What is Triage-really?

There seems to be a range of views about what “triage” really is.

For me, triage is a process, supported and enforced by technology, that allows our first responders on scene to make informed decisions about 2 things:

a) Whether the item being triaged is likely to contain data of interest/value and should be subjected to forensic examination and…

b) Whether the “suspect” user/owner of the items should be detained or released pending further examination of the items.

Like the breathalyser analogy, the triage process/technology should usable by a wider community than the expert user because, although we have our own skills and a host of technical “triage” tools, there simply will never be enough of “us” to cope with demand.

Users of triage tools should be trained in its deployment but should not necessarily need to be technically skilled because the triage technology should enforce the controls and logging necessary to ensure potential evidence/intelligence is not damaged or tainted by its use.

I believe there is a BIG difference, both technically and procedurally, between the various key stages of a digital investigation. I think these are

1) “Triage” – identifying items likely to contain evidence/intelligence and helping with prioritizing their examination.
Typical location= on site
Skill level = minimal.
Case knowledge level= anywhere between speculative and detailed.
Process time criticality = always as fast as possible

2) “Early Case Assessment” – Processing seized items to make as much relevant information as possible available to the “case officer” as quickly as possible so that they can assist the forensic expert to extract and produce relevant evidence.
Typical location= forensic lab
Skill level = Expert – using complex scripted tools to carve, recover, index and categorize .
Case knowledge level= anywhere between minimal and detailed.
Process time criticality = always as fast as possible – scripting used to limit experts time

3) “Forensic Analysis” An expert uses a combination of being guided by the case officer and guiding the case officer through the materials revealed in stage 2 so the expert can produce “evidence” using forensic techniques to the satisfaction of the court.
Typical location=forensic lab
Skill level = Expert – uses complex tools, technical knowledge & experience.
Case knowledge level= detailed.
Process time criticality = will depends on the materials and the nature of the case.

So, my question is this… what are the objections to using “triage” as defined above?

Andrew Sheldon MSc Forensic Computing

Terminology can mean different things to us all

Having just attended a big conference in the USA, it became even more apparent how we are separated by a common language!

The term ‘triage’ as applied to digital devices seems to involve quite a different process in the USA when compared to the understanding of the term here in the UK. I attended a presentation of a new ‘triage’ tool that is made available free to law enforcement and military customers and I must say it was a brilliant product…. BUT I don’t think it’s what we understand a triage tool to be. The reason? It only works on forensic images of a target device and usually runs overnight! This makes it what I would call an “Early Case Assessment” tool and not a triage solution. The two tasks are quite different for two reasons: Speed and Functionality

Out in the field, where time is of the essence, a triage process should be conducted to quickly help the first responder classify and prioritise devices that the experts need to examine. Once in the forensic lab and with the luxury of more time, an “early case assessment” process can automate many of the time consuming tasks a forensic expert would normally spend hours performing like carving file fragments, extracting and reporting relevant email, identifying event sequences, generating a standard case report etc.

The ‘early case assessment’ tool I witnessed looked very impressive and I’m sure would be of great benefit to forensic analysis in speeding up initial case reviews and I’m happy to pass on details to relevant organisations. Likewise, if your lab is already suffering long delays caused by volumes of unnecessary device seizures then I’m happy to discuss how SPEKTOR Forensic Intelligence and SPEKTOR Phone Intelligence can eliminate these delays and help you focus on what you do best. Call us now for more information. +44(0)845 125 4400

info@evidencetalks.com

The importance of specific training

For some reason, training seems such an unattractive offering, but in reality it is essential for every company producing tools, whether in the Digital Forensic market or not, to offer good training on their kit.

Technical people love new toys. Pieces of gleaming technical kit are so appealing to them, shining in the sun, enigmatically they beckon the purchaser forward to stroke the box and entice the user to know more about it, once hooked they then want to own it. But once they have bought it would they automatically know what to do with it?

Even highly technical people cannot inherently know how to get the most from a tool without training. Should training be sold as an optional separate item or should training be bundled into the purchase price as a package offering?

As a company selling technical equipment for users, some technical and some not technical , we believe strongly in the value of concise, intelligent and interactive training. The user can then get the most from the tool in the most efficient manner. This is clearly beneficial to them and it is beneficial to us as we then have happy users who are proficient and confident in using the tool.

For the product developer, training takes time to develop and deliver and as tools are updated then updates for training have to be pushed out to users taking more time and resources. The value for the user is
a) in the confidence gained in using the tool
b) in knowing when to use the tool
c) in saving time when using the tool
d) by using all of its’ features
e) in the understanding the results that the tool will give the individual or organisation.
Proper training of users will make the tool a real asset to the individual or organisation. Untrained users make the tool an expensive ornament as it stands the danger of not being used or used incorrectly.

The question is should all technical kit and tools be sold with mandatory training and accreditation or should the user still have a choice whether to take this up or not?

Working smarter in these cash-strapped times

A survey by the BBC on ‘Breakfast’ this morning demonstrated that 60% of the public were willing to see cuts in public services in view of the funding deficit the country is facing. This is very encouraging seeing as the public sector seems already to be implementing these cuts and reigning back heavily on any form of spending. Sensible yes, but also very difficult for UK businesses who make and sell products or deliver services to the public sector here in the UK.

