Effective resource management in digital forensics: an exploratory analysis of triage practices in four English constabularies

This is the author accepted manuscript. The final version is available from Emerald via the DOI in this recordPurpose: Building on the findings of a British Academy-funded project on the development of digital forensics in England and Wales, this article explores how triage, a process that helps prioritise digital devices for in-depth forensic analysis is experienced by digital forensic examiners and police officers in four English police forces. It is argued that while as a strategy triage can address the increasing demand in the examination of digital exhibits, careful consideration needs to be paid to the ways in which its set-up, undertaking and outcomes impact on the ability of law enforcement agencies to solve cases. Design/methodology/approach: The findings presented are the result of ethnographic observations and semi-structured interviews. They emphasise the challenges in the triage of digital exhibits as they are encountered in everyday practice. The discussion focuses on the tensions between the delivery of timely and accurate investigation results and current gaps in the infrastructural arrangements. It also emphasises the need to provide police officers with a baseline understanding of the role of digital forensics and the importance of clearly defined strategies in the examination of digital devices. Originality/value:This article aims to bridge policy and practice through an analysis of the ways in which digital forensic practitioners and police officers in four English constabularies reflect on the uses of triage in digital forensics to address backlogs and investigative demands. Highlighting the importance of digital awareness beyond the technical remit of digital forensic units, it offers new insights into the ways in which police forces seek to improve the evidential trail with limited resources.British AcademyEconomic and Social Research Council (ESRC

File system modelling for digital triage: An inductive profiling approach

Digital Triage is the initial, rapid screening of electronic devices as a precursor to full forensic analysis. Triage has numerous benefits including resource prioritisation, greater involvement of criminal investigators and the rapid provision of initial outcomes. In traditional scientific forensics and criminology, certain behavioural attributes and character traits can be identified and used to construct a case profile to focus an investigation and narrow down a list of suspects. This research introduces the Triage Modelling Tool (TMT), that uses a profiling approach to identify how offenders utilise and structure files through the creation of file system models. Results from the TMT have proven to be extremely promising when compared to Encase’s similar in-built functionality, which provides a strong justification for future work within this area

A Practitioner Survey Exploring the Value of Forensic Tools, AI, Filtering, & Safer Presentation for Investigating Child Sexual Abuse Material

For those investigating cases of Child Sexual Abuse Material (CSAM), there is the potential harm of experiencing trauma after illicit content exposure over a period of time. Research has shown that those working on such cases can experience psychological distress. As a result, there has been a greater effort to create and implement technologies that reduce exposure to CSAM. However, not much work has explored gathering insight regarding the functionality, effectiveness, accuracy, and importance of digital forensic tools and data science technologies from practitioners who use them. This study focused specifically on examining the value practitioners give to the tools and technologies they utilize to investigate CSAM cases. General findings indicated that implementing filtering technologies is more important than safe-viewing technologies; false positives are a greater concern than false negatives; resources such as time, personnel, and money continue to be a concern; and an improved workflow is highly desirable. Results also showed that practitioners are not well-versed in data science and Artificial Intelligence (AI), which is alarming given that tools already implement these techniques and that practitioners face large amounts of data during investigations. Finally, the data exemplified that practitioners are generally not taking advantage of tools that implement data science techniques, and that the biggest need for them is in automated child nudity detection, age estimation and skin tone detection

Anti-Forensic Trace Detection in Digital Forensic Triage Investigations

Anti-forensics, whether intentionally to disrupt investigations or simply an effort to make a computer system run better, is becoming of increasing concern to digital investigators. This work attempts to assess the problem of anti-forensics techniques commonly deployed in South Korea. Based on identified challenges, a method of signature-based anti-forensic trace detection is proposed for triage purposes that will assist investigators in quickly making decisions about the suspect digital devices before conducting a full investigation. Finally, a prototype anti-forensic trace detection system is given to demonstrate the practicality of the proposed method

DEEP: Extending the Digital Forensics Process Model for Criminal Investigations

The importance of high quality, reliable forensic analysis –an issue that is central to the delivery of justice– has become a topic for marked debate with scientists, specialists and government bodies calling for improved standards and procedures. At the same time, Law Enforcement agencies are under pressure to cut the cost of criminal investigations. The detrimental impact that this has had on all forensic disciplines has been noted internationally, with the UK’s House of Lords warning that if the trend continues, crimes could go unsolved and miscarriages of justice may increase. The pivotal role that digital forensics plays in investigating and solving modern crimes is widely acknowledged: in Britain, the police estimate it features in 90% of cases. In fact, today’s law enforcement officers play a key part in the recovery, handling and automated processing of digital devices yet they are often poorly trained to do so. They are also left to interpret outputs, with the results being presented in court. This, it is argued, is a dangerous anomaly and points to a significant gap in the current, four-stage digital forensics process model (DFPM). This paper presents an extension to that model, the Digital Evidence Enhanced Process (DEEP), with the aim of fine-tuning the mechanism and ensuring that all digital evidence is scrutinised by a qualified digital forensics analyst. The consequence of adopting DEEP in actual criminal investigations will be to ensure that all digital evidence is analysed and evaluated to the highest professional and technical competency standards, resulting in the enhanced reliability of digital evidence presented in court which will serve the cause of justice in terms of reduced instances of associated unsafe convictions and/or unjustified exculpations

