Work Smarter with New Smart Filters in Oxygen Forensic® Detective

Recent users of Oxygen Forensic® Detective may have noticed a new tool called “Smart Filter” in the toolbar of the Timeline section.

This feature is designed to make investigations more efficient and insightful by offering a variety of intuitive filters. Investigators will now have the ability to narrow their Timeline searches using the following Smart Filters: 

  • Show all messages from contacts who have mentioned.
  • Show messages from all the contacts, including group members, who have mentioned.
  • Show all messages from contacts who shared geo data.
  • Show events that happened before and after Key Evidence.
  • Show events within the timeframe that happened before and after Key Evidence.
  • Show events that happened before and after the events with geo-coordinates.
  • Show events within a determined timeframe that happened before and after the events with geo-coordinates. 

These smart filters can be divided into three categories, each focused on a different search criterion: Mentions, Geo-data, and Key Evidence. Let’s take a closer look at each.

Mentions

This category includes two Smart Filters:

  • Show all messages from contacts who have mentioned.
  • Show messages from all the contacts, including group members, who have mentioned.

Upon selecting them, investigators will be asked to enter the word or phrase they are searching for. Keep in mind, these phrases could be code words used by criminals, the name of a person of interest, or, as in this case, a drug.

Upon clicking “Apply”, investigators will see not only the message(s) containing the entered word but also the entire conversation, with the names of the people involved. From there, the investigator must analyze the conversation to determine if the word was used casually or not.

In our case, the use of this filter helped to determine the nature of the relationship between the device owner and some of their contacts, discover new chains of the drug trade, and uncover some details of the operation.

Geo-data

This category includes the following Smart Filters:

  • Show all messages from contacts who shared geo-data.
  • Show events that happened before and after the events with geo-coordinates.
  • Show events within the timeframe that happened before and after the events with geo-coordinates.

Upon selecting the last two options, investigators will be asked to enter either the number of events to display or the time range, depending on the chosen filter.

All of them are centered around geo-data, which is not only valuable on its own but can be a useful supplement to other data. 

In our previously described drug case, selecting “Show all messages from contacts who shared geo-data” helped to identify the drug couriers who left packages at certain locations and then shared the package locations with the device owner. Upon analyzing the messages, we can distinguish the supposed couriers from other contacts, along with those who occasionally shared geo-data as well.

The last two smart filters in this category are helpful when it comes to studying behavioral patterns, detecting deviations, and examining the device owner’s response to out-of-the-ordinary events. In the drug case, for example, applying this filter helped to determine that right after receiving the location from a courier, the device owner always called some unidentified contact. This pattern broke once when the package location was sent not by an actual courier but by a police officer.

What was the cause for not calling then? Was the device owner tipped off about the ambush? If so, how? The answers could be found below, among events that happened before data with geo-coordinates.

Key Evidence

This category includes the following Smart Filters:

  • Show events that happened before and after Key Evidence.
  • Show events within the timeframe that happened before and after Key Evidence.

These filters are similar to the last two filters in the geo-data category. Upon selecting them, investigators will be asked to either enter the number of events to display or the time range, depending on the chosen filter.

However, unlike the geo-centered options, these require the device data to be reviewed by the investigator prior to running the search since some of the data has to be marked as Key Evidence for this filter to operate. These filters prove useful when analyzing the device owner’s reaction to the situations relevant to the case.

Let’s say an employee took a picture of a document containing confidential information. They claim that it was intended for personal use, to be studied after hours with the intention to delete it afterwards. The picture in question was already marked as Key Evidence by an investigator. Upon applying the filter, a new piece of evidence was discovered: shortly after taking the picture, the device owner texted one of the contacts, “Let’s meet. I have what you want.” This was not evidence per se but rather a lead worth investigating. The communications history with the contact was unearthed by right-clicking on the contact in the grid, selecting “Show the contact card”, and then opening the “Communications” tab. It turned out that this contact was in fact blackmailing the previously mentioned employee and receiving confidential data in return.
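The count-based and timeframe-based filters described in the Geo-data and Key Evidence sections can be reproduced over any exported event list, including the "pattern broke once" check from the drug case. The following is an added example, not Oxygen Forensic® Detective's own code or export format; the event fields (`ts`, `kind`, `contact`, `geo`, `key`) and the sample timeline are constructed for illustration.

```python
from datetime import datetime, timedelta

def ev(ts, kind, contact, geo=False, key=False):
    """Build one timeline event (field names are assumptions for this example)."""
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"), "kind": kind,
            "contact": contact, "geo": geo, "key": key}

# Constructed sample timeline, not real case data.
TIMELINE = sorted([
    ev("2023-05-01 10:00", "message", "Courier 1", geo=True),
    ev("2023-05-01 10:03", "call", "Unknown"),
    ev("2023-05-02 15:00", "message", "Courier 2", geo=True),
    ev("2023-05-02 15:04", "call", "Unknown"),
    ev("2023-05-03 11:50", "message", "Contact B"),
    ev("2023-05-03 12:00", "message", "Sender 3", geo=True),
    ev("2023-05-03 18:30", "photo", "-", key=True),
    ev("2023-05-03 18:34", "message", "Contact C"),
], key=lambda e: e["ts"])

def by_count(events, anchor, n):
    """Per anchor event: (anchor, n events before it, n events after it)."""
    return [(e, events[max(0, i - n):i], events[i + 1:i + 1 + n])
            for i, e in enumerate(events) if e[anchor]]

def by_time(events, anchor, window):
    """Per anchor event: (anchor, other events within +/- window of it)."""
    return [(e, [x for x in events
                 if x is not e and abs(x["ts"] - e["ts"]) <= window])
            for e in events if e[anchor]]

def missing_followup(events, anchor, kind, window):
    """Anchor events NOT followed by an event of `kind` within the window."""
    return [e for e, near in by_time(events, anchor, window)
            if not any(x["kind"] == kind and x["ts"] > e["ts"] for x in near)]

if __name__ == "__main__":
    quarter = timedelta(minutes=15)
    for e in missing_followup(TIMELINE, "geo", "call", quarter):
        print("geo share with no call afterwards:", e["ts"], e["contact"])
    for e, before, after in by_count(TIMELINE, "key", 1):
        print("after key evidence:", [(x["kind"], x["contact"]) for x in after])
```

On the sample data the deviation check returns only the third geo share, and the timeframe view of that event surfaces the message received ten minutes earlier, which is the kind of lead the article describes looking for.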

We are confident the new smart filters in Oxygen Forensic® Detective will expedite investigations, making the search for evidence more efficient and effective. Try this feature now and share your opinion with us!

If you wish to learn more, watch our Knowledge Nugget about the Smart Filters here.