Deep Dive on Portable Case Part 1
One of the most essential parts of the forensic process is reporting what you find on a system. Often, the forensic examiner may only know part of the case. Not having the complete picture as a single examiner makes collaborating on findings essential to the reporting process. Magnet Forensics has built Portable Case, a feature of Magnet AXIOM and Magnet Cyber, to help foster that collaboration, make it more integrated, and allow that needed collaboration.
Using Portable Case to Collaborate
Often, during a digital forensic examination, it is necessary to collaborate on a case with other stakeholders. Stakeholders can include attorneys, investigators, subject matter experts, translators, Human Resources, and clients. AXIOM allows the forensic examiner to collaborate via Portable Case since the Digital Forensic Investigator can create a Portable Case to share with others.
You can create a Portable Case within AXIOM Examine.
Sometimes, sharing a report is not always the best way for a stakeholder to review data. Often, you may have multiple people with differing expertise involved in a case. By sharing a Portable Case, stakeholders can explore the evidence and add their comments. The examiner can collaborate with the stakeholders and merge their feedback in the form of tags, comments, and bookmarks into the case. The examiner can then incorporate feedback into the main case files.
The examiner can create a portable case containing some or all the artifacts parsed from the case. This allows the examiner to provide the stakeholders with the essential portions of the case without overwhelming them if it is not necessary.
Workload Management
You can pass a portable case to other examiners if a case requires multiple examiners. This feature allows multiple examiners to provide feedback and merge comments. You can also share content reviews across a team and merge the results. With Portable Case, you can create different content in different portable cases. For example, you can divide the case by type of content, with one examiner looking at pictures and videos while another looks at the user’s emails and chats.
No Additional License Required
Portable Case includes an executable so that your stakeholders can look at the case, navigate through the artifact data just as the examiner would, and take advantage of the different views and filters. You can share the portable case without needing an additional AXIOM or Cyber license.The Portable Case provides an easy interface for other examiners or stakeholders working on the investigation. The primary difference is that they cannot access the File System or Registry views.
Comment, Tag, and Bookmark
Stakeholders and examiners reviewing evidence in portable case can add bookmarks, tags, and comments. Additionally, they can see any comments, tags, and bookmarks previously created for artifacts in the portable case and add their thoughts and comments for easy collaboration.
Merge Feedback
Once the other stakeholders and examiners have added comments, tags, and bookmarks, the lead examiner can merge them into the original case. The examiner can then view the additional input stakeholders or users provided in the context of their current examination.
Relevant Evidence Compliance
Another area where examiners can use Portable Case is in jurisdictions where only relevant data may be kept, searched, and submitted in court. Portable Case allows for separating relevant from non-relevant information by filtering based on a warrant and creating a portable case. The examiner can then work off the portable case and seal non-relevant data that investigators collected in the original seizure.
Creating a Portable Case
You accomplish creating a Portable Case in AXIOM Examine. To start, right-click on any Artifact category and select Create Portable Case.
Choose Portable Case >
Select All Evidence >
Select just the evidence artifacts you want included in the Portable Case >
From here, you can follow the wizard and complete your Portable Case. You can even create a Template so you only have to decide on the artifacts you want to include in a Portable Case once, and your stakeholders will receive consistent information from case to case.
Wrapping it Up
Regardless of your reason, the Portable Case export in AXIOM allows examiners to collaborate easily with others involved in an investigation. Collaboration could involve multiple examiners to help share the workload on large cases, sharing data with subject matter experts, or even allowing an attorney or client to view data and provide feedback via tags, comments, and bookmarks. Everyone can now collaborate in a format that is easy to use.
Part Two
In part two of our Portable Case blog series, we will guide you through a step-by-step process of setting up and sharing a case.
Free Training Course: Making a Case (Portable Case)
This course is specifically designed to introduce stakeholders, such as investigators, attorneys, and subject matter experts, to the utilization and review of digital forensics case data provided in the form of a Magnet Forensics Portable Case. It aims to equip students with the necessary skills to navigate, search, filter, analyze artifacts, generate reports, and distribute findings using the Portable Case.
In this free tutorial, available in numerous 20-minute-or-less modules, we’ll walk through how you and your team members can leverage Portable Case to collaborate on cases, play to each other’s strengths, and reduce turnaround time.