When it comes to digital forensics, investigators’ caseloads are growing rapidly, as are the data loads they must sort through. At the same time, resources are becoming more stretched and timelines shorter, making larger investigations more difficult. It is increasingly important to be able to identify the extent of infractions early in a case, both to cease unnecessary prosecutions before they consume significant resources and to encourage earlier settlements of cases worth pursuing by regulatory and law enforcement authorities.
Every day more files are created, file sizes grow, and new software applications create new file types, all of which increase the complexity and difficulty of identifying and analyzing what is or is not relevant to an investigation. However, smart investigators can take a number of simple steps to dramatically improve the efficiency of their data collection and review activities. This will decrease the time required for them to work out key case facts if they are present in any data set. In addition to saving time, these steps can also help to eliminate irrelevant cases at an earlier stage, reducing headaches for both investigators and the people and organizations they are investigating.
Undertake an Early Investigative Review: Look for the 5-10 Documents that a Judge Would Want to See
To start, investigators should identify a single point at which to begin an assessment. Their initial focus might be a key custodian, a project title, or even a narrow date range to identify a small cluster of documents. Those documents might reveal information significant to the investigation, with a specific focus on communications between important individuals. These people can often be central to the matter being investigated. This activity often brings to light additional custodians who may be key to the investigation.
Technology can help investigators to visually evaluate the information they initially discover, enhancing the speed and accuracy of their understanding of it. Any number of simple methods can be applied to bring potentially relevant documents to light, and visualized timelines can be created to allow teams to build an immediate impression of the strengths and weaknesses of a particular case. The focus here is on the actual facts of the case rather than simply looking at how much data you have. Basically, investigators should look for those 5-10 pieces of evidence that are crucial to the investigation and can help them to determine whether or not to even proceed with a full investigation in the first place.
Irrelevant material can also be identified and eliminated from the investigation early on, reducing the total amount of data to be reviewed later, helping to speed the investigative process overall.
The Challenge is Capability, Not Volume
While investigations now often require analysis of terabytes of data, the vast volume of data that exists in modern life is not the most significant problem investigators face. Powerful software can now process a terabyte of material overnight. The biggest challenge for investigators is the inability to quickly cull through the information they process and surgically identify relevant documents to find the knowledge they require at the earliest possible stage.
If you know what type of information you are looking for, it should require minutes or hours, rather than days or weeks, to evaluate a body of content. Investigators cannot afford to waste precious weeks on a review that simply results in determining probable data loads and time estimates rather than setting fact-based strategies.
Focus on Interaction
Investigators who interact with data sooner rather than later to understand the details of a case secure an advantage. Those being investigated are more likely to admit wrongdoing when confronted early with hard facts, which can change the course and length of an investigation. It also distinguishes the process from a fairly standardized document review.
This practice of interacting with information makes the early assessment process an evidentiary endeavor. It also allows teams to get around budgetary and time constraints typically associated with preliminary review because they are concentrating on a smaller pool of documents with a higher potential value in the matter. For example, 99% of all corporate information goes through an e-mail server at some point, and 99% of personal e-mails end up in a PST file, making those good places to start. As a result, technology can support, rather than hinder, the evaluation effort.
Foster a Convergence between Forensic Practitioners and Case Investigators
While more experienced investigators typically—and correctly—focus on genuine investigation over surface review, forensic team members are often more dependent on technology and lack specific insight on the details of the case. At times they can allow digital tools to distract them, resulting in discussions about processes, instead of decisions about outcomes.
Those who concentrate on a unified approach between forensic practitioners and case investigators are likely to find a smaller and more manageable number of pivotal documents. Such findings will encourage collaboration between those members of the team focused more on strategy and those focused on technology, which creates a potent combination. This combination takes the best of both strategies to again reduce the time and effort required to carry out the investigation.
Harness Advanced Technology
Modern technology can simplify evidence collection and review and better equip investigators to form faster and more accurate conclusions. More importantly, in an environment of almost limitless information, they are now capable of automatically removing mountains of irrelevant data and investigating the contents of reduced pools of material to find answers.
A recurring theme throughout this article has been the reduction of time, resources and energy required to carry out a comprehensive and accurate digital forensic investigation. Techniques such as looking at the actual information you have from the start, rather than trying to simply gather as much of it as possible, are simple and cost effective to implement. Those investigative teams that combine logical, rational analysis with advanced technology will be the most successful, and will be more effective in accurately and more rapidly identifying whether or not a violation has actually taken place or, at the very least, whether or not it seems likely one way or the other. This means less hassle for everyone involved, including those being investigated.
Eddie Sheehy is CEO at Nuix (www.nuix.com). Sheehy has extensive experience working with digital forensics projects at Nuix, which produces advanced electronic discovery and investigation software used by corporations, law firms, consultancies, and government agencies including the U.S. SEC and UK FSA. He can be reached at eddie.sheehy@nuix.com.