Over the next few years, the way Forensic Incident Response is performed will have to change significantly. The science of digital forensics is, and should be, continually evolving to take account of advances in the wider IT environment.
Over the last few years, there have been many changes in response methodology. Take, for example, the introduction of techniques for the preservation of volatile memory, the acceptance in criminal prosecutions of “logical evidence files” rather than complete disk images, or the introduction of corporate email caching systems to allow rapid and acceptable disclosure.
Within the digital forensic community, change is inevitable and probably our biggest issue, but it can also be one of our greatest assets – as long as it is managed and controlled.
So, in order to address the demands of the future role of forensic response, it is essential that we identify:
• what our limiting factors are
• what stops us from delivering results
• what can and cannot be changed
• how we maintain accuracy, reliability, and legal and scientific acceptability.
In all cases, speed of appropriate response is of the essence, but achieving that is not easy. Appropriate forensic skills may not be available at the scene, or even close to it, and the practice of seizing every item that could contain evidence for future forensic analysis has for some time caused severe examination backlogs in forensic labs and constant, unavoidable task prioritisation, which in turn results in unacceptable delays in the legal process.
This article examines the accepted methodologies and practices used by forensic analysts when responding to an incident, and considers the need to perform a forensically acceptable and evidentially sound triage “review” of computers and other digital media devices with the aim of:
• Quickly identifying those devices that are likely to contain material of interest
• Avoiding unnecessary seizures of items with no evidential or intelligence value
• Reducing delays in processing critical evidential items
• Reducing the time from arrest to sentence
• Improving the efficiency and effectiveness of forensic analysts
• Reducing the costs of forensic analysis
Read the next instalment next week.