Shortly after beginning an investigation, once we’ve received and processed the evidence, one of the next big steps is getting a clearer understanding of the specifics of the case. Often, that means gathering keywords, key terms, or search phrases.
But first, let’s put this in the proper context. Keywords are just one type of search tool in a digital investigation. They’re on the same shelf as uncovering what USB drives were connected, what emails were deleted, what online storage services were used, and so on. In short: keywords are just another tool in our very big investigative toolbox.
Why that matters
Many well-intentioned clients initially try to guide us very tightly through this process. They’ll say:
“You’re looking only for these words. That’s it.”
And while we absolutely want (and need) their input, it’s also critical that they understand:
- Specific keywords, although often tremendously helpful, are not always the be-all and end-all.
- All the searches and artifacts we dig into are typically interrelated.
- Trying to confine us to only one narrow set of terms, unless explicitly limited by the court, can actually undermine the investigation.
The value (and limits) of keyword searches
Keyword searches often lead us to unexpected findings. For example:
A while back, we were told to look for very specific terms, mainly the names of our client’s customers. Even after asking multiple questions to better understand the suspects, company culture, and their work, we didn’t feel we had the full picture.
So we followed our instincts. On the investigative side, we ran some research on the suspect’s family. Sure enough, the spouse had formed a new business several months earlier.
Meanwhile, we’d also been told to only search for the past few weeks of activity on the suspect’s computers. That kind of narrow time frame is another common, but often unnecessary and limiting, restriction.
Armed with what we’d uncovered, we decided to look a little deeper. Given our experience, we wondered if they’d started working on a business plan while still on the company’s dime. (We’ve found this before, so it’s always worth a look.)
It paid off. We found the early makings of just such a document buried in the unallocated space of the hard drive. After carving and reconstructing the data, it turned out to include a different name than what they later used in official filings, and none of the client names we were originally given. Success!
This is when the client really saw the importance of letting us apply our broader investigative mindset. From that point forward, they gave us much more latitude, and we’ve since developed a strong, trusted advisor relationship.
What makes a good keyword list?
Specificity. Believe it or not, being too general actually makes things harder.
We’ve had lists that included words like:
“money,” “cash,” and (my favorite) “cheese.”
That might give you a chuckle, but vague words rarely help us zero in on anything meaningful.
What does help?
- Specific client names, email addresses, and contact names
- Vendors, project names, or internal code names
- Phone numbers
- References to key documents or top-secret company initiatives
Also worth looking at: names of former employees who went to competitors or started their own ventures. This can reveal hidden patterns you’d never find if the investigation was kept narrowly confined.
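To make the specificity point concrete, here is an added example (not from the original post and not Swailes' tooling) that runs a keyword list over raw bytes and counts hits per term. It goes slightly beyond the text by searching both UTF-8 and UTF-16LE, since the same text can be stored either way on Windows media. The sample data, the name "Northwind Fabrication", and the noise threshold are all constructed assumptions.

```python
import re
from collections import Counter

# Windows media commonly holds the same text as UTF-8/ASCII and as UTF-16LE.
ENCODINGS = ("utf-8", "utf-16-le")

def keyword_hits(data: bytes, terms):
    """Return sorted (offset, term, encoding) for each case-insensitive hit."""
    hits = []
    for term in terms:
        for enc in ENCODINGS:
            pattern = re.compile(re.escape(term.encode(enc)), re.IGNORECASE)
            hits.extend((m.start(), term, enc) for m in pattern.finditer(data))
    return sorted(hits)

def triage(data: bytes, terms, noisy_threshold=25):
    """Map each term to (hit count, label); the threshold is an assumed cut-off."""
    counts = Counter(term for _, term, _ in keyword_hits(data, terms))
    labels = {}
    for term in terms:
        n = counts[term]
        if n == 0:
            labels[term] = (n, "no hits")
        elif n > noisy_threshold:
            labels[term] = (n, "noisy")   # too many hits to review one by one
        else:
            labels[term] = (n, "review")  # few enough to examine in context
    return labels

# Constructed sample standing in for a region of unallocated space:
# everyday text (noise) around one UTF-16LE document fragment.
NOISE_LINE = b"lunch money: cheese pizza, cheesecake; pay the cashier in cash\n"
FRAGMENT_TEXT = "DRAFT business plan - first target account: Northwind Fabrication"
FRAGMENT = FRAGMENT_TEXT.encode("utf-16-le")
SAMPLE = NOISE_LINE * 40 + b"\xff" * 64 + FRAGMENT + b"\x00" * 64 + NOISE_LINE * 40

# Three vague terms from the list above plus one hypothetical specific name.
TERMS = ["money", "cash", "cheese", "Northwind Fabrication"]

if __name__ == "__main__":
    for term, (n, label) in triage(SAMPLE, TERMS).items():
        print(f"{term!r:26} {n:4d} hits  {label}")
    for offset, term, enc in keyword_hits(SAMPLE, ["northwind fabrication"]):
        print(f"offset {offset}: {term} ({enc})")
```

The vague terms also match inside unrelated words ("cheesecake", "cashier"), while the specific name produces a single hit that an ASCII-only search would have missed.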
Why we take a holistic approach
A holistic digital investigation almost always yields the best results. Keeping your investigative team “in a box,” or being less than transparent about details you already know, typically just limits our overall value, which weakens your case and makes it harder to catch whoever did you and your business wrong.
We’re here to maximize our findings and protect your interests. The more context we have, the more we can leverage all the tools at our disposal, keywords included, to uncover what really happened.
About Swailes Computer Forensics
Swailes Computer Forensics provides expert digital forensic services to law firms, corporations, and organizations nationwide. Our work includes investigations into intellectual property theft, employee misconduct, data breaches, and more. With decades of experience and a commitment to integrity and clarity, we help clients uncover critical evidence and take informed action.
If you’re facing a potential case of employee data theft or have concerns about unauthorized activity, contact us for a confidential consultation.