Welcome back to another instalment from the Cyacomb Forensics blog.
In my previous blogpost I discussed the challenges impacting DFIR investigations and the key issues facing investigators today. I focused on the rise in the number of devices encountered during investigations, as well as increasing volumes of data and a growing trend towards larger storage capacities on devices as manufacturers keep pace with users' demands.
In this blogpost I will discuss Digital Forensics Triage in more detail and how it can assist with those challenges that I mentioned previously.

Digital Forensics Triage! What is it?

Historically, the concept of medical triage is firmly rooted in the Napoleonic wars of the early 1800s, where the French military surgeon Baron Dominique-Jean Larrey[1] devised a system for treating casualties on the battlefield, categorising the wounded based on the injuries they had sustained and their need for urgent medical attention.

In the world of Digital Forensics, the process of triage is no different. It stems from the Computer Forensics Field Triage Process Model (CFFTPM)[2], which called for an onsite or field approach to identifying, analysing and interpreting digital evidence, and which is particularly useful in time sensitive investigations.

This involves screening those items of evidential value and placing those that are the most important or most volatile first.

An important aspect of Digital Forensic Triage is that it does not rely on acquiring a forensic copy of the device. This means that investigators can discover relevant evidence quickly on scene rather than waiting for a full forensic examination of the device in a Digital Forensics lab, which is time consuming and increases the risks associated with devices being held in backlogs.

The process of triaging digital evidence has been proven to help reduce the bottlenecks in investigations caused by seized devices remaining in labs for weeks and months before being examined.

Digital Forensic Triage also addresses the imbalance between growing demand for digital forensic investigation services and availability of these limited resources, ensuring that specialist forensic capability is targeted to where it can make the most impact.

Let’s look at the benefits of using Digital Forensics Triage and how it can help with digital investigations.

Benefits of Digital Triage

There are a number of benefits to using triage as part of a digital forensics strategy.

Speed

The early identification of critical evidence is going to be crucial to unlocking investigations, particularly those that are time sensitive. The process of extracting and analysing data from devices is time consuming, particularly as storage capacities on digital devices have increased over the years to keep up with user needs and requirements. This has directly impacted digital investigations as larger capacity drives containing greater volumes of data will require examination of one form or another, whether on-scene or in the Digital Forensic lab.

Finding evidence quickly and accurately is going to be a key consideration when choosing a tool to aid investigators in the triage process.

Prioritising devices

The proliferation of digital devices has led to a rise in the number of devices seen in investigations. Factor in the number of devices per suspect, the variety of device platforms, and larger storage capacities coupled with the increased volume of data, and it is easy to see how investigations can be impacted and overwhelmed.

Using Digital Forensics Triage, investigators can quickly identify devices that contain relevant evidence. Devices containing evidence critical to the investigation can then be prioritised by Digital Forensics staff in the lab.

Effective use of resources

Triage in digital investigations also enables decision makers to make the best use of resources, be they human resources or forensic tools. These finite resources must be used efficiently and effectively to maximise their impact on investigations.

Digital Forensics staff are highly skilled professionals with Subject Matter Expertise in their field of work, making them a valuable resource in supporting investigations. Backlogs can be further compounded by shifting personnel from lab work to on-scene examinations, so it is extremely important that they are managed effectively.

Likewise, Digital Forensics tools should be deployed by making full use of their capabilities to identify critical evidence during the triage phase of the investigative process. In an ideal world a single tool would enable investigators to conduct all aspects of digital forensic work, from triage through to thorough analysis, however the reality is that the perfect Digital Forensic tool simply does not exist.

The analogy of a trades person with a toolbox containing an assortment of tools, with each tool having a specific purpose, is applicable in the context of conducting digital investigations. Similarly, it is important that Digital Forensics professionals are aware of the variety of tools available to them and that they choose the right tool for the right job, incorporating them into workflows and utilising specific tool capabilities.

Save time and reduce risk

The use of triage in Digital Forensics investigations has proven to significantly reduce the time taken to identify critical evidence which will speed up the investigation process. Investigators can focus on relevant data and progress investigations quickly while eliminating irrelevant information that would otherwise take up valuable time.

Nowhere is this more evident than at a crime scene, where investigators are often confronted with multiple devices. Using triage to aid the decision-making process around device seizure, investigators can determine that a device containing no relevant data does not need to be seized and can be left behind, effectively reducing backlogs.

Risk is also reduced as devices containing relevant evidence can be expedited for a thorough examination as opposed to waiting in a backlog to be examined weeks or even months later, potentially leaving offenders at large and victims unidentified.


Cyacomb Forensic Tools – Breaking new ground in Digital Forensics Triage

Cyacomb’s Forensic Tools have already proven to be a valuable and effective addition to our customers’ Digital Forensic toolkits, for all of the reasons discussed above and more.

Our tools are:

Fast – Up to 100x faster than using traditional methods to find evidence relating to child abuse or terrorist activity. Results are presented within seconds, which matters when you are dealing with time sensitive investigations.

Simple – The easy-to-use interface of our tools means that investigators require limited training and are only a few clicks away from conducting effective digital forensics triage.

Thorough – Cyacomb Forensic tools are built on scientific principles, underpinned by university research, and are both fast and thorough.

Interested to know more about our ground-breaking technology and how it can empower your Digital Forensics staff and unlock investigations? Contact us today to find out how Cyacomb’s tools can integrate into your existing Digital Forensic toolkit and workflows.


[1] The American Civil War and the Development of Triage. National Museum of Civil War Medicine.

[2] Marcus K. Rogers, James Goldman et al. "Computer Forensics Field Triage Process Model." (erau.edu)
