How To Use Cross-Case Search With Belkasoft Evidence Center
Diving deeper may be the key to the eventual success of a digital forensic investigation. This is true not only when it comes to a single given case, but also when it comes to intersections between different cases.
Sometimes, a person being investigated may have associates who are problematic, or who have been involved in different forms of misconduct. Consequently, in the course of a digital investigation, investigators may need to examine links between a current case and other opened (or recently archived) cases. A reliable tool is needed to get a clear and coherent picture in its entirety.
That is why Belkasoft Evidence Center has a ‘Cross-Case Search’ function. This article is intended to demonstrate, step by step, how to use this feature productively.
General Outline
The aim of Cross-Case Search is to detect intersections between cases. By ‘intersections’ we mean pieces of information identified in the current case that can be linked with relevant data found in other cases chosen at the time of analysis. The resulting matches are subsequently displayed in the ‘Search Results’ screen. Belkasoft Evidence Center (BEC) is capable of using the following data types for Cross-Case Search:
- Phone numbers
- E-mail addresses
- Application user identification numbers (UINs) and profile names
- First, you need to enable Cross-Case Search while adding a data source. Switch on ‘Run cross-case analysis’:
- Click ‘Next’ twice (leave the second page at its default settings).
- Select an existing case (or cases) for your Cross-Case Search.
- Database icon. If you see this, you can select this particular case for a Cross-Case Search.
- Case name.
- Path to the case.
- Results associated with your current case can be accessed in the area indicated here as ‘1’.
- Matches from the other cases are displayed in the area ‘2’. These matches are items from the other case related to the new one.
Legal Questions
Some of our customers, discussing this feature, tell us that they cannot store closed cases, so the question arises: is the Cross-Case Search function useful for them? It is, and here is why:
- First, this feature does not have to be used on archived cases. You may use other open cases.
- Second, you can look into cases which are already examined but not yet deleted because they have not yet gone to trial. Some cases may last for a year or longer, and during this time you still possess these cases’ data.
- Third, you can run Cross-Case Search on your colleagues’ open cases.
- Lastly, even if you delete a certain case, the data required for Cross-Case Search will not be deleted by BEC by default. This data is kept anonymized, meaning that phone numbers and e-mail addresses are not bound to any person, since this information is not stored in the Cross-Case Search database. You are still able to run Cross-Case Search analysis and find meaningful results, though you will not be able to open the deleted case. This means that you can launch such a search, without the corresponding images or devices, while staying within the law.
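The idea described in ‘General Outline’ and in the last point above can be sketched conceptually as follows. This is an added example, not Belkasoft's code or storage format: the class, the normalization rules, the case names and the sample identifiers are all assumptions made for illustration.

```python
import re
from collections import defaultdict

def normalize(kind, value):
    """Canonicalize an identifier so formatting differences do not hide a match."""
    value = value.strip()
    if kind == "phone":
        return re.sub(r"\D", "", value)          # keep digits only (assumed rule)
    if kind in ("email", "profile"):
        return value.lower()
    return value                                  # "uin": compared as-is

class CrossCaseIndex:
    """Maps (kind, normalized value) -> case names. Stores no owner or contact name."""
    def __init__(self):
        self._index = defaultdict(set)
        self.openable = set()                     # cases whose full data still exists

    def add_case(self, case, artifacts):
        self.openable.add(case)
        for kind, value in artifacts:
            self._index[(kind, normalize(kind, value))].add(case)

    def delete_case(self, case):
        # Case data is removed; index entries are kept, as the article describes.
        self.openable.discard(case)

    def search(self, current_case, artifacts):
        """Return sorted (kind, value, other_case, can_open) intersections."""
        hits = set()
        for kind, value in artifacts:
            key = (kind, normalize(kind, value))
            for other in self._index.get(key, ()):
                if other != current_case:
                    hits.add((*key, other, other in self.openable))
        return sorted(hits)

# Constructed sample data (not from any real case).
idx = CrossCaseIndex()
idx.add_case("case-A", [("phone", "+1 (555) 010-0199"), ("email", "Alex@Example.org")])
idx.add_case("case-B", [("uin", "100200300"), ("email", "sam@example.org")])
idx.delete_case("case-A")

current = [("phone", "15550100199"), ("uin", "100200300"), ("email", "new@example.org")]
matches = idx.search("case-C", current)
for m in matches:
    print(m)
```

The match against the deleted case is still reported, but flagged as one that can no longer be opened.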
Cross-Case Search is an invaluable function to modern-day digital investigators. With Belkasoft’s Cross-Case Search, such a quest for data intersections with other cases is simple, intuitive, and automated. You can see it for yourself by requesting a free trial version of Belkasoft Evidence Center.