Identities: what are they, merging and exporting


When we implemented Identities in Tracks Inspector in 2013 we co-authored two scientific papers (see below under more reading). The paper at the International Conference of Artificial Intelligence and Law in Rome triggered  NewScientist to write an article called “Fast digital forensics sniff out accomplices”. The article starts as follows “When a suspect is apprehended, their computers, phones and other devices become important sources of evidence. But mining all that data – a typical case can involve several terabytes of information – takes time, and usually requires specially trained officers. Backlogs can delay investigations for weeks.” Identity analytics can help speed up the investigation. But what are identities and how can they be used in Tracks Inspector?

What are identities?


Identities are text snippets extracted from records that are likely to be related to a person. For example email addresses from email records, phone numbers from mobile phone contact records, user accounts from the MsWindows registry or user handles from a Skype conversation. Tracks Inspector ranks identities and enables a user to search for aliases and merge them in a single identity. Tracks Inspector also presents dashboard that can be used to discover which identities occur on which evidence units. This use of computer-assisted extraction, merging and correlation of identities helps investigators with prioritizing evidence units in their investigations so they can find “low-hanging fruit” quickly. This feature of Tracks Inspector is unique by not focusing on full-text searches but instead on the digital-forensic features of files, operating systems, file systems and applications.


 How can identities be used?


A user can merge different aliases of a person into a single identity. Tracks Inspector will automatically present an overview of all evidence related to an identity including all aliases that have been merged in that identity. Identities can also be used as facets to filter evidence and combine it with other facets such as dates, language and camera type. Relations between identities (e.g. through email exchange, phone calls, chats) can be exported in a format that is compatible with I2. This allows information analysts to take intelligence from Tracks Inspector and visualize this in a relationship diagram or timeline line.

More reading: