I was recently asked to attend a conference and speak on the subject of 'Triage in Digital Forensics'. The presentation I had to give was based solely on my opinions, without mentioning any product names, and to give an experience to the delegates to hopefully provide them with some ideas to take away for their own processes. Also, directly following my presentation, a renowned university professor would also be presenting on exactly the same topic.
Gulp. No pressure then.
Thankfully, as part of my work, I am surrounded by a wealth of experts, who have used triage in digital forensics in real life situations, from making entry into a private property and performing on site triage, to the first steps in an investigation on acquired items. These experts I want to thank, as they formed a large part of my presentation, and also parts of this article.
I wanted to take you through my discovery and research and hopefully educate and enlighten at the same time.
Where to start?
The term “triage” comes from the field of medicine, in which it refers to the situations when because of having limited resources, the injured people are ranked according to the necessity to receive treatment. Such ranking ensures the achievement of the least damage to patients when resources are limited.
I really like this quote—and although it refers to medicine, a lot of the same ideology can be applied to Digital Investigations.
Digital triage is the technical process to provide information for the digital forensic investigation—some would say it doesn't involve the analysis of digital evidence on site, rather the educated assessment of search criteria according to recorded process.
The goal of the digital triage is the rapid review of many potential sources of evidence for specific information to prioritise the digital media for subsequent analysis, i.e. if my case involved the suspicion of money crimes, then I'd prioritise sources which could hold banking and transaction data.
Some could say that all investigations could benefit from the use of triage, but I feel like the top investigations that would benefit the most would be the following:
- Counter terrorism - 1st phase
- Drug offences
- Sex offences
- Indecent images
- Money laundering
- Hate propaganda
- Internet fraud
- Hacking/DoS attack
Logic of Triage Work
Thinking through all of these different crimes that would benefit from the use of triage, my next question would be: "What's the logic?" "What's the point?" "Why not go through ALL of the data?"
There are many reasons for the use of triage such as the fact that most investigations are time based. A suspect can only be held for a certain amount of time, evidence has to be produced to further an investigation as early in the process as possible, to warrant extra time being invested.
Most digital investigations have many many sources of data. Imagine your own home right now. You have a mobile telephone, probably a tablet of some sort, a couple of USB drives, some flash cards, a couple of old mobiles in a drawer, your internet linked games console, your personal computer, the work laptop, maybe a smart refrigerator, smart thermostat, and any number of IoT connected devices; and that's just YOU. What about the wife and the children? Their devices are accessible by the suspect, so it's reasonable justification that one of these devices could have been used at some point.
All in all, an investigator could potentially be looking at close to 30 sources, and tens or even hundreds of terabytes.
It's not feasible to analyse all of this data in such a short space of time, and it's definitely not cost effective, especially when an investigator has a growing backlog of cases piling up back in the office.
This brings us on to the HOW. Digital triage is a methodology rather than a specific product. Procedures need to be prepared, documented and tested for the triage process, based on a number of different scenarios, because depending on the offence type, operational objectives, and types of data collected, the triage process can differ. What about volatile data? What about encryption? What happens if I shut the device down?
Moreover, the triage process is expected to fall under ISO 17020, as quoted by Dr Gillian Tully, the Forensic Regulator:
‘Screening or extraction of data from a device and/or local area networks operated by domestic and small business users therefore remains within the scope of incident scene investigation, requiring accreditation to ISO 17020 and the Codes by October 2020’
– Forensic Regulator’s Annual Report
Scope of work: Abusive SMS messages
Dusty HDD in drawer
Samsung® Galaxy® under bed
Apple® iPhone® X on defendant’s person
USB flash drive located on table
Personal computer in office
Apple® iPad® in living room
Which would be the target device? The answer to this question depends entirely on the outcome of the triage, early intelligence collection and operational objectives.
If the suspect isn't at the location, how could you triage a password protected/encrypted device? If these suspect is on scene, can you simply ask them for the login to the device? It has been argued, that merely asking for this information constitutes an interview - which in turn has an effect on CTL's (Custody Time Limits) and whether the suspect has the right to a lawyer present!
Now we have our primary and secondary devices, we need to perform the triage; the discovery on the device according to the remit of the investigation.
Using a write blocker and some triaging software, I'll perform a categorised collection/analysis according to the scope of my investigation.
Once a triage has been completed - a report is generated, and this can be used in the questioning of the suspect, as primary evidence, and it is generally one of the most important parts of the case.
This report will have the most important data within it. The hot, fresh evidence that will lead on to further investigation, deeper dives on to target machines and devices to really hone up the entire case. Making triage one of the most important steps in any investigation, and performed correctly will ensure the success of an investigation, and the conviction of our suspect(s).
Work Smarter, Not Harder
I need to mention the professionals, as while I was performing my research on the different aspects and regulations on digital triage, I leaned heavily on my co-workers, Sarah Hargreaves, Chris Johnson and Daren Menzies. All of whom have had real life investigations where they have had to apply the processes and methodology I have talked about here.
My presentation was a success, and the professor who followed me pretty much gave a very similar presentation to mine—which was great to see, and added weight to the presentation I had put together.
I also read and ingested articles from some professionals such as Rogers, et al (CFFTPM), and Hong (48 Questions), both of which have published some pretty interesting articles and I highly recommend reading.
Daren quoted this to me and I thought it would be an appropriate ending to this article:
Work smarter, not harder. Assess what you have, what you need and why you need it.
This blog post originally appeared on Sam Holt’s personal LinkedIn page. Find it here.
About the author:
Sam Holt is Team Leader and Senior International Engineer/Forensics Pre-Sales at AccessData and compliance champion, authoring papers on GDPR, ISO27001, PCI-DSS, and writing privacy and IT policies to adhere and comply.