Shortly after beginning an investigation, once we have received the evidence and started processing it, we try to get a better understanding of the specifics of the matter. More often than not, these specifics come in the form of keywords, key terms or search phrases. First and foremost, let me put this type of search in proper context. Keywords (I’ll settle on this description) are one type of search in the course of a digital investigation. Much like determining which USB drives were connected, which emails were deleted and which online storage sites were visited, looking for specific keywords is merely another tool in the toolbox of a high-tech investigation.
Why does this matter? Because many well-intentioned clients have tried to guide us through this process by telling us exactly what we should be looking for. And by guide us I mean literally “you are looking for just things that have these words.” How we almost always win them over so that they don’t try to keep us in a box, I’ll get to in a moment. But for now I want to reiterate that having specific words (although oftentimes tremendously beneficial) is not the end-all, be-all. All of the searches and artifacts we’ve talked about, and will talk about more in the future, are typically related. Singling out one exact type of search involving specific keywords (unless explicitly limited by the court in an already ongoing matter) is rather silly in terms of the overall investigation.
Having said that, keyword searches sometimes bring to light other pieces of information you wouldn’t have otherwise found. I’m reminded of one instance where we were instructed to look for some specific terms, namely clients of our client. After several inquiries to get more of the bigger picture, including what the suspects in this case did for the company as well as company culture, goals, etc., we still weren’t satisfied that we had the sort of information that would prove beneficial to the case overall. We instinctively went off script on this and did some research ourselves, including looking at the family (on our investigative side) to see if by chance anyone had set up a business and filed in various places to do so. Lo and behold, the spouse had formed a company several months prior. I should also point out that we were asked to search only the last few weeks of the suspect’s activities on the computers, another oftentimes unnecessary and limiting criterion.
Armed with the new information discovered from our related investigation, we continued a bit off script with our digital investigation of the evidence. In particular, we wondered if they might have started working on a business plan while still on the company’s dime (truth be told, we’ve looked for this before with good results, so it’s clearly worth investigating). We found the early makings of just such a document scattered in an unallocated area of the computer’s hard drive. After carving out the data and getting it cleaned up, it listed none of the clients that we had been supplied and in fact had a different variation of the name they settled on in their filings for their venture. Success! This is where the client realized the importance of allowing us to work a little outside the box. In the course of following our instincts, we were able to bring the client around to our way of thinking about how our investigative mindset shapes our course as well as our methodology.
This is really what enables us to provide the investigative difference.
Having earned our stripes, we now have a trusted advisor relationship with this client, working similar matters as they arise, and we are given a wealth of information that might prove beneficial to the investigation. This is an interesting anecdote from a real-world case that helps put the value and limitations of keyword searches in their proper context.
How about those keywords? What makes a good keyword? Believe it or not, specificity. Being vague and giving general terms doesn’t typically help us to understand what we’re looking for. Let us be the ones to come up with some vague terms once we get a better understanding of what the issue is. Then they’ll be tailored towards the subject matter and allow us the latitude needed. As mentioned in a previous post, in the past we’ve received a list of keywords that included words like “money”, “cash” and “cheese”. I mentioned that last one before but it still cracks me up. These typically don’t really help us. On the other hand, specifics such as client names, email addresses, contact names, vendor names and phone numbers do help. So do current projects or top-secret endeavors that the company, as well as the suspects in the matter, might have been working on or had access to.
You know what else is good to look for? Previous employees who have gone to work for a competitor or others who have struck out on their own. This is why a holistic approach to a digital investigation is almost always the best. Putting your investigative team in a box and being less than transparent only limits our overall value, which hurts the case and makes it a whole lot harder to catch those who have done you and your business wrong. Our next post will be more real-world questions and answers!