Portable Digital Forensics

When the world was simpler, in a bygone era, few cases involved digital evidence. Those that did concerned very few devices, and those devices had limited storage and complexity.  As a result, the science of Digital Forensics developed with a focus on understanding every single artefact on a device.  

As volume and complexity increased, digital forensics software evolved from presenting the 1s and 0s to providing sophisticated ways to extract, view and manage larger volumes of evidence.  Automation came into workflows to ensure analysts' time was not wasted on routine tasks, and content analysis (from "pink filters" to advanced AI) arrived to help focus analysts' efforts on the most relevant content.  

In some cases, speed at the front line is important, and portable or triage versions of a number of forensics tools were created, to support the work of an analyst who has gone out with a team serving a search warrant, and to enable them to get results in the field.    

Some of these tools focus on doing things that can only be done in the field (such as RAM capture or probing home networks).  Most were conceived by looking at what an analyst does in the lab and trying to translate it into a portable and abbreviated format.  As a result, they struggle with a set of fundamental compromises.  Fast or thorough?  Fast or accurate?  Portable or complete?  For experts or field users?  

While these tools are often described as being used for "triage", what they offer is actually a pale shadow of the original meaning of triage.   

 

What is Triage?

The Oxford English Dictionary describes triage in its original medical context:

"To perform a preliminary assessment (of a patient) in order to determine the nature and degree of urgency of treatment required"

Looking across the Atlantic, Merriam-Webster follows a very similar pattern:

"The sorting of and allocation of treatment to patients and especially battle and disaster victims according to a system of priorities designed to maximize the number of survivors"

The concept is clear.  Triage is not about diagnosing or treating patients. It is about prioritising patients for more detailed diagnosis and treatment.  Triage identifies where immediate attention is needed and where it is not.  It should identify those who will bleed or suffocate if not helped immediately.  It is not about determining precisely how a patient with serious bleeding should be treated, or for those at no immediate risk, diagnosing whether someone's ankle is sprained or broken.

The output of the triage process is prioritisation for medics to come in and take immediate action with the patients that need it most.

These definitions of triage don't fit very comfortably with the classic Digital Forensics approach to triage.  What is often called triage in Digital Forensics seems more like a doctor sitting down with a patient and taking the first steps towards diagnosis.

 

Triage that works

Triage is about prioritisation, and a key aspect is being able to make decisions about many devices in a short space of time, right at the start of a process.

Medical triage is a process that allows a first responder to separate those needing immediate attention from those who can wait for attention, and those who might need no attention at all.  In some cases that first responder may be a doctor, but they might also be a nurse, first aider, police officer or medical corpsman.

By analogy, the job of digital forensics triage should be to find the devices and evidence that can drive immediate action (arrest, safeguarding), those that are suspicious (perhaps due to high levels of encryption or other indications of offending behaviour) and those that don't offer immediate results.

This is what Cyacomb Forensics aims to accomplish.  We strive to empower people at the front line (whether they are investigators, probation officers, border officials or digital forensic analysts) with the information they need to act, and to do so in a time-frame compatible with their role (seconds or minutes, not hours or days).

 

Start with Outcomes

To deliver effective triage we start by looking at the operations and processes we support, and look at the key questions that need to be answered.  Those questions can vary depending on the situation:

  • Is this person offending?
  • Is this person re-offending?
  • Which person in this home is offending?
  • Which devices is this person using to offend?

Answering these questions helps to direct the search or investigation.  Often our users are working to a process which can be expressed as a flowchart.  Our objective is to align our outputs with the decision points on that flowchart, or to enable new decision points that improve the overall process.

 

Powering Decisions

While we align our tools with those decision points, we are not in the business of trying to automate decisions.  At the simplest level we present a result that is Red / Amber / Green. 

 

Red indicates we found strong evidence of offending.


For example, a match against a database of known CSAM.  In some scenarios this may be sufficient to enable a decision; however, we also provide the ability to manually verify this result before making a decision (assuming the situation is appropriate and the user is qualified to do so).

 

Amber indicates we found something that requires further consideration.

This may be something indicative of or concealing offending and could include matches against non-CSAM images which usually circulate as part of a CSAM series, filenames often associated with CSAM, or indications of unexpected encryption.  Again, in some scenarios this will enable a decision (usually to seize the device for further analysis).  We also allow the user to see more detail, which is carefully prioritised to highlight exactly what they need to know.  We try to avoid providing long lists of highly technical artefacts (although they are there if you need them) in favour of clear prioritisation and flagging.

Green indicates we didn't find anything.

That doesn't mean there's nothing there.  We're looking for information to enable fast decisions, and there are many categories of data that we can't access at speed.  For example, a device could contain first generation content or grooming chats that we're not going to find.  This doesn't mean we ignore these devices - it just means they aren't yielding information to enable decisions in a triage timescale.  Just like in medical triage, an apparently well patient could have a slow internal bleed or a high risk of secondary drowning.  This may be less urgent, but cannot be ignored.
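As an added illustration (not Cyacomb's code; the hash sets, the filename token, the entropy threshold and the sample devices are all constructed placeholders), a small Python routine that turns per-device findings into the Red / Amber / Green result described above, lists the reasons in priority order, and ranks several devices so the most urgent comes first:

```python
import hashlib
import math
import os
import re
from collections import Counter

# Constructed reference data; a real deployment loads hash databases from a trusted source.
KNOWN_HASHES = {hashlib.sha256(b"known-bad-sample-A").hexdigest()}    # drives a Red result
SERIES_HASHES = {hashlib.sha256(b"series-sample-B").hexdigest()}      # drives an Amber result
FILENAME_PATTERN = re.compile(r"PLACEHOLDER_INDICATOR", re.IGNORECASE)  # placeholder token
ENTROPY_THRESHOLD = 7.9   # bits per byte; assumed cut-off for "looks encrypted"
MIN_ENTROPY_SIZE = 256    # assumed: entropy of tiny files is not meaningful
COMPRESSED_EXT = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4"}  # high entropy is expected here
RANK = {"RED": 0, "AMBER": 1, "GREEN": 2}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (8.0 means indistinguishable from random)."""
    probs = [c / len(data) for c in Counter(data).values()]
    return -sum(p * math.log2(p) for p in probs)

def triage_device(files):
    """files: list of (path, content bytes). Returns (verdict, reasons ordered by priority)."""
    findings = []  # (priority, message); 0 = decision-driving, larger = context only
    for path, data in files:
        name = os.path.basename(path)
        ext = os.path.splitext(name)[1].lower()
        digest = hashlib.sha256(data).hexdigest()
        if digest in KNOWN_HASHES:
            findings.append((0, f"known-hash match: {name}"))
        elif digest in SERIES_HASHES:
            findings.append((1, f"series (non-CSAM) hash match: {name}"))
        if FILENAME_PATTERN.search(name):
            findings.append((1, f"filename indicator: {name}"))
        # Unexpected encryption: random-looking bytes in a file type that should not be compressed
        if (len(data) >= MIN_ENTROPY_SIZE and ext not in COMPRESSED_EXT
                and shannon_entropy(data) > ENTROPY_THRESHOLD):
            findings.append((2, f"unexpected high entropy (possible encryption): {name}"))
    if any(priority == 0 for priority, _ in findings):
        verdict = "RED"
    elif findings:
        verdict = "AMBER"
    else:
        verdict = "GREEN"
    findings.sort()  # most decision-relevant reasons first
    return verdict, [message for _, message in findings]

def prioritise_devices(devices):
    """devices: dict name -> files. Returns [(name, verdict, reasons)], most urgent first."""
    results = [(name, *triage_device(files)) for name, files in devices.items()]
    return sorted(results, key=lambda r: RANK[r[1]])
```

Calling `prioritise_devices` on a handful of constructed devices returns the Red device first, then Amber, then Green, each with its reasons already ordered for the user.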

 

An Extra Opportunity

Medical triage doesn’t necessarily change the number of people seen by a doctor or admitted to hospital, but it does ensure that resources are directed where they are needed most urgently and can do the most good.  It is this model of triage that Cyacomb embraces.

Time and time again our customers come to us with examples of how real triage helps them make decisions that accelerate investigations and power safeguarding.  Just a few very quick examples:

  • Cyacomb helped triage out several devices and associated residents. This allowed detectives to quickly focus on the devices and resident that mattered and led to the freeing of a live victim who was being actively trafficked.  Speed allowed officers to intervene before the victim could be moved on.
  • In a search at a family home, Cyacomb identified CSAM on devices belonging to both a man and his teenage son. Officers recognised the son was a victim of sexual abuse who had become addicted to CSAM, and were able to take prompt safeguarding action in a situation where they saw a high risk of suicide.
  • Cyacomb identified CSAM during a routine offender management visit, triggering arrest and further digital investigation.  This uncovered nude images of children from a hidden camera in a sports club changing room.  These images were being used to blackmail children into sending more images and meeting the offender.

In each case the officers were using Cyacomb to provide evidence fast in ways that their previous workflows would not have been able to deliver.

"The time saved through using Cyacomb is a remarkable efficiency improvement for our unit and adopting it is a no brainer." ICAC Investigator

To find out more about how Cyacomb can help transform your digital investigations contact sales@cyacomb.com 

To see Cyacomb in action watch our demo video or to try it for yourself request a trial.
