- SOAR 101
D3 Security’s Forensics Case Management system garnered a lot of attention from CISOs, corporate investigators and eDiscovery specialists at the world’s largest data security and digital investigations conference, CEIC. They were impressed with how the workflows, automation features and logic built into the system managed custodians, data sources, tasks and evidence so efficiently and in accordance with the industry’s exacting best practices. Many wondered how D3 Security, a relative newcomer to the digital forensics marketplace, was able to “nail it” (actual quote!).
It’s no doubt a relevant question—and we’ve provided the rather interesting answer below. I’ve also taken the liberty of reviewing overwhelmingly positive feedback given to us by CEIC attendees—namely Security Investigations Specialists, IT Forensic Examiners, Incident Response Directors, CISOs, Information Security Officers, and eDiscovery Specialists—to create the following list, D3 Forensics Case Management System: CEIC’s Top 5 Features.
In 2012, an unnamed Fortune 50 company (“The Company”) familiar with our incident reporting software and investigation/case management system approached us hoping to solve a problem. The Company had searched thoroughly for a solution that could manage and streamline the massive volume of case requests, custodians, evidence, tasks and reporting increasingly assigned to their global IT Forensics team—and nothing on the market came close. So, they offered to work closely with us to create an IT Forensics Case Management system laser-focused on managing simultaneous digital, mobile and computer investigations from inception through resolution. As noted by CEIC attendees, the system’s workflows and logic work extremely well to streamline cases significantly, and that’s because they’ve been shaped by one the world’s leading corporate IT forensics teams, its senior investigators and data security specialists—each with decades of relevant experience and best practice development. This foundation—particularly when paired with D3’s renowned configurability—is what makes the D3 Security solution such a focused and capable platform for any team conducting computer, mobile and digital investigations.
I’ve taken the feedback from CEIC attendees and created a list of what they thought were the Top 5 features of the D3 IT Forensics Case Management system. These features—and many others—were demonstrated or described on the show floor, and they consistently were hailed as significant improvements over existing products and practices. Primarily, attendees were impressed with the amount of time and effort the D3 system saved through its streamlined user experience, elimination of redundant exercises and numerous automation features. As one user who visited CEIC put it, “your system helps me shave days and weeks from a single case.”
A tailored web form allows users to easily request a case, identify its type, associate a list of custodians and specify any necessary parameters such as keywords, dates or locations. The Case Type tab is fully configurable; selecting a certain case type will trigger default settings in the rest of the form, streamlining the selection of data sources and uploading of custodians. This process works to ensure that all relevant information is consolidated in the case record while also removing any unnecessary fields that contribute to redundancy or the submission of useless information.
The Web Intake Form is integrated with Active Directory and other personnel management systems. Accordingly, users can upload a list of hundreds of custodians with a just a few keystrokes. You can even upload specific groups—such as entire departments, locations or work teams—further streamlining the custodian process and ensuring that only the most thorough cases are requested.
Evidence tracking with the D3 solution begins with tag-number barcoding and image file creation of hard drives, tablets, mobile devices, and any removable media. Checking any exhibit in or out is automatically logged in the chain-of-custody, as are any processing and retrieval outcomes and dates. Once data has been acquired from physical devices, it can be viewed, stored and referenced through the Evidence Tracking component’s intuitive tabular window.
From the software application, users can leverage advanced search capabilities, image files, chain-of-custody and processing information to manage physical evidence or analyze acquired data from virtually any type of standard source; email and webmail, web history and cache, chat sessions, audio, compressed files, backups, servers, RAID workstations, disk or RAM memory, plus data from smartphones and tablets.
The Case Management interface is an intuitive window that displays case status and related information on the right, including case status, priority level, any due dates stipulated as per an internal Service Level Agreement (SLA), and the date, time and quantity of any data retrieved or processed from each data source. Outstanding tasks are color-coded based on their due date and priority, enabling at-a-glance management.
In addition to this case status dashboard, there are configurable tabs located on the left. These are by default populated with Entities, IT Forensics, and Reviews. In Entities, you can review a case’s custodians and data sources, in addition to the Dynamic Link Analysis feature which allows investigators to establish relationships, test theories and generally use visualized data to improve the effectiveness of their investigations.
In IT Forensics, you can monitor all processing that has occurred or is occurring. Adding a new process is easy and forthcoming integrations with various forensic workstations will only enhance this capability further.
Finally, in the Reviews tab, the user can receive and review any collaborative items such as tasks or feedback completed by other departments, instructions from his or her superiors, or messages that have been received through the External Survey feature, which can be used as a securely encrypted method of distributing questionnaires, witness statements or general commentary from case collaborators.
Reporting from any field in the system is a hallmark of all D3 Security software modules, and the D3 IT Forensics Case Management System is no different. Investigators quickly drill down using a variety of analytics and reporting tools for real-time vision into legal holds, custodians, data sources, SLA phase stages and much more. D3 has also built several straightforward pre-configured reports that generate significant time savings and allow investigators to focus on advancing their cases. For example:
So, there you have it: the D3 IT forensics solution’s top 5 features—as indicated by the CISOs, computer forensics investigators, data security professionals and eDiscovery specialists at CEIC.
Click the button below to schedule your one-on-one software demo.
Do you want to see D3 in action? Join us for a 25-minute deep-dive demo and see how our award-winning Security Orchestration, Automation, and Response (SOAR) platform helps security teams accelerate incident response, scale processes, and learn from every incident.REGISTER NOW