts that you’d find in any investigation, and relay them to the person in a courtroom,” said Dr. Kent. “It’s basically the same old-fashioned criminal investigations but using digital and new methods of investigating those crimes.” Whether it’s a fingerprint lifted from a crime scene or scanned at a security checkpoint, Dr. Kent and Lowry agreed that the evidence could equally contribute to the same case. But while digital forensics achieves the same goals as traditional forensics, the digitization of evidence does present new challenges to investigators.

Specifically, the explosive increase in digital data can overwhelm investigators and the systems they use to sort through evidence. “Because the world has become so digitized, the data is almost immeasurable,” said Lowry. “The size and quantity of data that you have to cull makes it extremely difficult and time-consuming to figure out what’s pertinent to the case at hand.” So while digitization has created a wealth of new information that investigators can use to prosecute cases, it has also presented significant challenges to managing that data and, more importantly, turning it into digestible information. For resource-constrained agencies, providing the staff and computing power to sift through mountains of data can seem nearly impossible.

Additionally, with so much data coming from so many different sources, in so many different formats, silos of information are often created. Those disparate repositories prevent investigators from getting the full picture of a single case, and from drawing intelligence across cases.



A New Approach to Investigations

In order to make sense of the ever-expanding amount of digital forensics data, Lowry and Dr. Kent advocate for a different approach to investigations and have been hard at work to make that approach a reality. That methodology – called a “single pane of glass” approach – combines all relevant data into one cohesive view, so that any investigator can quickly pull out important case details and cross-reference them with other information. It’s this ability to cross-reference and understand separate pieces of data as a single story that is often left to investigators to figure out. Traditional tools don’t help; they depend on the investigator’s ability to piece together and remember different facts instead of empowering the investigator by displaying relevant facts and connections in one place. To achieve that single view, investigators have to focus on achieving three core attributes in their processes: access, scalability and collaboration.


Access

First and foremost, investigators must be able to access evidence in order to incorporate it into their cases. That means that whether they are working in the field or in an office, investigators must be able to obtain the most up-to-date digital forensics data from a wide variety of sources. Additionally, investigators should be able to understand the information presented to them. The types of data available today make it impossible for a human being to understand, just by looking at the information, exactly what is housed inside of the file or set of files. Both Dr. Kent and Lowry referenced the fact that Nuix’s core solutions are built to ingest and make sense of thousands of disparate file types. Investigators need a solution that not only gives them access to the data, but also makes the data understandable. Finally, investigators should be able to draw data not only from the case at hand, but also from other cases that might contain relevant evidence or be used to identify trends. While staff resource limitations and data silos often prevent investigators from using cross-case intelligence today, the ability to correlate different datasets is crucial for enforcement and prosecution agencies.

Scalability

Once data access is achieved, it must be maintained – even as the volume, variety and velocity of digital forensics data increase rapidly. That requires scalability, both on a computational and a storage level. For many agencies, this attribute is a struggle to achieve because data is often stored in various locations, in diverse formats. As a result, individual resources are strained while others go underutilized. Adding more storage capacity becomes costly, while using the wide array of current devices and silos is inefficient. When it comes to investigations, this non-scalable data makeup is untenable. “If I took 500 hard drives, and used traditional technologies and methodologies, it would take years to complete an investigation,” Dr. Kent said. “That doesn’t help when there’s a life-or-death situation, such as child abuse or a terrorist situation. In those cases, you need to execute your investigation as quickly as possible.” Lowry agreed: “When you get into the multiple petabytes of data, that traditional investigation method is an impossible way to do it.” To speed up investigations without straining resources, agencies should seek solutions that can quickly and effectively pull from multiple data sources. Those solutions should also be able to leverage that data, no matter what format it comes in, and then scale to process new datasets.


Collaboration

Once you’re able to scale your data technology, Dr. Kent explained that investigative teams run into a new scalability issue. “You have all this new data for your investigation, but then what happens?” he said. “You put it in front of one person to try and investigate heaps and heaps of data. Now, you aren’t scalable again.” To avoid that problem, investigators must create workflows that allow for multiple employees to collaborate on a single case, using overlapping evidence and datasets. Today, this collaborative mechanism is especially critical given the broad reach that one criminal investigation might take. In U.S. government settings, collaboration often needs to exist between agencies, and that adds another layer of complexity on top of an already burdensome process. Concerns like who can access what, what can be locked down, and who ultimately controls the process are all factors that must be considered. Compounding the issue with multiple case files or multiple tools creates a veritable nightmare for government investigators. “Because we’re in this digital world, criminal aspects can now take on multinational status with the click of a mouse. It’s not just data but crime itself that is spreading across multiple jurisdictions. That creates even more complexity, and you can’t tackle that alone,” Lowry said. Instead, investigators must have tools and processes that facilitate collaboration.

A Single Pane of Glass

In order to achieve the accessibility, scalability and collaboration required for an effective investigation, Dr. Kent and Lowry recommended deploying a “single pane of glass” approach. How does this differ from traditional solutions? In a “multiple panes of glass” setup, different applications and solutions, each of which excels in one or a few functional areas, are employed to conduct a single investigation. This, in turn, creates the additional burden of transferring case evidence and files between applications and sometimes even bridging systems or networks to get data where it needs to be. A single pane of glass, alternatively, involves creating a single portal or view of any materials potentially relevant to a case. Through that portal, any stakeholder can easily investigate any evidence, make connections between data, draw conclusions and then share them with other investigators.

Transportable Data

While a single pane of glass approach is the ideal state for government agencies, it’s often necessary to move evidence between platforms. That makes creating easily transportable data – in Nuix’s case by way of load files – equally important to answer government agency needs. “We understand that investigative teams have preferred or best-in-breed review and prosecution tools,” said Lowry. “It’s very unlikely that we will replace those anytime soon, but at the same time we have to face the reality that these agencies are spread thin in terms of money and time. It’s incumbent on us to make it easy for evidence processed by Nuix to be easily transportable for use in our customers’ tools of choice.”



Using Technology to Create a Single Pane of Glass

In the past, investigators achieved a semblance of this single-pane approach through an arduous and complex process. Investigators would work on individual cases, in individual computing environments, using costly, segregated storage solutions. Once those case files were compiled, another investigator would take each document’s findings and attempt to assimilate them into one cohesive story. “That is what people have done over time, and it’s not particularly efficient,” Dr. Kent said. “Plus, each stage brings in elements of human error and human interpretation, which is a big issue.” Ultimately, that manual process doesn’t meet the demands of investigators today.

So how do you apply the single pane of glass approach to investigations in the age of digital forensics? Agencies must seek new technologies that support new ways of thinking. “In order to prosecute a case, you have to put all this information together in a cogent, story-like manner,” Lowry said. “You need tools that can bring out all of these disparate pieces of evidence, cull through it and present what is pertinent to the case.” Those tools are combined into a single platform, called the Lab Environment at Nuix, which creates a virtual pane of glass into the wide array of potential case evidence. That platform allows any stakeholder to access expansive amounts of data, either as an individual or in concert with other parties.

Dr. Kent offered a scenario where that capability would be especially applicable. “Say you look at the data and realize there is a big, organized crime taking place,” he said. “You’ll need a couple of people from the fraud squad to look at that data from a fraud perspective. You’ll also need to bring in people with drug investigation experience, if you think drugs may be involved. And then on top of that subject matter expertise, you’ll need deep-dive forensics experts who can recover more data.” “Suddenly you’re getting five or six disciplines collaborating on gathering evidence for a single case,” Dr. Kent continued. “That’s unique. You work together, talk together and all interact with the same evidence.”

What’s more, that evidence can be drawn from multiple cases. Dr. Kent said that in many cases, the sheer variety and volume of case data limits investigators from cross-referencing cases for intelligence. The single pane of glass approach, however, allows investigators to automatically pull from multiple banks of evidence to increase intelligence. And agencies can do so without adding new storage to their IT infrastructures or manually consolidating separate data silos.

Once that data is collected in a single view, the platform can also help investigators identify trends and other relevant information across datasets, through the use of visual analytics. These can be as simple as highlighting negative indicators in red and positive indicators in green. The platform can also create visual illustrations of processes, tools and other pieces of evidence to make an investigation’s picture clear at a glance. Applying analysis techniques such as network diagrams and timelines to the entire dataset lets investigators see connections and flows of information between suspects or custodians. This can help quickly narrow down dates, data sources and people to examine in greater depth. Alternatively, it may reveal information gaps that warrant further investigation. It is not uncommon for datasets to be reduced from millions of items down to mere thousands. In one example that Nuix shared, a federal agency investigated a file server and pulled 11 million records, including documents, emails and databases, from it. Using advanced search techniques in Nuix to cull the evidence, the agency reduced the relevant data to 12,000 items.

Moreover, this visualization and enhanced ability to manage case evidence can foster greater collaboration between investigators, subject matter experts and even personnel without data analytics skills. That eases the burden on investigators who are trying to sift through mountains of information, and it ensures that every case can receive relevant insights from a wide variety of experts. At Nuix, they call that process “humanizing the data.” “We make it accessible to a wider audience so they can address problems faster, to drive efficiency into investigations, and to get them to look at the most important evidence first,” said Dr. Kent. That’s the goal of a single pane of glass approach to investigations, but today that approach is impossible to achieve without a platform capable of creating holistic pictures from disparate data.
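The paragraph above describes the three operations a single view is supposed to support: normalising items from different repositories into one schema, culling by search terms, and then running a timeline and a custodian link graph over what survives. The following is an added illustration of that pipeline in miniature; it is not Nuix code and does not use any Nuix API. The email export and file-server metadata are constructed sample records, the field names (msg_id, sent, extracted_text and so on) are assumptions for the example, and the search is a plain substring match rather than the "advanced search techniques" the page mentions.

```python
"""Toy "single pane of glass" over two constructed evidence sources.

Added example, not from the GovLoop/Nuix page. Shows: normalising email
and file-server records into one schema, culling by search terms, then a
timeline, a date window and a custodian link graph over the culled set.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample data (field names are assumptions for this example).
EMAILS = [
    {"msg_id": "m1", "sent": "2016-03-01T09:12:00", "from": "alice@example.gov",
     "to": ["bob@example.gov"], "subject": "Q1 invoice",
     "body": "Please approve the attached invoice for vendor Acme."},
    {"msg_id": "m2", "sent": "2016-03-02T14:05:00", "from": "bob@example.gov",
     "to": ["carol@example.gov", "alice@example.gov"], "subject": "Re: Q1 invoice",
     "body": "Approved. Wire the payment to the new account."},
    {"msg_id": "m3", "sent": "2016-03-05T08:30:00", "from": "dave@example.gov",
     "to": ["alice@example.gov"], "subject": "Lunch", "body": "Lunch on Friday?"},
]
FILES = [
    {"path": "/share/finance/acme_invoice.pdf", "owner": "alice",
     "modified": "2016-02-28T17:45:00", "extracted_text": "Invoice 1042 Acme Corp total 48,000"},
    {"path": "/share/finance/wire_instructions.docx", "owner": "bob",
     "modified": "2016-03-02T15:10:00", "extracted_text": "Wire transfer to account ending 7781"},
    {"path": "/share/hr/holiday_schedule.xlsx", "owner": "dave",
     "modified": "2016-01-10T10:00:00", "extracted_text": "Holiday schedule 2016"},
]


@dataclass
class Record:
    """One item in the unified view, whatever repository it came from."""
    source: str                 # "email" or "fileserver"
    item_id: str                # message id or file path
    when: datetime              # sent time or last-modified time
    custodian: str              # sender or file owner (local part of address)
    text: str                   # searchable text for culling
    counterparts: list[str] = field(default_factory=list)  # recipients, if any


def _local(addr: str) -> str:
    """Reduce an email address to its local part so owners and senders compare."""
    return addr.split("@", 1)[0].lower()


def normalize(emails: list[dict], files: list[dict]) -> list[Record]:
    """Map both source formats onto the single Record schema."""
    records = []
    for e in emails:
        records.append(Record("email", e["msg_id"], datetime.fromisoformat(e["sent"]),
                              _local(e["from"]), f'{e["subject"]} {e["body"]}',
                              [_local(r) for r in e["to"]]))
    for f in files:
        records.append(Record("fileserver", f["path"], datetime.fromisoformat(f["modified"]),
                              f["owner"].lower(), f["extracted_text"]))
    return records


def cull(records: list[Record], terms: list[str]) -> list[Record]:
    """Keep items whose text contains any search term (case-insensitive)."""
    wanted = [t.lower() for t in terms]
    return [r for r in records if any(t in r.text.lower() for t in wanted)]


def timeline(records: list[Record]) -> list[tuple[str, str, str]]:
    """Chronological (timestamp, source, id) view across all sources."""
    return [(r.when.isoformat(timespec="minutes"), r.source, r.item_id)
            for r in sorted(records, key=lambda r: r.when)]


def date_window(records: list[Record]) -> tuple[str, str]:
    """Earliest and latest dates in the set, to narrow the period of interest."""
    stamps = [r.when for r in records]
    return min(stamps).date().isoformat(), max(stamps).date().isoformat()


def link_graph(records: list[Record]) -> Counter:
    """Directed custodian -> counterpart edges with message counts."""
    edges: Counter = Counter()
    for r in records:
        for c in r.counterparts:
            edges[(r.custodian, c)] += 1
    return edges


def custodian_counts(records: list[Record]) -> Counter:
    """How many surviving items each custodian is responsible for."""
    return Counter(r.custodian for r in records)


if __name__ == "__main__":
    unified = normalize(EMAILS, FILES)
    hits = cull(unified, ["invoice", "wire"])
    print(f"{len(unified)} items ingested, {len(hits)} survive culling")
    print("window:", date_window(hits))
    for row in timeline(hits):
        print("  ", *row)
    print("edges:", dict(link_graph(hits)))
    print("custodians:", dict(custodian_counts(hits)))
```

Run as a script it prints the reduction (6 items to 4), the date window the culled items span, the cross-source timeline, and the sender-to-recipient edges; the same functions can be pointed at other cases' records to get the cross-case view the text describes.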


Conclusion

By combining the tools for access, scalability and collaboration into one platform, Nuix enables investigators to truly get the most from digital forensic evidence. Their “single pane of glass” approach provides a single view into what is most important to any case, while pulling from a variety of cases and data repositories. “The technology that Nuix has brought forward is high-speed, able to reach across multiple platforms and devices and discover, pull out and bring back in a reportable way all of the relevant pieces of information you might need,” said Lowry. At a time when more evidence is being processed digitally and the amount of forensic data is exponentially growing in volume, variety and velocity, this sort of support is necessary for any investigator.

Government agencies are increasingly strapped for resources and feel the force of many priorities and mandates on them. A traditional approach to investigations complicates the matter even further, adding inefficiency and avoidable waste at every step. A single platform that can quickly identify the most relevant information is key not only to mission success, but also to reducing the time needed to conduct investigations and enabling much-needed collaboration and support for the entire process.

About Nuix USG

Nuix USG protects, informs, and empowers the U.S. Government in the knowledge age. Leading local, state, and federal civilian, defense, and intelligence agencies turn to Nuix when they need fast, accurate answers for investigation, eDiscovery, cybersecurity incident response, insider threats, litigation, regulation, privacy, risk management, and other essential challenges. Nuix makes small work out of big data volumes and complex file formats. Our solutions combine advanced technology with the extensive knowledge of our global team of industry experts. We bring data to life with clarity and intelligence to solve critical data problems, reduce crime, and secure and manage information.

To learn more about Nuix USG, visit www.nuixusg.com.

About GovLoop

GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government. For more information about this report, please reach out to info@govloop.com.

1152 15th St. NW, Suite 800 Washington, DC 20005 (202) 407-7421 F: (202) 407-7501 www.govloop.com @govloop