by Yuri Gubanov
Diving deeper may be the key to the eventual success of a digital forensic investigation. This is true not only when it comes to a single given case, but also when it comes to intersections between different cases.
Sometimes, a person being investigated may have associates who are problematic, or who have been involved in different forms of misconduct. Consequently, in the course of a digital investigation, investigators may need to examine links between a current case and other opened (or recently archived) cases. A reliable tool is needed to get a clear and coherent picture in its entirety.
That is why Belkasoft Evidence Center has a ‘Cross-Case Search’ function. This article is intended to demonstrate, step by step, how to use this feature productively.
The aim of Cross-Case Search is to detect intersections between cases. By ‘intersections’ we mean pieces of information identified in the current case that can be linked with relevant data found in other cases chosen at the time of analysis. The resulting matches are subsequently displayed in the ‘Search Results’ screen.
Belkasoft Evidence Center (BEC) is capable of using the following data types for Cross-Case Search:
- Phone numbers
- E-mail addresses
- Application user identification numbers (UINs) and profile names
- First, you need to enable Cross-Case Search while adding a data source. Switch on ‘Run cross-case analysis’:
2. Click ‘Next’ twice (just leave the second page by default).
3. Select an existing case (or cases) for your Cross-Case Search.
Pay Attention: Each case is identified with the following three parameters:
- Database icon. If you see this, you can pick up this particular case for a Cross-Case Search.
- Case name.
- Path to the case.
If you created a case with an earlier version of BEC, it will not be available for Cross-Case Search. However, you can upgrade such cases by opening it with the newest version of BEC.
4. Once you have launched your Cross-Case Search, BEC starts to search for matches in the selected cases as it processes the current one. In fact, matches can be detected before the current case is completely processed.
5. An alert icon in the status bar will inform you about the first identified match. Clicking on the icon will lead you to ‘Search Results’.
6. If you would like to examine your Cross-Case Search results, follow this route: ‘View’ –> ‘Search Results’. You need the ‘Cross-Case Search’ node. Here you can start examining individual links between cases. You can find such a link, exemplified by an e-mail below.
- Results associated with your current case can be accessed in the area indicated here as ‘1’.
- Matches from the other cases are displayed in the area ‘2’. These matches are items from the other case related to the new one.
In this sample case, the match is PhilipLombard1939@gmail.com.
Some of our customers, discussing this feature, tell us that they cannot store closed cases, so the question arises: is the Cross-Case Search function useful for them? It is, and here is why:
- First, this feature is not necessarily to be used on archived cases. You may use other open cases.
- Second, you can look into cases which are already examined but not yet deleted because they have not yet gone to trial. Some cases may last for a year or longer, and during this time you still possess these cases’ data.
- Third, you can run Cross-Case Search on your colleagues’ open cases.
- Lastly, even if you delete a certain case, the data required for Cross-Case Search will not be deleted by BEC by default. This data is kept anonymized, meaning that phone number and emails are not bound to any person since this information is not stored in the Cross-Case Search database. You are still able to run Cross-Case Search analysis and find meaningful results, though you will not be able to open the deleted case. This means that you can launch such a search, without corresponding images or devices, within the frames of legality.
Cross-Case Search is an invaluable function to modern-day digital investigators. With Belkasoft’s Cross-Case Search, such a quest for data intersections with other cases is simple, intuitive, and automated. You can see it for yourself by requesting a free trial version of Belkasoft Evidence Center at https://belkasoft.com/get.