A Domain Specific Language for Digital Forensics and Incident Response Analysis

One of the longstanding conceptual problems in digital forensics is the dichotomy between the need for verifiable and reproducible forensic investigations, and the lack of practical mechanisms to accomplish them. With nearly four decades of professional digital forensic practice, investigator notes are still the primary source of reproducibility information, and much of it is tied to the functions of specific, often proprietary, tools. The lack of a formal means of specification for digital forensic operations results in three major problems. Specifically, there is a critical lack of: a) standardized and automated means to scientifically verify accuracy of digital forensic tools; b) methods to reliably reproduce forensic computations (their results); and c) framework for inter-operability among forensic tools. Additionally, there is no standardized means for communicating software requirements between users, researchers and developers, resulting in a mismatch in expectations. Combined with the exponential growth in data volume and complexity of applications and systems to be investigated, all of these concerns result in major case backlogs and inherently reduce the reliability of the digital forensic analyses. This work proposes a new approach to the specification of forensic computations, such that the above concerns can be addressed on a scientific basis with a new domain specific language (DSL) called nugget. DSLs are specialized languages that aim to address the concerns of particular domains by providing practical abstractions. Successful DSLs, such as SQL, can transform an application domain by providing a standardized way for users to communicate what they need without specifying how the computation should be performed. This is the first effort to build a DSL for (digital) forensic computations with the following research goals: 1) provide an intuitive formal specification language that covers core types of forensic computations and common data types; 2) provide a mechanism to extend the language that can incorporate arbitrary computations; 3) provide a prototype execution environment that allows the fully automatic execution of the computation; 4) provide a complete, formal, and auditable log of computations that can be used to reproduce an investigation; 5) demonstrate cloud-ready processing that can match the growth in data volumes and complexity

Practical Application of Fast Disk Analysis for Selective Data Acquisition

Using a forensic imager to produce a copy of the storage is a common practice. Due to the large volumes of the modern disks, the imaging may impose severe time overhead which ultimately delays the investigation process. We proposed automated disk analysis techniques that precisely identify regions on the disk that contain data. We also developed a high performance imager that produces AFFv3 images at rates exceeding 300MB/s. Using multiple disk analysis strategies we can analyze a disk within a few minutes and yet reduce the imaging time of by many hours. Partial AFFv3 images produced by our imager can be analyzed by existing digital forensics tools, which makes our approach to be easily incorporated into the workflow of practicing forensics investigators. The proposed approach renders feasible in the forensic environments where the time is critical constraint, as it provides significant performance boost, which facilitates faster investigation turnaround times and reduces case backlogs

Practical Application of Fast Disk Analysis for Selective Data Acquisition

Using a forensic imager to produce a copy of the storage is a common practice. Due to the large volumes of the modern disks, the imaging may impose severe time overhead which ultimately delays the investigation process. We proposed automated disk analysis techniques that precisely identify regions on the disk that contain data. We also developed a high performance imager that produces AFFv3 images at rates exceeding 300MB/s. Using multiple disk analysis strategies we can analyze a disk within a few minutes and yet reduce the imaging time of by many hours. Partial AFFv3 images produced by our imager can be analyzed by existing digital forensics tools, which makes our approach to be easily incorporated into the workflow of practicing forensics investigators. The proposed approach renders feasible in the forensic environments where the time is critical constraint, as it provides significant performance boost, which facilitates faster investigation turnaround times and reduces case backlogs

An Empirical Investigation of the Evidence Recovery Process in Digital Forensics

The widespread use of the digital media in committing crimes, and the steady increase of their storage capacity has created backlogs at digital forensic labs. The problem is exacerbated especially in high profile crimes. In many such cases the judicial proceedings mandate full analysis of the digital media, when doing so is rarely accomplished or practical. Prior studies have proposed different phases for forensic analysis, to lessen the backlog issues. However, these phases are not distinctly differentiated, and some proposed solutions may not be practical. This study utilized several past police forensic analyses. Each case was chosen for having five distinct forensic phases, complete with documented amount of time spent in each phase, along with the number and type of recovered evidence. Data from these cases were empirically analyzed using common descriptive statistical analyses along with linear regression. By using linear regression, we tested the factors that determine the number of recovered evidentiary artifacts. This study provides models by which future forensic analyses could be assessed. It presents distinctive boundaries for each forensics phase, thus eliminating ambiguity in the examination results, while assisting forensic examiners in determining the necessary depth of analysis