I wonder how many of those 60% would still be happy if the cuts directly affected them. There were comments that education and defence should be protected. surely if cuts are to happen then they should be fair across the board, otherwise we are all going to say that our area of interest should be protected.

Hence the need for us all to be flexible and think and work smarter. Tools that save money and human resources are the order of the day. Retraining users to be adaptable and skilled in more than one area. Buy and deploy tools that can be used for multiple tasks and then in the future additional functionality can add even further value.

Everyone has a civic responsibility to encourage the country to maintain a balanced economy. Likewise the procurer’s of equipment and services for the public sector need to be mindful of companies whose livelihood are resting on the fortunes of the UK economy. Let us as manufacturers, design smarter products and sell smarter tools and all of us do our bit for the good of our futures.

The need for Forensic Triage

Over the next few years, the way Forensic Incident Response is performed will have to be change significantly. The science of digital forensics is and should be continually evolving to take account of advances in the wider IT environment.

Over the last few years, there have been many changes in response methodology. Take, for example, the introduction of techniques for the preservation of volatile memory, the acceptance in criminal prosecutions of “logical evidence files” rather than complete disk images or the introduction of corporate email caching systems to allow rapid and acceptable disclosure.

Within the digital forensic community, change is inevitable and probably our biggest issue but it can also be one of our greatest assets – as long as it is managed and controlled.
So, in order to address the demands of the future role of forensic response, it is essential that we identify ….

• what our limiting factors are
• what stops us from delivering results
• what can and cannot be changed
• How we maintain accuracy, reliability, legal and scientific acceptability.

In all cases, speed of appropriate response is of the essence but achieving that is not easy. Appropriate forensic skills may not be available at the scene or even close to the scene and seizing all items that could contain evidence for future forensic analysis has, for some time, been the cause of severe examination backlogs in forensic labs, unavoidable and constant task prioritisation which, in turn, results in unacceptable delays in the legal process.

This examines the accepted methodologies and practices used by forensic analysts when responding to an incident and considers the need to perform a forensically acceptable and evidentially sound triage “review” of computers and other digital media devices with the aim of:
• Quickly identifying those devices that are likely to contain material of interest
• Avoiding unnecessary seizures of items with no evidential or intelligence value
• Reducing delays in processing critical evidential items
• Reducing the time from arrest to sentence
• Improving the efficiency and effectiveness of forensic analysts
• Reducing the costs of forensic analysis

read the next instalment next week

Forensic Triage

There is no doubt forensic analysts are going to have to work smarter as working harder is not keeping up with the backlog. The quantity of digital data to be examined for each forensic case is growing larger almost weekly as storage capacity expands, becomes more affordable and more compact.

Although more forensic analysts are coming on to the job market this is not solving the backlog issue, the answer lies in the ability to effectively triage computers and other digital media to ascertain whether the item requires a full forensic analysis by the experts.

So who would perform this forensic triage? It makes no sense to ask fully trained (and relatively scarce) forensic analysts to do the triaging as they are much better employed back in the lab doing what they are really skilled at doing; that is the deep dark analysis of systems. Far better is to find a tool that can be deployed by front line staff much as breathalysers are used today by front line staff. The breathalyser embodies sophisticated chemistry but the user only needs to know how to calibrate it, deploy it and then interpret the results. A positive reading will enable the officer to take the suspect back to headquarters for further scientific testing by means of a blood or urine sample.

SPEKTOR is such a tool. A few hours of training will enable an officer or front line person to be able to configure the device for targeted data collection, collect that data from a suspect device in a write-protected manner that does not allow any changes to that device and then generate a report that allows them to see easily and clearly that targeted collected data. Time and effort saved by only seizing the data requiring full analysis is enormous, instead of seizing everything a few hours onsite triaging the items will result in many fewer false positives back in the lab and the use of the forensic analysts’ time on a concentrated and effective manner.

To learn more about SPEKTOR and how it might benefit you read here

What are your views on forensic triage and who should be using it?

Best advice for recovering lost files

I answered a post recently from a student who had lost an important essay plus all the accompanying research on her computer. She had asked on this yahoo group if anyone could advise her how to retrieve the work. There were many answering posts suggesting that she download a tool to recover the data.

The act of downloading any item could potentially overwrite the very data she was hoping to recover. Luckily she saw my post suggesting that we have a look at it for her, using our non-invasive forensic tools and we were able to recover the data in full very quickly for her.

It is advisable to seek professional help if you find yourself in this situation, we always provide such advice free of charge.

Exciting times in the world of Computer Forensics

Banks are crashing around us and business are closing at an alarming rate but the world of the computer forensics expert is getting rather busy and exciting. It is a fact that when times get tought people take more risks, they think ” I am being made redundant so what have I got to lose ..”

We have seen enquiries rise in the recent months and significantly more enquiries about our specialist forensic products. Especially Remote Forensics, as it saves both time and money and allows organisations to increase the productivity of their existing staff.

Remote Forensics Mobile POD