
Digital Forensic Case Management

(@matt91)
Posts: 2
New Member
Topic starter
 

Hi All,

I would be interested to understand the different types of Case Management software systems everyone is using for their Digital Forensic Practices.

 
Posted : 02/08/2017 5:23 pm
jpickens
(@jpickens)
Posts: 130
Estimable Member
 

I think it depends on the size of your team and the number of cases you need to manage. Larger groups can have role-based access to a larger case-management tool like Remedy, ServiceNow, Archer, and the like, but those come with lots of overhead and maintenance. They do, however, offer metrics, alerting, SLA assistance, etc… all very helpful when reporting and priorities are necessary.

I've been looking at Jira Service Desk, but find it doesn't have as good data security yet (other than SSL).

I know there are many others for smaller/individual teams or non-enterprise shops, but haven't looked at those in a while.

 
Posted : 02/08/2017 6:17 pm
(@merriora)
Posts: 44
Eminent Member
 

In the past, we (< 8 Examiners / LEO) were using an Excel spreadsheet, but that had a lot of issues and fixing 'mistakes' had become a common task.

We looked at a few different commercial options but complexity, cost and having to change the way we operate was not the preferred route. Instead, I had some time to develop our own which has worked out well. It was developed as a Web Application (C#, ASP.Net) so that it could be pulled up from any computer within the office. This allows the examiner to move around the office (lab) and track progress and enter notes as required.

You can always use more features (they were planned and some implemented), but in the end, the core product should have the following features:

- Ability to add file requests which go into the Intake Queue
- Ability to assign one or more exhibits from the Intake Queue to one or more examiners (split large investigations up if required)
- Ability to send back exhibits to the queue or another examiner if required (holidays or examiner leaves section)
- Ability to track progress (current stage, time to complete): perfect to keep manager updated without him/her asking!
- Ability to keep Contemporaneous Notes of the investigation: perfect for other examiners to see updates on the exhibit if you are away
- Track continuity of the exhibit (who currently has it and where did it come from)
- Stats *

* Statistics are not necessary from the examiner's or manager's point of view since you can't compare one examiner to another (need to make this clear to managers). But they are essential from the department's perspective to request additional resources and have detailed statistics to show how long examinations actually take and what type of devices you are examining.

I hope this helps. Let me know if you have any questions about our particular setup.

 
Posted : 03/08/2017 2:00 am
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

If you're based in the UK, remember any system you get will have to be "ISO 17025" compliant.
You can make Excel spreadsheets and the like "compliant" but the manpower required often causes too many issues.
This may mean that the "best" system isn't the one you end up using as it doesn't fill some random requirement.

 
Posted : 03/08/2017 5:44 pm
(@unicron)
Posts: 36
Eminent Member
 

> If you're based in the UK, remember any system you get will have to be "ISO 17025" compliant.
> You can make Excel spreadsheets and the like "compliant" but the manpower required often causes too many issues. This may mean that the "best" system isn't the one you end up using as it doesn't fill some random requirement.

Interesting. From ISO themselves (link)

ISO/IEC 17025:2005 specifies the general requirements for the competence to carry out tests and/or calibrations, including sampling. It covers testing and calibration performed using standard methods, non-standard methods, and laboratory-developed methods.

ISO/IEC 17025:2005 is for use by laboratories in developing their management system for quality, administrative and technical operations.

No mention of certification of tools (or systems), only methods. So, despite what the product marketeers would have you believe, you can choose whatever case management system works for you.

Back on topic, I have heard positive things about the Lima tool from IntaForensics, although have never used it myself.

 
Posted : 03/08/2017 9:28 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

> No mention of certification of tools (or systems), only methods. So despite what the product marketeers would have you believe you can choose whatever case management system works for you.
>
> Back on topic, I have heard positive things about the Lima tool from IntaForensics, although have never used it myself.

Yes, until you actually read it. So it doesn't say that you have to use system x, however it will say that whatever system you use has to do x y and z.
So for example, if you have a paper file for a case with paper sheets with imaging details on it, every page has to be numbered, every folder has to have a contents sheet which lists every item in the folder. This is under a section called document control.

Then every exhibit that comes into the lab has to have a transport sheet which details the locations it has been in whilst in the unit. So if it was delivered, stored in a temporary store before imaging it and then sending it back, all the locations it had been would have to be documented for each exhibit individually.

You can do all this without a system that supports these functions, however it becomes more manpower intensive than if you have a system that is ISO compliant. ISO don't certify these tools, the tools state they are designed to be compliant with ISO 17025 requirements.

We have LIMA in our unit, it's a passable system and will help to an extent but it is far from perfect and not as configurable as you would want.

 
Posted : 03/08/2017 10:47 pm
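
The exhibit continuity feature and the per-exhibit transport sheet described in the posts above, sketched as an added example (not code from any poster or from the products named in this thread). The class and field names are hypothetical, the sample movements are constructed, and the SHA-256 hash chain is an added design choice for tamper evidence rather than something the thread or ISO 17025 prescribes.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first entry

def _digest(prev_hash, body):
    # Each hash covers the entry plus the previous hash, so editing an
    # earlier row invalidates that row and every row after it.
    payload = json.dumps(body, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

class ExhibitLog:
    """Hypothetical per-exhibit transport sheet (names are illustrative)."""
    def __init__(self, exhibit_id):
        self.exhibit_id = exhibit_id
        self.entries = []

    def record(self, when, location, holder, received_from):
        """Append one movement; refuse it if it breaks continuity."""
        if self.entries and received_from != self.entries[-1]["holder"]:
            raise ValueError(f"{received_from!r} is not the current holder")
        body = {"exhibit": self.exhibit_id, "when": when, "location": location,
                "holder": holder, "received_from": received_from}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({**body, "hash": _digest(prev, body)})

    def current(self):
        """Who has the exhibit now, and where."""
        return self.entries[-1]["holder"], self.entries[-1]["location"]

    def verify(self):
        """Index of the first altered or discontinuous entry, else None."""
        prev, holder = GENESIS, None
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            broken_chain = entry["hash"] != _digest(prev, body)
            broken_custody = i > 0 and entry["received_from"] != holder
            if broken_chain or broken_custody:
                return i
            prev, holder = entry["hash"], entry["holder"]
        return None

def build_sample_log():
    # Constructed sample data: delivered, temporary store, imaging, returned.
    log = ExhibitLog("EXH-001")
    log.record("2017-08-01T09:00", "Reception", "Officer A", "Submitting unit")
    log.record("2017-08-01T09:20", "Temporary store", "Examiner B", "Officer A")
    log.record("2017-08-02T10:00", "Imaging bench", "Examiner B", "Examiner B")
    log.record("2017-08-03T15:00", "Returned", "Officer A", "Examiner B")
    return log
```

A chain like this only shows that stored rows were edited after the fact; someone with write access could recompute every hash, so the latest hash still needs to be kept somewhere the editor cannot reach.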
(@c-wawrentowicz)
Posts: 26
Eminent Member
 

First I wrote a database in MS Access, but when the database reached the 2GB size limit for MS Access (photos!), I created a database using MSSQL + WebForms (ASP.NET) and used this database for a few years. I am the only examiner.

 
Posted : 04/08/2017 4:47 pm
(@sentineldata)
Posts: 1
New Member
 

Atlas Forensic Case Management may be a good fit for your lab. It was designed specifically for digital forensic lab environments. It has the vigorous record keeping utilities available to help you meet your certification requirements such as the complete chain of custody and immutable record submissions to which some of the others have alluded. Check it out at sentineldata.com.

 
Posted : 08/08/2017 5:50 am
(@matt91)
Posts: 2
New Member
Topic starter
 

Thanks everyone for your feedback and information!

 
Posted : 27/10/2017 10:37 am
(@simarno)
Posts: 11
Active Member
 

How about www.foreman-forensics.org?
Foreman, a new open source forensic case management system.

 
Posted : 27/10/2017 10:42 am