Nuix Web Review & Analytics: Process, Search And Review Evidence In A Single Workflow

by Scar de Courcier, Forensic Focus

Background

Nuix Web Review & Analytics (WR&A) was created to enable analysts and non-technical investigators to collaborate on investigations.

The tool allows a senior investigator or case supervisor to allocate and assign data to individuals within a case. They can then log into the web interface to look through data, which will help them to assist technical investigators.

Once they have been set up, analysts can then start investigating and analysing elements of the case, even if they do not have any technical knowledge. Quite often, the case officer will be the person who knows the case best, but they are also often the ones who have not been trained to run a given forensic product – with Nuix WR&A, the idea is to enable them to use the Nuix suite of products alongside WR&A by providing a non-technical inferface with which they can interact.

This can be particularly useful in cases such as IP theft, where you might need to show data to HR representatives, but this is much more easily done via a user-friendly web interface than by sitting them in front of a full forensic product.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

WR&A is part of the standard Nuix suite, so once a case has been created in workbench, it can easily be brought into Web Review. The data can then instantly be available to the relevant individuals as soon as the image has been loaded.

What it does

WR&A will sit in a central environment, which can be on either a local or an external network. One important thing to note is that, despite the name, WR&A doesn’t need to be web-facing. Many users will simply interact with WR&A on a local network; it does not have to be on the internet. If preferred, however, it can also be hosted online.

At the outset, Nuix WR&A will provide a URL to a given user. They can then log into the web interface to view and analyse the case. When they first log in, they will reach a dashboard where they will be greeted with cases they have access to.

The administrator can control what others are able to see at a very granular level. It is possible to restrict a user’s case view to a particular file, or just a portion of the evidence. The options range from a full interface with analytics, visuals and interactive options, all the way back to a basic document review. The administrator controls the permissions via the Groups and Users menus at the top of the screen.

groupsOnce a user logs in, they will only see the cases they have been given access to. Depending on their permissions, they can then distribute tasks and assign different sets of data to other individuals. This is a particularly useful feature as it is often the case that multiple people might be investigating the same case, but all with different abilities and needs. Within Nuix WR&A, it is possible to show every user different things about the case, thus only allowing relevant data to be shown to the right people and lessening confusion at the user level.

The interface is particularly user-friendly; anyone who is used to using Gmail, Facebook, or similar web-based interfaces should have no problem navigating around. Under ‘Emails’, for example, it is possible to click through and read a message; select multiple messages; and apply bookmarks, just like you would in an inbox setting. Decisions can be made on the right-hand side, along with notes and comments for the attention of other investigators.

Viewing metadata and information around the file is also straightforward. The user can go to a review tab which allows them to go through items one by one. For example, a non-technical investigator could look through the documents relevant to a case, tag them or write comments about them for the attention of a technical investigator. This will then be saved as part of the Nuix case, after which a technical investigator can go through what others have tagged as relevant, take a closer look, start producing reports, and so on. There is no limit on the number of investigators that can be added to a given case.

search

The Search bar (pictured above) uses the same query syntax as standard Nuix products. If a user wants to narrow things down after performing a search, they will find at the top of the screen several buttons which allow filtering based on file type and so on.

Once a search has been run, the preview pane will show an overview of the item in question and whether there are any attachments, along with metadata. The user can then make a decision regarding whether to take a closer look at this item or tag it as not relevant and move on to other items in the case.

wra_5

The gallery view is a particularly useful tool that allows a user to see thumbnails of any images that may be relevant to the investigation. Once again, it looks a lot like a file folder or a search engine’s image results page, making it easily comprehensible and navigable for the average user.

gallery

From the gallery view, it is possible to highlight duplicates, select items, and pull items into a separate window for more detailed analysis. Again, a pane on the right hand side of the screen allows the user to make decisions, add comments and assign tasks. Users can also easily see whether an item has been attached to an email or has formed part of an MMS message, among other things.

Once data has been extracted from a given deviced and indexed by Nuix, it will automatically be available to view in WR&A. This coincides with all the file support Nuix offers; regardless of whether a user is examining a desktop, mobile device, items from Cellebrite, XRY, Oxygen or similar, everything can be brought in to be viewed.

geolocation

Mobile data can be easily distinguished and viewed using the ‘mobile’ button, which when clicked will show call logs and any other relevant data. Users can custom-design their own metadata profiles, meaning that each person can look at the elements in which they are specifically interested. Investigations can also be carried out simultaneously across different devices, showing collaboration of suspects and commonalities between devices.

wra_7

Non-technical analysts will be particularly interested in the Analytics section, where a user can start visualising information and then drill down to a more in-depth view. Multiple visualisation techniques are available, and the visualisations are completely interactive. As a user clicks on different parts of a visualisation, the backdrop will refresh – so the user can use the visual to create or filter criteria.

wra_6For example, if a user wanted to find out about timelines, they could define a date range in the Visualisation screen, then drill down further by hovering over a location. Automatically the background will refresh, showing all of the items using the visual. All of these items will be within the time frame selected and will also refer to any other parameters the user has chosen. Call records, images and other actions within that time frame can then easily be seen. If call records are found, the user can also see who has been talking to whom during the specified period, potentially helping to identify collaboration between suspects. These options are available for all mobile elements – not just call records but also texts, data from WhatsApp and Skype, emails, and so on.

The language selection tool is also very useful; this allows a user to see which languages have been used by specific individuals within their data sets. Again, if something of interest is found, it is then possible to drill down further and see the specific list of items behind the visual.

Analytics can be combined into a dashboard, which can be fully customised on a per-user basis. This will show an overview of the case being worked on when the user first starts up, giving them an overview before they start looking at individuals items. The dashboards can be completely bespoke to the user, so for a counter terror investigation it might be useful to see the languages used and the main people who are communicating with one another. A fraud investigation might require a list of monetary values, email accounts, and companies involved.

The interface is highly intuitive and in general users need a maximum of two hours’ basic training before they are able to use WR&A.

Nuix Web Review & Analytics offers a simple interface that enables people with minimal training or technology expertise to search, review and tag data. This powerful web analytics software delivers fast, collaborative review for eDiscovery and  investigation cases. It provides secure and compartmentalized access to case data for multiple reviewers, investigators, lawyers, analysts subject matter experts and external parties—and it rapidly scales to tens or hundreds of reviewers per case, with no complex databases or tricky client plugins to install. Find out more: nuix.com/webreview

Leave a Comment

Latest Videos

Digital Forensics News Round Up, March 27 2024 #dfir #digitalforensics

Forensic Focus 27th March 2024 6:06 pm

Digital Forensics News Round-Up, March 21 2024 #digitalforensics #dfir

Forensic Focus 21st March 2024 6:15 pm

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles