The demand for data forensics and emergence of Triage

The demand for data forensics and emergence of Triage
The demand for data forensics and emergence of Triage

In today's world digital content is everywhere - from corporate environments to home computers, to the latest smart phones, games consoles and media centres, digital content can be created and stored in an ever increasing number of devices.

Many modern crimes include multiple forms of digital media/content and the proliferation of this creates a lot of complexity for forensic scientists when tasked with finding and analysing digital evidence in an investigation.

Traditional investigative methods have approached digital forensics with either a ‘seize all' or ‘image on-site' strategy, which involve forensic scientists analysing all digital devices found at a given crime scene. While this method has historically worked well, the rising number of devices seized per crime, coupled with an increase in the amount of data that is storage on each device, means that forensic examiners are starting to struggle.

Several hours are wasted on imaging and analysing vast amounts of data and devices that are irrelevant to the overall investigation, which significantly impacts staff resources and costs. Managing the workload and associated storage required for digital evidence is becoming an increasing issue, and the size of the problem can be clearly seen when comparing technology and its use today with five years ago.

Moreover, one report  has noted that during the London Olympics, around 306 billion files were shared on the World Wide Web and Almost 5 billion tweets and in excess of 100 billion files were shared via social media outlets, showing the scale of data in today's world. This has led to an increased demand for forensic examiners to help the increasing workload.

To help front line officers tackle these challenges, police forces have started to adopt an approach called ‘Triage', or ‘Targeted Data Collection'. Triage helps filter out devices that do not contain information or items of interest and instead prioritises analysis of items likely to be of evidential value.

By only giving investigators devices that are known to contain evidence, their time can be focussed on the real items of interest. In addition, users of Triage technology do not necessarily need to be highly skilled examiners as the technology assists in much of the forensic process.

This means that the forensic examiners themselves can focus on critical evidence once it has been identified, rather than having to be involved in the process of identifying evidence.

A recent Government study showed that forces that adopted a strategic Triage approach reduced their backlogs by 60 per cent and increased the productivity of their investigators by 90 per cent, and an example of the benefits of Triage technology can be seen with the Lancashire Constabulary Hi Tech Crime Unit (HTCU).

In July 2011, Dell's Triage solution, SPEKTOR, was chosen as an effective tool to assist in processing the ever increasing range and volume of digital evidence presented for examination. This is operated and managed by Nigel Hardacre and Mick Ellwood within the Hi-Tech Crime Unit.

The team has found it to be a very useful tool, as it has been able to overcome many of the difficulties associated with processing complex devices such as those containing multiple disks or solid state storage. It has assisted them in acquiring forensic images from these types of devices using the specially developed SPEKTOR collection technology, which has proved to be a real time saver and avoids the often onerous task of disassembling devices to remove hard disks.

In addition to its regular use within the lab, SPEKTOR can also assist on scene, helping examiners with the challenge of potentially complex crime scenes, involving multiple and varied devices.

Triage solutions are helping forensic examiners reduce the backlogs of data analysis, providing the ability to handle the wide variety of PCs, servers, phones, removable media and satellite navigation units, seized on a daily basis. Simple-to-use triage tools allow an investigator with minimal training to process, review and make an informed, forensically sound decision as to whether a suspect device requires deeper forensic analysis.

While the technology is not currently mandated, the benefits of Triage are clear and proven in operational environments, helping digital investigators analyse data more effectively and help address the backlog of devices and huge costs associated with traditional approaches to digital investigations.

James Buckland is EMEA business developer of digital forensic solutions at Dell

close

Next Article in Security Cats Blog

SC Webcasts UK

Sign up to our newsletters

FOLLOW US