Interview: How to find crucial digital evidence in the big data haystack


sincity

Across businesses today, a range of departments are faced with the challenge of finding crucial evidence amongst the ever-growing volume of digital data that is produced. From investigators, information security officers, auditors, records managers, HR to in-house counsel, they all need to find evidence – whether it be an inappropriate email, an important contract or a data breach trail – amongst the organisation's unstructured data.

One way to deal with the volume of data efficiently and get to the facts faster is to share the workload between departments by dividing up the data for review and collaborating on the results. Paul Slater, Director of Forensic Solutions at Nuix, reveals how Nuix's Web Review and Analytics tool allows organisations to do just that.

TechRadar Pro: What are the three biggest challenges facing investigators, internal auditors, or in-house lawyers in finding crucial evidence in large data sets?

Paul Slater: The first big challenge is the volume of data. Today, we use multiple devices to generate huge amounts of content. That means sorting through a lot of data, including a lot that's irrelevant, whenever they're conducting an investigation or responding to litigation or regulators.

The second is that it's hard to share data between forensic IT teams and investigators, less tech-savvy people, subject matter experts and lawyers. That's a worrying disconnect in the investigation process.

The third challenge is that forensic investigators still follow the traditional process of examining each evidence source individually. Often they really need to find the meaningful connections between multiple sources.

TRP: How can companies go about solving these challenges?

PS: Information governance policies applied through technology can help prevent build-up of data in the first place.

With the right technology and workflows, companies can also make investigations more efficient by dividing up digital evidence and spreading the review workload between multiple people, and by putting evidence in front of the people most qualified to understand its context, such as case investigators, lawyers or external subject matter experts.

They also need to move away from traditional linear forensic investigation methods towards workflows that will let them see all the evidence holistically and quickly locate the key facts.

TRP: Earlier this year, Nuix launched a Web Review and Analytics tool that makes it possible to search case data for evidence from any browser. Could you tell us a little more about how it works and who can use it?

PS: Nuix Web Review and Analytics provides access to case data from just about any web browser. It can scale to hundreds of cases and thousands of reviewers, with role-based access to control who sees what. Because Nuix Web Review and Analytics sits on top of a standard Nuix case file, it provides an incredibly simple workflow from data capture and processing to review and reporting.

Just about anyone can use Nuix Web Review and Analytics, including non-technical investigators, subject matter experts and external parties.

TRP: What industry needs/pain-points did Nuix observe which led your organisation to develop this tool?

PS: We wanted to build a tool that the industry really needed, so we looked to our own experiences as forensic investigators and also canvassed industry experts from our customer base around the world.

We found that traditional review tools are too focused on the flat, textual content of emails and documents. Investigators also need to consider photos, videos, content from social media sites, mobile devices and more. And they want analytics capabilities to identify patterns and trends, and find hidden connections between people, objects, locations and events. So that's what we gave them.

TRP: What advantages are there in an application that makes reviewing evidence possible online? How can Nuix ensure that sensitive information can be kept secure over the web?

PS: I would say the main advantage is collaboration – sharing evidence and intelligence online. Nuix Web Review and Analytics doesn't require any third-party plugins, which means it can be used on almost any web-enabled device. This allows the right person to see the right data, wherever they are.

We take security very seriously, at both platform and access control levels. We built the platform using Java SSL, so it's not vulnerable to Heartbleed, and the Nuix Engine and RESTful API have passed third-party static code evaluation.

We've built in the ability for administrators to assign individual or group-level access to entire cases, folders of items within cases and even features of the application such as downloading files or using visualisations.

TRP: What are the benefits for teams in dividing up and collaborating on large data sets, and how can teams ensure that no crucial evidence is overlooked?

PS: We advocate an investigative lab workflow, which is a way for investigators to combine the efficiencies of the eDiscovery process with the forensic rigour of investigation methodologies.

It ensures digital forensic investigators handle each piece of evidence using an agreed set of repeatable processes and makes it possible to spread work between digital and non-digital investigators and subject matter experts.

By using a tiered review system, investigators can quickly discount irrelevant items and pass potentially relevant material to those who need to see it. They can employ a tagging system as well as human and machine quality control processes at each stage of the process to ensure they don't miss any data. And of course the Nuix Engine has fault tolerance and reporting built in to ensure it never misses a file.

We also provide ways to locate items that keyword searches might have missed, such as near-duplicate functionality that can identify documents with similar content and gauge how similar they are. This can help investigators identify who created, received or sent key emails, documents or attachments, or analyse how documents have changed over time, or indeed find related documents that use similar language.

TRP: How can network maps and visualisations help users find crucial and relevant information in large data sets?

PS: Network maps allow investigators to quickly see connections between people, objects, locations and events based on email, social media and mobile communications. The commonality visualisation in Nuix Web Review and Analytics extracts names, email addresses, IP addresses and metadata, including geospatial information, from hundreds of file formats to show the hidden connections within the evidence. It's a powerful way to correlate intelligence, relationships and modus operandi.

TRP: Where do you see the future of digital investigations going from here?

PS: Data is only going to get bigger and more complex with the growth of technologies including virtualisation, cloud and the Bring Your Own Device trend. The only way to respond is by building your capabilities around three major themes I've already discussed: collaboration, intelligence and analytics. And tools that rely on workflows and processes that were designed before this mass explosion of data and devices will no longer be relevant.

Many see the explosion of big data as a bad thing. I disagree. Big data allows investigators to gain intelligence and evidence faster than ever before.

Our personal devices are now capable of pinpointing our every movement: our phones store where we've been, who we talked to and when, our pictures contain geotagging information. Our fridges can record when we've been inside our houses – although they can also be hacked to send out phishing emails and who knows what else.

Social media sites can provide valuable intelligence about what happened surrounding an incident – who was nearby, what they were talking about and what they took pictures of. All these things can be forensically examined.
