Offline forensic review tools

Post Posted: Thu Nov 12, 2009 3:55 pm

I'm looking for an offline review tool to purchase.

What I'm after is something that can either accept a load file or index user files and E-mails that have been extracted with EnCase.

After this is done I want to be able to provide a laptop to the client containing this indexed dataset so that they can run their own searches against it and review all of the responsive documents.

I know NUIX has reviewer licences but I really want something offline that a single user can work with.

If anyone has any ideas I'd be happy to hear them.

Regards
MD  

murdocha
Member

Re: Offline forensic review tools

Post Posted: Thu Nov 12, 2009 5:12 pm

Greetings,

You could do this with EnCase. Extract everything into a LEF and provide them with a dongle and the LEF. Not a great GUI, though.

Could do it with FTK in a similar manner. AD's ediscovery suite has review capability, but I don't think you can buy just the review component, though it might be worth looking into.

-David
_________________
CISSP, CCE, EnCE, Licensed Private Investigator (CA) 

kovar
Senior Member

Re: Offline forensic review tools

Post Posted: Sat Nov 14, 2009 10:33 am

Thanks David

Don't think I'd want to trust my dongle with a client, and I'd hate to have to support them with the EnCase interface. I scare myself sometimes with how easy it is to forget something.

I have not yet tried the AD discovery suite but I think I'm going to be looking into it as a new potential product. I used FTK 1, but kind of steered clear of 2. Might give 3 a demo as I haven't heard anything bad about it yet, but then again I haven't looked into it.

It seems at present as though there is a gap in the market for what I'm looking for.

Lots of places seem to do online review, but it always comes at a cost.

murdocha
Member

Re: Offline forensic review tools

Post Posted: Sat Nov 14, 2009 1:23 pm

Please keep us posted on this. I am in need of a solution such as this also.

Sometimes the case agents on my exams want to look for a needle in the email. I'm not going to read thousands of emails with no search direction. It would be great to provide this to the case agent and allow them to look for themselves.
_________________
Some things you just can't "unsee". 

miket065
Senior Member

Re: Offline forensic review tools

Post Posted: Sat Nov 14, 2009 6:16 pm

Have you considered Intella? Intella Home Page

It's an awesome tool for email and indexing data, very visual, and also provides a way to quickly review indexed data via keyword searches. It is useful for both examiners and reviewers; you can also use it to extract useful metadata, produce reports, etc. Search by subject, author, email address, time and date, etc.

It is in active development, so if you download the demo and have suggestions for improvement the developers are very receptive.  

echo6
Senior Member

Re: Offline forensic review tools

Post Posted: Sat Nov 14, 2009 7:08 pm

Many clients want to review the data in-house for cost savings, but actually, it ends up taking much more time (=money) because of not having the skills and knowledge of reviewing electronic data. There are review tools available specifically designed for legal cases, such as Concordance and Summation, which accept load files. However, there are few forensic tools that can create load files for these review platforms directly. The data you collect has to be processed by another tool (litigation support company) who then creates a load file to be imported into yet another tool. This will always create a problem between the examiner and reviewer as the two datasets will not look alike (you won't be able to help much with the in-house review app unless you have a version of it yourself).

Another issue you will have is that when your client finds something of interest, will s/he be able to tell what it means? Metadata, as in when a file was really created, can be misinterpreted by someone who looks at a date and draws a conclusion from it. That is why consultants are hired, to get opinions on what the data really means.

There are many other review methods you can use depending upon your client's technical ability and patience. Renting your EnCase dongle to a client to review an image file may give your client acid reflux trying to figure out how to use it, although it may give you lots of technical support billing time to help them. With your forensic dongles being out of service, your rent will have to be enough to cover your loss of the software, which with some applications is quite a lot to charge. Given that some cases can take years, any dongle you give out will be several versions older by the time you get it back. In effect, your client will be buying that dongle from you.

Depending on how much money your client is willing to spend, you can (I have) set up a machine for them to use in their office. dtSearch (less than $200) can do nearly everything needed for searching through user files insofar as looking for documents and emails. If you have an older version of FTK (1.x), you can even get by using that as a client review tool since the buttons are easy to figure out (like a button that says "documents"). With whatever system or method you set up for your client, I'd make it so that the review application is very similar to the forensic application you used to create the data. X-Ways Forensics, as an example, has an X-Ways Forensics Investigator tool at half the cost of XWF. If you use XWF on an image, your client could use the Investigator version of XWF, and it will be easier for you to understand the problems your client will have with any review platform if you have the same one.

For email, a simple solution is to install Thunderbird Portable to an external hard drive. Import the email and voila! The email can be reviewed and searched without installing any software, as the email client runs off the external drive.

And I'd advise strongly against recommending your client purchase a review tool unless you are proficient in supporting it. It will be your opinion that was paid for by the client, and your reputation of recommending a tool that is too difficult to figure out and expensive. And yes, even though your client can get support from the software company, it will be you getting the emergency phone calls since you must be the expert in that software...

From what I have seen, many clients that try to review data in-house, without having someone dedicated and technically proficient, will eventually spend the fees on having it done by an expert that gets it done right the first time.

bshavers
Senior Member

Re: Offline forensic review tools

Post Posted: Sun Nov 15, 2009 2:59 am

- echo6
> Have you considered Intella? Intella Home Page
>
> It's an awesome tool for email and indexing data, very visual, and also provides a way to quickly review indexed data via keyword searches.

It is also $2,600. The visual interface is quite powerful, but it isn't worth that much. (Yet?)

-David
_________________
CISSP, CCE, EnCE, Licensed Private Investigator (CA) 

kovar
Senior Member