Learn about the importance of having one central area when reviewing the contents of a mobile device, including but not limited to recent comms and tagged artifacts. 

Meet the Expert: Josh Carder
Digital Forensics Specialist

Answering Who, What, When, Where, and Why?

Every investigator faces five key questions during their duties: Who, What, When, Where, and Why? Answers to these questions help solve cases, and law enforcement should have tools available that help them in their journey to justice.

The answers to these main five questions are what examiners and investigators need as soon as possible. With ArtifactIQ by Grayshift, you can answer many of these questions within minutes of beginning a mobile device extraction with GrayKey. You read that correctly – not after the extraction and subsequent parsing have been completed, but within minutes of only beginning the initial extraction.

To begin, when you open ArtifactIQ by Grayshift, you will land on the Dashboard. Think of this area as the main landing page of a website containing relevant information about the collected device; we’ll dive more into these artifacts later. The Dashboard will provide your investigations team with immediate, eyes-on actionable intelligence that will lead you to additional extracted information. It’s easy to get lost in the weeds with current forensic analysis software and be uncertain about where things are stored, so we created the Dashboard feature with this exact problem in mind: a central area that you can return to in case you’re stuck, or to check on items of interest that are important to you.

You can monitor your extraction upload from your GrayKey hardware in the top left corner of ArtifactIQ via the Extraction Process display. The progress bar updates simultaneously in the GrayKey and ArtifactIQ interfaces and provides critical insights on the importing process. It also shows the extraction name assigned within the GrayKey user interface, the current progress percentage, and a timestamp indicating the time of completion. We know that time is of the essence in every investigation, and knowing how long it will take to complete the ingestion process is especially important to all stakeholders.

Time to first fact is one of the key benefits and differences between ArtifactIQ by Grayshift and other legacy analysis products. Data from the mobile device extraction will show almost immediately within ArtifactIQ, even before the completion of the device extraction.

The Details of Your ArtifactIQ by Grayshift Dashboard

So, we have explained what the Dashboard is intended to do. Let’s dive further into its interface and what it has to offer:

  • Device Owner Information: In this area, you can view information about the device owner and various associated accounts. For example, you might see phone numbers, email addresses, and social media and messaging application user IDs. This area can vary depending on what applications the user has installed and how they interacted with them.
  • Device Information: You can see information such as the device make and model, assigned device name, OS version, IMEI, and IMSI, among other helpful device details. Like the Device Owner information, these details could vary depending on the device’s make and model.
  • Latest Message, Most Contacted, and Most Recent Location: Located in the Dashboard’s header, you have direct access to the newest message on the device, the most contacted party, and the most recent logged location. These are what Grayshift refers to as Key Clues.
  • Details Pane: Quickly obtain a more detailed view of an artifact once it is selected. For example, if a specific message is selected, the details pane will show the application source, when it was sent, and the status of the message, among other helpful information. You can also dive deeper into artifact source file information to know where this message resides within the device file system. If this message is important to your case, tag it as important. Or you can dive further into the conversation containing the selected message by going directly to that thread within the Messages category.
  • Tagged Clues: Easily see artifacts of interest. Evidence tagged as important will be saved directly to the Dashboard in list format.

We also focused on another critical element of investigations: collaboration. The ability to share information at the agency level and with other outside investigative units is vital for speedy case resolution. With ArtifactIQ by Grayshift, investigators can also quickly share an extraction with other involved parties via the Dashboard. It’s that simple, eliminating the need to generate reports, which takes time and resources. Recipients of the ArtifactIQ data will be brought directly to the case Dashboard category, obtain immediate intelligence pertinent to their investigation, and collaborate with the original investigator or examiner in real time. This is where the Dashboard and ‘Tagged Clues’ section come into effect. Collaborators can see where you are during your analysis and work alongside you as you dive into the analysis process.

Also located on the Dashboard is the Navigation Pane. The easiest way to describe the Dashboard is to compare its features to a general website, containing important information about the item and linking to other key pieces of information. The Navigation Pane contains these links, which break down the contents of a mobile device extraction into specific categories, including Calls, Contacts, Locations, Media, Messages, and Timeline.

We understand the need for simple, easy-to-use interfaces that work for us, not against us, especially when time is of the essence. The Navigation Pane in the ArtifactIQ by Grayshift Dashboard was designed to address this problem and focus on items that matter to you.

© 2022. Grayshift, LLC. All rights reserved. Proprietary and confidential.