The goal of the Analyst is to provide valid evidence for the investigation in progress. Evidence is:
To do this, the Analyst can perform the following procedures:
To select and retrieve important evidence:
Step | Action |
---|---|
1 | In the File System section, during remote tapping, explore the device hard disks searching for files to be downloaded. |
2 | In the Dashboard section, add the operation, targets and agents to be monitored to the dashboard. |
3 | In the Alerting section, set rules to be alerted when evidence of special interest arrives and to tag evidence according to relevance. |
To analyze, select and export evidence:
Step | Action |
---|---|
1 | In the Evidence section, analyze evidence and tag it according to relevance and whether or not it is to be exported. |
2 | For evidence of special interest, move on to detailed analysis. |
3 | In the Evidence section, export useful evidence. |
4 | In the File System section, export the hard disk structure. |
To process information obtained on people and places involved in the investigation:
Step | Action |
---|---|
1 | In the Intelligence section, view and manage entities in an operation. See "Entity management: icon and table views". |
2 | View or edit entity details. |
3 | In the Alerting section, build rules to be alerted when the system automatically creates new entities and new links and to tag links according to their relevance. |