Telling the Story of Digital Evidence
In digital forensics, demonstrating attribution—using operating system artifacts to prove that the suspect had knowledge of the document or image files found on a device—is one of the key elements of building a case. Telling a complete evidentiary story is stronger still: How did a file get here? Where did it go, to whom, and from whom?
Link analysis in itself is not a new concept in digital forensics. However, it tends to focus on traditional “call chain analysis”—focusing on phone calls, text messages, and/or social media connections between people—rather than the artifacts they create.
Artifact relationship analysis goes beyond visualizing relationships between people. It applies the link analysis concept to files and operating system artifacts, helping a forensic examiner to visualize relationships within artifacts and across evidence sources—computers, mobile devices, and even cloud-based accounts.
By tracing the movement of files between systems and devices, forensic examiners can build a story of where evidence came from, including where it is currently located, how it was shared, and with whom.
The manual process of building such visual maps is time- and resource-intensive. In contrast, an automated connection and visualization process, such as the one found within Magnet Forensics’ AXIOM software, allows examiners to apply these principles to all cases. By leveraging AXIOM’s ability to pull cloud data, smartphone data, and computer data into a single case file, the Connections feature allows forensic examiners to follow a key piece of evidence and connect it to devices, suspects and other artifacts.
How Automated Artifact Connection Analysis Works
Some of the most common types of cases where this ability is critical include child exploitation, terrorism, and intellectual property theft—or any case in which a suspect denies knowing anything about the contraband or illicit files.
The basic process starts with structured data acquired from mobile devices, computers, memory, and the cloud that describes when, where, how often, and by whom a file was moved. This data can show when files were created and updated; what the file is and its download history; its original author and last author; how else it was viewed, besides navigation; and any associated patterns of life.
From there, it becomes possible to add context, not just from file metadata but also from parsed content. Grouping artifacts that have common properties, such as file names and paths, shows meaningful relationships to other artifacts. Connections can also be made via categories of artifacts, such as attachments shared across applications.
These artifacts become even more powerful when combined with operating system artifacts, which help identify where the file was stored, whether it was opened, and whether shortcuts were created. They help further when suspects insist that someone else with access to the same computer downloaded the illicit content.
In that case, a relative time filter, applied to the “explored” date on the shellbags related to the files, shows other artifacts created around the same period of time, including logins and web activity. By showing other files being downloaded or accessed, other communications and even other account sign-ins, the examiner can build the timeline and the story of user activity that proves or disproves the original suspect’s defense.
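To make the two steps above concrete, here is an added example (written for this page, not Magnet Forensics’ or AXIOM’s code) that runs over a small set of constructed artifact records: it links artifacts that share a property (file hash, file name, path, or a folder that contains the file, which is how a shellbag relates to a download), walks those links outward from a seed file to assemble its “story”, and applies a relative time window around a shellbag’s explored timestamp to surface the logins and web activity that happened alongside it. The record layout and the sample values are assumptions; real extractions carry far more fields.

```python
"""Artifact relationship analysis over constructed records (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import posixpath

# Constructed sample artifacts; none of these values come from a real case.
# Field names (type, name, path, target, sha1, time, user, device) are assumptions.
ARTIFACTS = [
    {"id": 1, "type": "download", "name": "report.pdf",
     "path": r"C:\Users\alice\Downloads\report.pdf", "sha1": "aaa111",
     "time": "2024-03-01T09:00:00", "user": "alice", "device": "laptop"},
    {"id": 2, "type": "shellbag", "name": "Downloads",
     "path": r"C:\Users\alice\Downloads",  # "explored" timestamp
     "time": "2024-03-01T09:05:00", "user": "alice", "device": "laptop"},
    {"id": 3, "type": "lnk", "name": "report.pdf.lnk",
     "target": r"C:\Users\alice\Downloads\report.pdf",
     "time": "2024-03-01T09:06:00", "user": "alice", "device": "laptop"},
    {"id": 4, "type": "login", "time": "2024-03-01T08:55:00",
     "user": "alice", "device": "laptop"},
    {"id": 5, "type": "web", "url": "https://example.invalid/report.pdf",
     "time": "2024-03-01T08:59:00", "user": "alice", "device": "laptop"},
    {"id": 6, "type": "email_attachment", "name": "report.pdf", "sha1": "aaa111",
     "time": "2024-03-02T14:00:00", "user": "alice", "device": "phone"},
    {"id": 7, "type": "login", "time": "2024-03-03T10:00:00",
     "user": "bob", "device": "laptop"},
]


def _norm(path):
    """Normalise a Windows or POSIX path for comparison: forward slashes, lower case."""
    return path.replace("\\", "/").rstrip("/").lower()


def _paths(artifact):
    """All path-like values an artifact carries (a shortcut's target counts)."""
    return [_norm(p) for p in (artifact.get("path"), artifact.get("target")) if p]


def link_artifacts(artifacts):
    """Return {id: {(other_id, reason), ...}} for every pair sharing a property."""
    links = defaultdict(set)

    def add(a, b, reason):
        links[a["id"]].add((b["id"], reason))
        links[b["id"]].add((a["id"], reason))

    for i, a in enumerate(artifacts):
        for b in artifacts[i + 1:]:
            if a.get("sha1") and a.get("sha1") == b.get("sha1"):
                add(a, b, "same hash")
            if a.get("name") and a.get("name") == b.get("name"):
                add(a, b, "same file name")
            for x in _paths(a):
                for y in _paths(b):
                    if x == y:
                        add(a, b, "same path")
                    elif posixpath.dirname(x) == y or posixpath.dirname(y) == x:
                        add(a, b, "folder contains file")
    return links


def connected_story(artifacts, seed_id):
    """Breadth-first walk over the links: every artifact reachable from the seed."""
    links = link_artifacts(artifacts)
    seen, queue = {seed_id}, deque([seed_id])
    while queue:
        current = queue.popleft()
        for other, _reason in links[current]:
            if other not in seen:
                seen.add(other)
                queue.append(other)
    return sorted(seen)


def relative_time_window(artifacts, anchor_id, minutes):
    """IDs of artifacts within +/- `minutes` of the anchor's timestamp, by time."""
    by_id = {a["id"]: a for a in artifacts}
    anchor = datetime.fromisoformat(by_id[anchor_id]["time"])
    delta = timedelta(minutes=minutes)
    hits = [a for a in artifacts
            if a["id"] != anchor_id
            and abs(datetime.fromisoformat(a["time"]) - anchor) <= delta]
    return [a["id"] for a in sorted(hits, key=lambda a: a["time"])]


if __name__ == "__main__":
    story = connected_story(ARTIFACTS, 1)
    print("Artifacts linked to the download:", story)
    print("Activity within 15 min of the shellbag explored time:",
          relative_time_window(ARTIFACTS, 2, 15))
```

In the sample, the download, the Downloads shellbag, the shortcut and the attachment later sent from the phone all end up in one story, while the time window around the shellbag pulls in the user’s login and the web visit that preceded the download; the unrelated login two days later by a different user falls outside both. The pairwise linking is quadratic, which is fine for a demonstration but would need indexing by hash, name and path for a real case.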
Altogether, these artifacts can provide attributions for things you see and don’t see, to prove that they existed and were accessed even if they no longer reside on a system or device.
By applying the link analysis concept to all artifacts on a given system or device, forensic examiners can now save time and effort in quickly mapping artifacts and their relationships to one another—to build a story, show intent, and attribute evidence to a suspect.
This article, credited to Magnet Forensics’ Account Executive Peter Warnke, will appear in Polish in the Spring edition of Magazyn Informatyki Sledczej/Bezpieczenstwa IT (Computer Forensics / IT Security Magazine). The magazine’s printing will be in conjunction with the April 10 Spring Meetings with Computer Forensics, organized by our partner Mediarecovery.