Cybercrime Investigative Case Management
Using Digital Forensics and Investigative Techniques to Identify Cybercrime Suspects
By Brett Shavers
Elsevier ScienceCopyright © 2013 Elsevier Inc.
All rights reserved.
Investigative Case Management
1.1 INTRODUCTION
1.1.1 Basic Case Tracking
1.1.2 The Case Name
1.1.3 Note Taking
1.1.4 Analyzing Your Notes
1.1.5 Analysis with Spreadsheets
1.1.6 Analysis with Databases
1.1.7 Analysis Using Charts
1.1.8 Analysis Using Maps
1.1.9 Fresh Set of Eyes
1.1.10 Summary
This chapter introduces several methods that may allow you to see inferences as you manage the information in your case. These inferences help connect the dots between evidence and suspects. Instead of simply taking notes during your investigation, create a system that can lead to discoveries that might otherwise be missed. Gone are the days of writing reports and placing them in binders such as those seen in Figure 1.1. A case with any amount of electronic evidence from even a single storage device will quickly overwhelm a system of binders.
Investigative case management enables you to find information quickly and helps you understand your investigation as a whole. Comprehending your reconstruction of the incident will allow you to see the totality of the reconstructed incident as if you had been there when it occurred. You will have more "Eureka!" moments when the data can be seen as a whole and the inferences between suspects and acts stand out clearly among all the information.
There may be a few investigators and analysts who can keep a neat desk during complex cases, whilst the rest of us struggle to keep ahead of growing mounds of paper. Hundreds of pages are printed to be sorted throughout the case; duplicates of forms, photos, mail, court orders, and evidence requests are constantly generated and must be filed in some manner, and this can quickly engulf anyone. With multiple cases, and exams of multiple storage devices in each case generating even more case records, the work area commonly ends up looking like the aftermath of a small office hurricane. Cluttered and disorganized work areas also tend to coincide with cases that are not solved quickly, or not solved at all. This chapter intends to give methods of controlling information and analyzing it at the same time.
1.1.1 Basic Case Tracking
If there is one rule to remember, it is to handle evidence and information as it is collected. As long as each item is bagged and tagged in your system, the odds of losing or overlooking information are minimized. Bagging and tagging can easily be accomplished using logs where evidence or information that arrives is logged on paper, as it arrives, and filed away.
Every other method described in this chapter builds on that foundation and makes your case management that much easier. If you have a good system already, perhaps it can be made better using one of the methods described. And if one suggestion saves you minutes or hours over a period of time, then it is a worthwhile change to make.
Although electronic data can be reproduced, and fingerprint cards photocopied and scanned, the actual physical items themselves cannot be cloned. Items of this kind require safe storage within a secured facility. Physical evidence storage is vitally important, but it is not the focus of this chapter. The focus is managing your investigation information so that suspects can be clearly identified and the evidence supporting your suppositions is evident.
1.1.2 The Case Name
Before you can analyze your own information, you need to be able to find it. As unimportant as it sounds, naming your cases deserves some attention. Depending upon your agency or organization, there may be an automated system for case names and you have no choice other than what the system gives you. There is nothing wrong with that, as an internal system is already in place.
But what if you are responsible for creating the name for all your cases? In that instance, especially if more than one person works cases in your organization, having any system is better than having more than one system or no system at all. Figure 1.2 shows a simple case numbering system that is based on the date the case was created, with an additional sequential number if more than one case is opened on that particular day.
It might seem easier to name a case with its legal name, such as Doe v. Smith, or maybe even use the name of the client, suspect, or victim. Realistically, this is not the best method as clients may change during a civil case, identified suspects may be cleared, or additional victims identified. Even a court case number can change if the court venue is changed, perhaps from a state case to a federal case. There are too many variables that can change with any such designated name. A date-based format is unaffected by any variables as it is based on the date created and not the content of an investigation.
The electronic file names within an investigation may be organized by using your case name. Simply, each file's name can be preceded by its respective case number for ease of searching and cataloging. An example is seen in Figure 1.3, where case folders contain files named by the case and type of file. Cases where more than one person creates documents require a central repository for all documents, which could be stored on a shared network drive or internal database. Electronic records propagate quickly and can just as quickly be lost or overlooked.
If you currently have cases where your electronic case files have no order in naming conventions, what can you do? Spend hours renaming dozens or more individual files to some order? To save time and get your files in order, you could use a file renaming software utility, such as the Bulk Rename Utility seen in Figure 1.4. In one fell swoop, an entire folder can have the prefix of your case inserted into each file name.
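As an added illustration (not code from the book, and not Bulk Rename Utility), the following Python script does the two housekeeping tasks described above: it issues date-based case numbers that restart their sequence each day, and it applies a case-number prefix to every file in a case folder. The exact layout of the scheme in Figure 1.2 is not reproduced here; the YYYYMMDD-NN form, the function names and the sample dates are assumptions. The rename is a dry run unless told otherwise, so the planned names can be reviewed before anything on the case share changes, and re-running it on an already prefixed folder changes nothing.

```python
"""Date-based case numbering and bulk file prefixing.

Added example, not from the book. The YYYYMMDD-NN case-number format,
all function names and the sample dates are assumptions.
"""
import datetime
import os
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# Assumed format: eight-digit creation date, hyphen, two-digit sequence
# for the Nth case opened that day (01, 02, ...).
CASE_RE = re.compile(r"^(\d{8})-(\d{2,})$")


def case_number(opened: datetime.date, seq: int) -> str:
    """Build a case number such as 20130415-01 from a date and sequence."""
    if seq < 1:
        raise ValueError("sequence starts at 1")
    return f"{opened:%Y%m%d}-{seq:02d}"


def next_case_number(existing: Iterable[str], opened: datetime.date) -> str:
    """Return the next free number for a case opened on `opened`.

    `existing` is the list of case numbers already issued (for instance the
    folder names in the case repository). Numbers from other days are
    ignored, so each day restarts at 01; gaps are not reused.
    """
    day = f"{opened:%Y%m%d}"
    used = 0
    for name in existing:
        m = CASE_RE.match(name)
        if m and m.group(1) == day:
            used = max(used, int(m.group(2)))
    return case_number(opened, used + 1)


def prefix_case_files(folder: str, case_no: str, apply: bool = False) -> List[Tuple[str, str]]:
    """Plan, and optionally perform, renaming every file in `folder` to
    '<case_no>_<original name>'.

    Files already carrying the prefix are skipped, so the function is safe
    to re-run. Returns (old, new) name pairs; nothing is renamed unless
    apply=True, which gives a dry-run view before the case files are touched.
    """
    prefix = f"{case_no}_"
    plan: List[Tuple[str, str]] = []
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file() or path.name.startswith(prefix):
            continue
        target = path.with_name(prefix + path.name)
        if target.exists():
            raise FileExistsError(f"refusing to overwrite {target}")
        plan.append((path.name, target.name))
    if apply:
        for old, new in plan:
            os.rename(Path(folder) / old, Path(folder) / new)
    return plan


if __name__ == "__main__":
    today = datetime.date(2013, 4, 15)  # constructed date
    issued = ["20130414-01", "20130415-01", "20130415-02"]  # constructed
    print(next_case_number(issued, today))  # 20130415-03
```

Run `prefix_case_files(folder, case_no)` first and read the returned pairs; only when the list looks right call it again with `apply=True`. Because the check for an existing target refuses to overwrite, a collision surfaces as an error rather than as a silently lost file.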
1.1.3 Note Taking
Sometimes, during the investigative or analysis steps of an investigation, facts jump out and directly point to a suspect. Other times, it can take much longer to review and follow up on information just to be able to develop a list of potential suspects. Unless an investigation clearly points to a single suspect, the effort to develop leads begins with taking notes and reviewing those notes as the case develops.
Taking notes should be seen as more than documenting your investigative steps. Note taking is one of your investigative steps. Whether your notes are scribbled in a notepad or entered into a database, when reviewed at later dates, you most likely will be able to put one piece of information together with another that you didn't see before, forming an inference and potentially leading to case resolution. It's getting a "Eureka!" moment when you least expect it by analyzing your own notes and reports.
One method of keeping all investigative notes and related information in one place can be accomplished through multifaceted programs, such as OneNote from Microsoft Office (http://office.microsoft.com/en-us/onenote/) and EverNote (https://evernote.com/). There are similarities between both programs, such as being able to save all your notes in one location with search capabilities. Your notes can include pictures, audio and video recordings, faxes, e-mails, and almost any electronic file format you may be using as you conduct your analysis and investigation.
Other benefits to programs like OneNote (Figure 1.5) and EverNote (Figure 1.6) are that the information can be sent and accessed in the field through mobile devices. Investigators can take a photo of evidence with a mobile device in the field and send it directly into the case file. Web screenshots can also be saved directly into the program. As an information management option, these types of programs may be useful to your investigation to organize case data.
1.1.4 Analyzing Your Notes
Gone are the days of typewriters. Reports are now typed using any one of the many word processing software applications available or typed directly into an internal system. Report narratives, summaries, and briefs are created and stored electronically. The ability to search these electronic files for information that may have been entered months or years earlier eliminates the need for physically searching for paper documents. Instead of spending hours sifting through a dozen boxes of case files looking for one document, you can search electronically in seconds.
But is typing your notes using a word processing application good enough? For a final report, any word processing application will work; however, a word-processed report may not be the easiest document to analyze. Because notes are written and typed chronologically, reviewing all instances of a specific event in a chronological report is difficult. An example would be finding every instance when a USB device was connected to multiple systems. A typed, chronological report requires reading through every page to find every place this information was recorded. Sometimes, being able to review notes out of chronological order helps find the information needed to understand a case. Perhaps an application that is not a simple word processing program would be better.
One example of such an application is KeepNote (http://www.keepnote.org), a cross-platform note taking utility. As seen in Figure 1.7, data is stored in a hierarchical format and is customizable to a specific case or need. The information can be searched electronically, files of various formats can be attached, and reports can be generated in HTML or XML format. KeepNote can also be run from a portable storage device. Although KeepNote has a simple interface, it allows investigator notes to be analyzed alongside supporting evidence without relying solely on chronological order.
There are other similar applications available freely as open source or freeware. Some of these are primarily report writing utilities or light case management utilities, which leaves scalability as a drawback. A program similar to KeepNote is NoteKeeper (http://www.tolon.co.uk/software/notekeeper/). NoteKeeper is also freeware and useful for organizing investigative notes. Another note taking utility, with encryption and tamper-evident notes, is CaseNotes (http://qccis.com/resources/forensic-tools/casenotes-lite/). CaseNotes, like NoteKeeper and KeepNote, is freely available.
The point to be made in analyzing your notes is that although the information in the notes consists of investigative steps taken, including analysis of electronic evidence, being able to analyze your actual notes can be productive. Sometimes, a short sentence created weeks earlier can take on a whole new meaning when reviewed with other notes created later.
1.1.5 Analysis with Spreadsheets
The spreadsheet is perhaps one of the most commonly used, versatile, and powerful software applications in digital forensics investigations. A spreadsheet could be used for entering text as if it were a word processing application, but it shines when used to analyze massive amounts of information, such as displaying events in a chronological timeline. Timeline analysis allows viewing and interpreting of data by sorting it on various criteria, such as chronological dates or specific event types.
Timelines can be used to display internet history, event logs, registry files, or a combination of system and file data. Important events in a timeline can be given focus through the use of color and bold text to draw attention during review of the data. As spreadsheets can be sorted by column, any header of interest can be chosen and viewed in ascending or descending order, or filtered on whatever other criteria are available. The column headers are the titles for the metadata of each data item: timestamps, file names, file paths, or any other user-selected metadata descriptor that may be available.
Manipulating a spreadsheet in this manner allows you to quickly find specific information, even if there are hundreds of thousands of data rows. This manipulation of how data is viewed also helps to change your perspective on the data to perhaps see information leading to investigative leads or conclusions.
Creating a timeline usually involves importing raw or filtered information in .csv format into a spreadsheet; the import can range from thousands to millions of rows of data. Bear in mind that spreadsheet applications have hard row limits (Excel, for example, holds at most 1,048,576 rows per worksheet), so a very large timeline must be filtered before import or loaded into a database instead (see Section 1.1.6). The data can be collected using timeline applications such as Log2timeline (http://log2timeline.net/) and Aftertime (http://www.holmes.nl/NFIlabs/Aftertime), or through scripts and applications such as RegRipper (http://code.google.com/p/regripper/) developed for collecting timeline data.
Even the export of file lists from forensic analysis applications such as X-Ways Forensics (http://www.x-ways.net) can be used to create a timeline. However, exporting massive amounts of data will most likely contain an amount of information not needed for your investigation. At that point, time will be needed to substantially cull the data in order to understand specifics and context of a certain incident.
As information specific to a file type can be imported into its own timeline, separate timelines can focus on specific events. For instance, graphic files, documents, or system related data such as registry files can either be combined into one timeline or separated into individual timelines, depending on your objective. Figure 1.8 shows filtered data of USB device use only, sorted by date created, as an example of a narrowly focused timeline, or mini-timeline, displayed in a spreadsheet.
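As an added example (not from the book, and not the export format of Log2timeline, Aftertime or RegRipper), the following Python script takes a combined timeline export in CSV form, keeps only the USB-related rows, sorts them on the parsed timestamp rather than on the text, and answers the question raised earlier in the chapter: on which systems, and when, did one USB device appear? The column names, keyword list, device serial and the sample rows are constructed for illustration and would need to be adapted to a real tool's export before use.

```python
"""Build a narrowly focused mini-timeline (USB device activity) from a
larger timeline CSV.

Added example, not from the book or from any tool it names. The CSV
columns (timestamp, source, host, message), the keyword list and the
sample rows are constructed; real exports use their own layouts, so
adapt the *_COL names and parse_time() accordingly.
"""
import csv
import io
from datetime import datetime
from typing import Dict, Iterable, List

TIME_COL, SOURCE_COL, HOST_COL, MSG_COL = "timestamp", "source", "host", "message"

# Constructed sample export: deliberately out of order and mixing several
# event types, as a raw tool export typically is.
SAMPLE_CSV = """timestamp,source,host,message
2013-03-02 09:15:07,REG,WS-017,USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\0019E06B1234 first install
2013-03-01 17:40:22,EVT,WS-017,Logon Type 2 user jdoe
2013-03-02 09:15:09,REG,WS-017,MountedDevices \\DosDevices\\E: -> Kingston DataTraveler 0019E06B1234
2013-02-28 08:01:55,LNK,WS-017,E:\\payroll_export.xlsx opened
2013-03-02 09:14:58,EVT,WS-017,Setupapi: USB device install Kingston DataTraveler
2013-03-03 11:02:41,REG,LAPTOP-04,USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\0019E06B1234 last connected
2013-03-01 12:00:00,WEB,WS-017,http://example.invalid/webmail visited
"""

# Assumed keywords marking USB-related artifacts in the message column.
USB_KEYWORDS = ("usbstor", "usb device", "mounteddevices")


def load_timeline(text: str) -> List[Dict[str, str]]:
    """Parse a CSV export into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_time(value: str) -> datetime:
    """Timestamps in the constructed export are 'YYYY-MM-DD HH:MM:SS'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def mini_timeline(rows: Iterable[Dict[str, str]],
                  keywords: Iterable[str] = USB_KEYWORDS) -> List[Dict[str, str]]:
    """Keep only rows whose message mentions a keyword, sorted chronologically.

    Sorting on the parsed datetime avoids the mis-ordering a spreadsheet
    produces when timestamps are imported as text.
    """
    kws = [k.lower() for k in keywords]
    hits = [r for r in rows if any(k in r[MSG_COL].lower() for k in kws)]
    return sorted(hits, key=lambda r: parse_time(r[TIME_COL]))


def device_hosts(rows: Iterable[Dict[str, str]], serial: str) -> List[str]:
    """Hosts on which a given device serial appears, in first-seen order."""
    seen: List[str] = []
    for r in mini_timeline(rows):
        if serial in r[MSG_COL] and r[HOST_COL] not in seen:
            seen.append(r[HOST_COL])
    return seen


def write_csv(rows: List[Dict[str, str]]) -> str:
    """Serialise filtered rows back to CSV for import into a spreadsheet."""
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=[TIME_COL, SOURCE_COL, HOST_COL, MSG_COL])
    w.writeheader()
    w.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    rows = load_timeline(SAMPLE_CSV)
    print(write_csv(mini_timeline(rows)))
    print(device_hosts(rows, "0019E06B1234"))  # ['WS-017', 'LAPTOP-04']
```

The filtered CSV that `write_csv` returns is what would be imported into the spreadsheet for the mini-timeline in Figure 1.8; `mini_timeline` can be pointed at a different keyword list (document names, a user account, a URL) to carve out any other focused view from the same master export.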