5 Ways to Increase Efficiency in Digital Forensic Investigations

When it comes to digital forensics, investigators’ caseloads are growing rapidly, as are the data loads they must sort through. At the same time, resources are becoming more stretched and timelines shorter, making larger investigations more difficult. It is increasingly important to be able to identify the extent of infractions early in a case, both to cease unnecessary prosecutions before they consume significant resources and to encourage earlier settlements of cases worth pursuing by regulatory and law enforcement authorities.

Every day more files are created, file sizes grow, and new software applications create new file types, all of which increase the complexity and difficulty of identifying and analyzing what is or is not relevant to an investigation. However, smart investigators can take a number of simple steps to dramatically improve the efficiency of their data collection and review activities. This will decrease the time required for them to work out key case facts if they are present in any data set. In addition to saving time, these steps can also help to eliminate irrelevant cases at an earlier stage, reducing headaches for both investigators and the people and organizations they are investigating.

Undertake an Early Investigative Review: Look for the 5-10 Documents that a Judge Would Want to See
To start, investigators should identify a single point at which to begin an assessment. Their initial focus might be a key custodian, a project title, or even a narrow date range to identify a small cluster of documents. Those documents might reveal information significant to the investigation, with a specific focus on communications between important individuals. These people can often be central to the matter being investigated. This activity often brings to light additional custodians who may be key to the investigation.

Technology can help investigators to evaluate initially discovered information visually, enhancing the speed and accuracy of their understanding of it. Any number of simple methods can be applied to bring potentially relevant documents to light, and visualized timelines can be created to give teams an immediate impression of the strengths and weaknesses of a particular case. The focus here is on the actual facts of the case rather than simply looking at how much data you have. Basically, investigators should look for those 5-10 pieces of evidence that are crucial to the investigation and can help them to determine whether or not to even proceed with a full investigation in the first place.

Irrelevant material can also be identified and eliminated from the investigation early on, which reduces the total amount of data to be reviewed later and helps to speed the investigative process overall.

The Challenge is Capability, Not Volume
While investigations now often require analysis of terabytes of data, the vast volume of data that exists in modern life is not the most significant problem investigators face. Powerful software can now process a terabyte of material overnight. The biggest challenge for investigators is the inability to quickly cull through the information they process and surgically identify relevant documents to find the knowledge they require at the earliest possible stage.
