The news...

“Dr When : Time Traveller?”

Rob Shrubsall, specialist in computer databases and chartered engineer, examines opportunities for greater clarity in multi-dimensional computer forensic examinations.
For immediate release – 1st February 2008

COMPUTER FORENSICS can create mountains of data, complicating and confusing the simplest of cases. When the number of exhibits containing electronic evidence multiplies, the challenge is analogous to finding a needle in a haystack. Reports from forensic investigators can become overburdened with data, often with very little real “information” to substantiate the case arguments and determine when events occurred.

When you’re instructed by commercial or public sector organisations you can often be presented with electronic evidence from a multiplicity of computers and networks; along with the usual mobile phones, telephone records and desktop/laptop computers. All these “systems” store increasingly high volumes of granular data.

If you progress down the traditional forensic examination route, you can quickly receive a witness statement plus allied report detailing a list of exhibits that match particular search terms or dates of relevance for each individual item of evidence. The exhibits may be individual email messages, system log files, digital images and word processing documents. Whilst this can reveal quite compelling elements, there is still often a considerable amount of manual effort in correlating the exhibits, identifying temporal relationships and tying in with the case chronology. Also, the software that aids the forensic examiner is often limited in the breadth of information it can extract – it will often be designed to focus on popular desktop software such as office productivity, email and basic common applications such as financial packages; but will be unable to extract data from larger databases or computer systems.

Is there an alternative? Is there a method to bring together all rich sources of data? Is there any way of focussing on real information that has a significant bearing on the case?

Whilst most experts are trained to avoid multiple questions, in this case we must concede: Yes, Yes, Yes! By developing proven techniques used in the world of business intelligence, an alternative approach can rapidly progress the results obtained from a conventional computer forensics investigation.
In this highly connected world, having a single window onto all electronic evidence enables lawyers to determine the next step…

The success factor is engaging experts who can forensically extract, time-base and link (FETL) data together such that it can be searched, aggregated, parsed and statistically processed, producing a full four-dimensional model of the electronic evidence. We are not talking about the activities of a “maverick expert” sticking out on a limb, but about a professional who can rapidly architect a repository of electronic evidence on a case-by-case basis, designed to be interrogated for the particular case in question.

The ability to add data from any computer system – whether it be a laptop, desktop, server or mainframe. To recognise the varying formats of email messages, financial transactions, electronic orders, telephone call records, security logs, system events. To open the different syntax of text files, spreadsheets and email messages. To access large relational databases, email stores and application servers, and source their underlying structured data.

Pulling together all these components into a single repository enables the expert to travel through time and follow a sequential chain of events that could start with a single telephone call or text message, followed by a flurry of online activity and conspicuous trading, and ending up with an array of fraudulent financial transactions.

So when you are next presented with a potentially daunting list of electronic evidence, consider the alternative. Are you sending a forensic investigator on a wild goose chase (at your client’s expense); or are you looking for real answers?

Rob Shrubsall is available to discuss a case prior to formal instructions. Contact his office on 01252 621843 or email info@contentengineer.com.


Notes to Editors

About the CONTENTENGINEER® Group

The CONTENTENGINEER Group are independent experts based in the UK's own "silicon valley" near London in the M3/M4 corridor. The Group has the knowledge and resource to provide independent expertise and, with proven methodologies, provides a broad spectrum of services including software development, computer forensics, data recovery and expert witness services.

About the Founders

The Group was founded in 2001 by Rob and Sarah Shrubsall.

Rob Shrubsall is recognised as one of the UK's leading independent information system experts and investigators of electronic data storage, with twenty years' experience. An open systems pioneer, he has specifically worked in the highly regulated markets of E-Commerce, Telecommunications, Corporate Finance, Equity Trading, Pharmaceuticals and HealthCare, as well as serving as a trusted adviser to other industries.

Sarah Shrubsall is a pioneer in the field of energy finance management, with over twenty years' experience of implementing monitoring, targeting and auditing systems. As UK Energy Finance Manager, she was responsible for the first organisation in the UK to receive electronic invoice data through EDI. She has specifically worked in Telecommunications, Finance, Building Services and Property.

Trademarks

contentengineer®, contentforensic®, woodlandstudios®, and FETL® are registered trademarks. contentrecover™, vendorneutral™ and energyforensics™ are trademarks. Copyright 2001-2010. All rights reserved. Other marks may be the [registered] trademarks of others.

Contacts

For more information please contact the Group on 01252 621843, via the website www.contentengineer.com or by email at info@contentengineer.com.
