Analyst's procedures

Introduction

The goal of the Analyst is to provide valid evidence for the investigation in progress. Evidence is:

To do this, the Analyst can perform the following procedures:

Procedures
To retrieve important evidence and be alerted

To select and retrieve important evidence:

Step  Action
1     In the File System section, during remote tapping, explore the device hard disks searching for files to be downloaded. See "Retrieving evidence from devices".
2     In the Dashboard section, add the operation, targets and agents to be monitored to the dashboard. See "Monitoring evidence (Dashboard)".
3     In the Alerting section, set rules to be alerted when evidence of special interest arrives and to tag evidence according to relevance. See "Alert".

Analyzing, selecting and exporting evidence

To analyze, select and export evidence:

Step  Action
1     In the Evidence section, analyze evidence and tag it according to relevance and whether or not it is to be exported. See "Evidence analysis".
2     For evidence of special interest, move on to detailed analysis. See "Evidence details".
3     In the Evidence section, export useful evidence. See "Evidence analysis".
4     In the File System section, export the hard disk structure. See "Retrieving evidence from devices".

To process information obtained on people and places involved in the investigation

To process information obtained on people and places involved in the investigation:

Step  Action
1     In the Intelligence section, view and manage entities in an operation. See "Entity management: icon and table views", "Entity management: link view", "Entity management: Position view".
2     View or edit entity details. See "Target entity details", "Person entity details", "Position entity details", "Virtual entity details".
3     In the Alerting section, build rules to be alerted when the system automatically creates new entities and new links and to tag links according to their relevance. See "Target alert (Alerting)".