SANS Digital Forensics and Incident Response Blog

Using mind maps in forensics

by Jeff Bryner

I've been playing with mind mapping software lately, mostly using the wonderful open source freemind. I'm definitely not the first one to consider using this for forensic analysis, but hopefully I can help spread the meme and help us all organize our thoughts.

Just for fun, here's a sample starting point for a fake embezzlement case if you've not seen a mind map before:
[Image: basic mind map]

I've posted it here in case it's easier to start with a template.

Nothing but the facts, right? Now the beauty isn't its complexity, it's the dynamic nature of the tool, which gives you the freedom to think of something, jot it down immediately, categorize it later and avoid the dreaded 2 a.m. wake-up because you forgot something. You hover over a node, press Insert, type and you are done. If it's in the wrong spot or category, drag it wherever you like. Freemind doesn't offer timeline templates; Matchware does, however, which is especially useful for forensics.

Here's another expansion of the same template with some detail as we learn more about our case:
[Image: after we've learned a bit more]

Finally let's imagine that we've stumbled upon some key bit of information. Simple copy/paste adds it to our map:
[Image: map with the key information pasted in]

And we've got something we could even show a client, get their feedback on, add new branches, etc. Give it a go!

Jeff Bryner, GCFA Gold #137, also holds the CISSP and GCIH certifications, occasionally teaches for SANS and performs forensics, intrusion analysis, and security architecture work on a daily basis. He just re-upped on GCFA *and* GCIH and may actually now flirt with free time rather than ogle it from across the street.


Posted May 18, 2009 at 8:35 AM


Frankly, you were not the first one for several years (not even me, btw). But it is really good that you are one of the pioneers in publicly showing that mind maps are good for forensics. Anyway, some additions I think would be useful for anyone:
1. Crossing important coordinates - Certain tools allow for cross links. You create a branch to "follow" a set of data related to something or someone. Each node is a name, a mail address, a phone number or an IP. After you introduce all objects, you make cross-links between common nodes. When you have one or two "objects" this approach is not useful and probably a waste of time. But when you have tens or hundreds, it is the tool of the trade. You may even find completely unexpected and amazing relations between companies or suspects. But be careful, keep things tidy and objective or someone will think you are John Nash, of that film.
2. Directories with more than a filename and date - You have a complete mess with data. Your people are pouring in tons of evidence but you lost your train of thought in the XXX note. Yes, your subordinates are good guys, they love to work, but they are a little clumsy. Pick up a mindmap and organize the document tree with some basic data. And you start seeing the misleads, the gaps, the holes everywhere. However, don't go too specific or you are just changing your notebook for macaroni on the monitor.
3. Identity search - Smith said "I am the father of five orphans", Jonny said "I am the father of six orphans", Martha said "I am the father of ten orphans". Well, it seems we are seeing too many fathers in the same case, the possible author even goes transsexual... You gather the key phrases into a mindmap, then you search for similarities. The best you usually get is to prove that Smith, John and Martha are one and the same person, but sometimes, you may even find the true name of the suspect. Anyway, a warning - this demands a few things more than computer forensics and may give a false positive or a more common false negative.

Posted June 1, 2009 at 3:36 AM
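The cross-linking approach from item 1 of the comment above (one branch per person or company, leaf nodes for identifiers, cross-links wherever an identifier recurs), as an added Python example that is not part of the original post or its comments. The case data is constructed, and the FreeMind .mm element and attribute names it emits are assumed from FreeMind's XML format rather than taken from the page.

```python
from collections import defaultdict
from xml.sax.saxutils import quoteattr

# Constructed sample: each "object" (a person or company branch) with the
# identifiers collected for it during the case
CASE = {
    "Smith": {"smith@example.com", "+1-555-0100", "192.0.2.10"},
    "Jonny": {"jonny@example.com", "+1-555-0100", "198.51.100.7"},
    "Martha": {"martha@example.com", "192.0.2.10", "198.51.100.7"},
    "ACME Ltd": {"acme@example.com"},
}

def cross_links(case):
    """Identifiers seen under two or more objects -> sorted list of those objects.
    These are the 'common nodes' worth a cross-link on the map."""
    seen = defaultdict(set)
    for obj, idents in case.items():
        for ident in idents:
            seen[ident].add(obj)
    return {i: sorted(o) for i, o in seen.items() if len(o) > 1}

def to_freemind(case):
    """Render the branches as a FreeMind .mm document, drawing one arrowlink from
    the first node of each shared identifier to each of its other occurrences.
    Assumed format: <map>/<node ID= TEXT=>/<arrowlink DESTINATION=>."""
    node_id = {(obj, i): f"ID_{n}" for n, (obj, i) in
               enumerate(sorted((o, i) for o, ids in case.items() for i in ids), 1)}
    shared = cross_links(case)
    out = ['<map version="1.0.1">', '<node TEXT="case">']
    for obj in sorted(case):
        out.append(f'  <node TEXT={quoteattr(obj)}>')
        for ident in sorted(case[obj]):
            out.append(f'    <node ID="{node_id[(obj, ident)]}" TEXT={quoteattr(ident)}>')
            if ident in shared and obj == shared[ident][0]:
                for other in shared[ident][1:]:
                    out.append(f'      <arrowlink DESTINATION="{node_id[(other, ident)]}"/>')
            out.append('    </node>')
        out.append('  </node>')
    out += ['</node>', '</map>']
    return "\n".join(out)

if __name__ == "__main__":
    # Print the relations first, then the map that can be opened in FreeMind
    for ident, objs in sorted(cross_links(CASE).items()):
        print(f"{ident}: {' <-> '.join(objs)}")
    print(to_freemind(CASE))
```

With tens or hundreds of branches the printed relation list is the quick sanity check the comment asks for before the map gets too busy to read.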


The first thing any security professional needs is a whiteboard.