Identify – Process – Analyze

Digital Investigation

Workflows

Efficiency with digital data processing.

Technology – Training – Service

The Single-Tool Workflow

In this workflow there is only one primary tool. With limited budget and time it is often difficult to have more than one tool in the workflow to process and analyze data. To support two-tool verification of the data, a secondary tool is represented only at the analysis stage, through the use of Zandra AI. Because that second tool only sees the processed output of the first, the verification it provides covers the analysis stage rather than the acquisition itself.

When you have a single-tool workflow, you want to pick a platform-style tool as your primary. That way you can acquire as many source types as possible and also break down the analysis in the same tool. In this workflow E3 (Electronic Evidence Examiner) is the primary tool. With the ability to capture mobile, computer, IoT, and cloud sources, it gives a lab the most value.

Once the capture and the data breakdown are done, an analysis tool like Zandra AI can act as your second tool. By normalizing the data for Zandra, your case receives the speed benefit of AI and its ability to understand DFIR artifacts, while the results can still be verified back in the E3 platform.


The Multi-Tool Workflow

In this workflow there are multiple machines, each set up to process a specific data type. The workflow above walks through processing a smartphone; the same workflow applies to other data sources by substituting the tools on each machine.

This machine represents your best tool for acquisitions of iOS devices. These images might be full file system images or enhanced logical images.

This machine represents the best tool for acquisitions of Android devices. These acquisitions might range from rooted full file system images to enhanced logical images obtained with ADB downgrades (E3).

This machine focuses on the analysis of the data output from the acquisitions. The analysis can be done locally, or with cloud access to process the data in a private AI platform like Zandra AI.

This machine is set up for cross-validation of the prior steps in the workflow. It is the ideal place to add multi-function tools like E3 or open-source tools.

The combination of machines and licenses creates a cost-effective acquisition system for mobile devices, together with the cross-validation that is so critical in digital forensics.
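The cross-validation machine above is where the outputs of the earlier acquisition and analysis steps are compared against a second tool. The script below is an added example and is not code from E3, Zandra AI or this page: it normalizes two tools' SMS exports (constructed sample rows with assumed column layouts and timestamp formats) into a common artifact key, reports which messages both tools recovered and which only one did, and recomputes an image hash against each tool's reported value so a transcription or acquisition mismatch is caught before analysis proceeds.

```python
"""Cross-validate two mobile-forensics tools' SMS exports and their image hashes.

Added example: the CSV layouts, column names, sample rows and hashes are
constructed for illustration and do not come from E3, Zandra AI or any product.
"""
import csv
import hashlib
import io
from datetime import datetime, timezone

# Constructed export from "tool A" (ISO-8601 UTC timestamps, formatted numbers).
TOOL_A_CSV = """timestamp,direction,number,body
2024-03-05T14:22:10Z,incoming,+1 (555) 010-0199,Meet at 3?
2024-03-05T14:25:43Z,outgoing,+1 (555) 010-0199,Running late
2024-03-05T15:01:02Z,incoming,+1 (555) 010-0142,Call me
"""

# Constructed export from "tool B" (local time with offset, bare digits,
# different column names, and one recovered-deleted row tool A did not find).
TOOL_B_CSV = """time,type,address,text
03/05/2024 09:22:10-0500,received,15550100199,Meet at 3?
03/05/2024 09:25:43-0500,sent,15550100199,Running late
03/05/2024 10:30:00-0500,received,15550100177,Deleted msg recovered
"""

# Column mapping and timestamp format per tool (assumed, not real product schemas).
TOOL_SCHEMAS = {
    "A": {"ts": "timestamp", "dir": "direction", "num": "number", "body": "body",
          "ts_fmt": "%Y-%m-%dT%H:%M:%SZ"},
    "B": {"ts": "time", "dir": "type", "num": "address", "body": "text",
          "ts_fmt": "%m/%d/%Y %H:%M:%S%z"},
}

# Each tool names message direction differently; map both onto one vocabulary.
DIRECTION_MAP = {"incoming": "in", "received": "in", "outgoing": "out", "sent": "out"}


def normalize_timestamp(value: str, fmt: str) -> str:
    """Parse a tool-specific timestamp and return it as ISO-8601 UTC."""
    dt = datetime.strptime(value, fmt)
    if dt.tzinfo is None:  # the literal-"Z" format carries no tzinfo; treat it as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize_number(value: str) -> str:
    """Reduce a phone number to digits so formatting differences do not create false diffs."""
    return "".join(ch for ch in value if ch.isdigit())


def parse_export(csv_text: str, tool: str) -> set:
    """Load one tool's CSV export into a set of normalized (time, dir, number, body) keys."""
    schema = TOOL_SCHEMAS[tool]
    keys = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        keys.add((
            normalize_timestamp(row[schema["ts"]], schema["ts_fmt"]),
            DIRECTION_MAP[row[schema["dir"]].lower()],
            normalize_number(row[schema["num"]]),
            row[schema["body"]].strip(),
        ))
    return keys


def cross_validate(a_text: str, b_text: str) -> dict:
    """Return artifacts confirmed by both tools and those only one tool recovered."""
    a, b = parse_export(a_text, "A"), parse_export(b_text, "B")
    return {"both": a & b, "only_a": a - b, "only_b": b - a}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the acquired image, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def verify_image_hash(image: bytes, reported: dict) -> dict:
    """Recompute the image hash and compare it against each tool's reported value."""
    actual = sha256_hex(image)
    return {tool: (h.strip().lower() == actual) for tool, h in reported.items()}


if __name__ == "__main__":
    result = cross_validate(TOOL_A_CSV, TOOL_B_CSV)
    for bucket, rows in result.items():
        print(f"{bucket}: {len(rows)}")
        for row in sorted(rows):
            print("   ", row)
    # Constructed stand-in for an acquired image; tool B's log carries a bogus hash.
    image = b"constructed-image-bytes"
    print(verify_image_hash(image, {"A": sha256_hex(image), "B": "0" * 64}))
```

Artifacts that land in `only_a` or `only_b` are the ones worth a manual look in the primary platform: they are either a recovery one tool missed or a parsing error in the other, and the diff tells you exactly which rows to re-examine.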


The OSINT/DFIR relationship

OSINT and DFIR are two very distinct investigation fields, each with its own workflow. The real power, however, comes from combining the two workflows to achieve the widest collection scope and the most data correlation.

Data collection is the first step for both OSINT and DFIR professionals, with different tools and methods for each. Once the data is collected, viewing it through a forensic platform like E3 allows the appropriate validation and logging to start. After that logging has begun, further exploration of new leads or additional sources can all be brought into the suite for review. Passing normalized data, rather than the original sources, to an AI like Zandra or another keeps your primary sources as forensic-grade as possible.

As OSINT and DFIR investigations more and more frequently produce multiple reports, using a single platform to keep the data together provides the cleanest and most efficient workflow.