Blame Moore’s Law, Sort Of
As digital devices continue to proliferate, digital storage capacities are approximately doubling every two years, and the volume of media submitted for forensic analysis grows with them. If examination time scales with the amount of data, an agency that kept up with its caseload four years ago with two examiners would need eight examiners today just to maintain the status quo: a fourfold increase in personnel and equipment. How many agencies can afford that? It is simply not feasible, realistic, or practical.

Often an examiner will analyze all the digital media only to determine that the probative data was limited to a browser’s history file, an e-mail, a document, a mobile device’s logs, or an inappropriate graphic video or picture. Unfortunately, the examiner may have spent several days or weeks to determine where the incriminating data resided. Compounding the matter further is the fact that some agencies require their examiners to analyze all the digital media, as doing so may uncover indications of other criminal activities. This traditional approach is inefficient, expensive, causes long turn-around times, and inevitably leads to case backlogs, which force management to adopt stopgaps such as:

  • Imposing arbitrary, unrealistic case workload expectations upon examiners (such as a monthly quota)
  • Paying examiners to work overtime
  • Transferring cases to another laboratory
  • Hiring more examiners
  • Purchasing more forensic tools and equipment (which may require more physical space, facility renovations or relocations, etc.)
  • Only analyzing cases in which speedy trial is an issue
  • Only analyzing cases related to particular violations of the law (e.g. child pornography vs. low threshold white collar crimes)
  • Returning cases unworked to the submitting agencies

Some of these solutions themselves are inefficient, costly, time consuming to implement, and in the long term will lead to examiner burnout and further increases in backlogs. Other solutions will let potentially guilty suspects remain unprosecuted. Finding the critical probative data faster in a cost effective manner while reducing or eliminating case backlogs is going to require a more efficient methodology.

A First Step
The number of digital devices containing potentially probative data being submitted continues to grow faster than those devices can be analyzed. The traditional methodology employed by examiners and their agencies has not kept pace with this continued growth. This places examiners and investigators under immense pressure to provide information in a timely manner to prosecutors. It also has an adverse effect upon agency budgetary matters. Adding to these problems, examiners also encounter considerable difficulties when analyzing media using the common traditional tools. In addition to being expensive and time consuming to use, these tools often have built-in shortcomings and limitations, some of which include:

  • Data volumes and device counts in investigations have grown much faster than the tools’ processing throughput
  • Detailed, expensive examiner training is required to use the tools effectively
  • Usually one forensic workstation is needed per forensic tool
  • Non-intuitive and difficult-to-use interfaces
  • No ability to triage data sources, so a full forensic analysis is required
  • Lengthy forensic imaging times
  • Insufficient volume of evidence processed per day
  • Each data source must be analyzed separately
  • Investigators must manually correlate the data from multiple data sources
  • Unreliable (or no) processing of data residing in enterprise systems, complex archival storage systems, the cloud, or mobile devices
  • Difficulty partitioning the data so multiple examiners or investigators can analyze it at the same time

Faced with these difficult issues, examiners will have to modify their workflow to provide probative data in a timely manner. Rather than analyzing every device in full, a more practical approach is to streamline the workflow:

  • Use a triage tool to identify the most likely evidence sources
  • Seamlessly export the work product into another tool to process the data and cross reference the sources
  • Divide the evidence among multiple investigators for further analysis
  • Export any relevant data found into reports

This approach will allow the examiner to rapidly focus on the most relevant data source(s) and provide the investigator with information in a meaningful way. However, to make this happen, examiners are going to need a new generation of more suitable, enhanced triage and examination tools. A primary triage tool should incorporate the following functionalities:

  • Be easy to use
  • Support multiple platforms (Windows, Macintosh, and Linux)
  • Be forensically sound when booting a system (from read-only or write-blocked media) and when accessing a live system, where every action taken necessarily alters state and must be logged
  • Have search capabilities using both default and user defined search criteria
  • Include imaging capabilities
  • Examine attached HDDs, SSDs, SD cards, USB flash memory, etc. on a live system
  • Examine digital media removed from a suspect system
  • Support a wide array of acquired images
  • Connect to smartphones and tablets
  • Analyze smartphone and tablet data from images
  • Parse files for analysis (keyword, grep-style regular expression, etc.)
  • Examine word processing and pdf reporting templates
  • Retrieve artifacts (Web-based chat, e-mail, etc.) from unallocated space
  • Search and review the content of e-mails
  • Index results in a non-proprietary format (e.g. SQLite DB) for later searches
  • Provide document previews
  • Match files against known-file hash sets (MD5 for compatibility with existing sets, ideally with SHA-1 or SHA-256 recorded alongside, since MD5 collisions are now practical)
  • Identify faces or people in pictures and videos using filters for facial detection, skin detection, and camera metadata
  • Include technology to translate information from foreign documents
  • Report and export results in non-proprietary formats (pdf, HTML, txt, csv, etc.)
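To make the streamlined workflow and the functionality list above concrete, here is an added example of the core of a scriptable triage pass; it is illustrative code written for this column, not the code of ADF or of any tool named below. It hashes every file on a mounted volume (MD5 for legacy known-file sets, SHA-256 alongside), drops known-good files, flags known-bad ones, runs grep-style keyword searches on the remainder, indexes everything in a plain SQLite table, and exports a CSV report. The sample files, the known-good and known-bad hash sets, and the keyword patterns are all constructed inside the script for the demonstration and are not real evidence or real hash sets.

```python
import csv
import hashlib
import re
import sqlite3
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB blocks so large media are never read into memory whole
FIELDS = ("path", "size", "mtime", "md5", "sha256", "status", "hits")

def file_hashes(path):
    """(md5, sha256): MD5 for legacy known-file sets, SHA-256 alongside because MD5 collisions are practical."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()

def keyword_hits(path, patterns, max_bytes=4 * 1024 * 1024):
    """grep-style regex search over the first max_bytes; lenient decoding finds hits in mixed text/binary."""
    with open(path, "rb") as fh:
        text = fh.read(max_bytes).decode("utf-8", errors="ignore")
    hits = []
    for pat in patterns:
        for m in re.finditer(pat, text, re.IGNORECASE):
            lo, hi = max(0, m.start() - 20), min(len(text), m.end() + 20)
            hits.append((pat, text[lo:hi].replace("\n", " ")))
    return hits

def triage(root, known_bad, known_good, patterns, db_path):
    """Walk root, classify each file, index it in a SQLite table any examiner can query without this script."""
    root, conn = Path(root), sqlite3.connect(db_path)
    conn.execute("CREATE TABLE IF NOT EXISTS files (path TEXT PRIMARY KEY, size INTEGER,"
                 " mtime REAL, md5 TEXT, sha256 TEXT, status TEXT, hits TEXT)")
    records = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        md5, sha256 = file_hashes(p)
        if md5 in known_good:          # NSRL-style known-good: index it, do not review it
            status, hits = "known_good", []
        elif md5 in known_bad:         # case-specific known-bad: flag immediately
            status, hits = "known_bad:" + known_bad[md5], []
        else:
            hits = keyword_hits(p, patterns)
            status = "keyword_hit" if hits else "unknown"
        st = p.stat()
        rec = dict(path=p.relative_to(root).as_posix(), size=st.st_size, mtime=st.st_mtime,
                   md5=md5, sha256=sha256, status=status,
                   hits="; ".join(f"{pat}: {snip}" for pat, snip in hits))
        conn.execute("INSERT OR REPLACE INTO files VALUES (?,?,?,?,?,?,?)",
                     tuple(rec[k] for k in FIELDS))
        records.append(rec)
    conn.commit()
    conn.close()
    return records

def export_csv(records, csv_path):
    """Non-proprietary report: one row per file, importable by any review tool."""
    with open(csv_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(records)
    return csv_path

def build_sample_tree(root):
    """Constructed sample media (not real evidence); returns known-bad/known-good MD5 sets derived from it."""
    root = Path(root)
    (root / "docs").mkdir(parents=True)
    (root / "tools").mkdir()
    (root / "docs" / "memo.txt").write_text("Re: shipment. Wire 40,000 to the offshore account Friday.\n")
    (root / "docs" / "notes.txt").write_text("Grocery list: eggs, milk, bread.\n")
    tool = b"MZ\x90\x00constructed stand-in for a known tool binary\n"
    (root / "tools" / "dropper.bin").write_bytes(tool)
    readme = b"Standard OS readme, constructed known-good content\n"
    (root / "README.txt").write_bytes(readme)
    return {hashlib.md5(tool).hexdigest(): "sample-tool"}, {hashlib.md5(readme).hexdigest()}

def run_demo():
    """End-to-end pass over the constructed tree; returns a summary dict."""
    patterns = [r"offshore account", r"wire\s+\d[\d,]*"]   # assumed case keywords, not from the column
    with tempfile.TemporaryDirectory() as tmp:
        root, db = Path(tmp) / "evidence", Path(tmp) / "triage.sqlite"
        known_bad, known_good = build_sample_tree(root)
        records = triage(root, known_bad, known_good, patterns, db)
        export_csv(records, Path(tmp) / "triage.csv")
        conn = sqlite3.connect(db)   # reopen the index the way a second examiner would
        flagged = conn.execute("SELECT path, status FROM files WHERE status NOT IN "
                               "('unknown', 'known_good') ORDER BY path").fetchall()
        conn.close()
        return {"files": len(records), "flagged": flagged,
                "statuses": {r["path"]: r["status"] for r in records},
                "memo_hit_count": len(keyword_hits(root / "docs" / "memo.txt", patterns))}
```

Point `triage()` at a read-only mount of an image rather than at a live volume, and the SQLite file and CSV are what get handed to the next tool or to other investigators. Note the limitation this shares with the triage tools discussed below: it walks the live filesystem namespace only, so deleted files and unallocated space are never touched, and a clean triage result is grounds for deprioritizing a device, not for clearing it.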

Since most triage tools are automated, they require less training and can be used to rapidly eliminate digital media that does not contain relevant data. However, some triage tools are limited in scope and often cannot provide comprehensive or interpretable data extraction. For instance, one of the key elements often lacking is a tool’s ability to analyze unallocated space. There are many triage tools currently available: BitFlare, COFEE (Computer Online Forensic Evidence Extractor), EnCase Portable, IEF Triage, Paraben’s Porn Detection Stick and Data Recovery Stick, MacLockPick 3.0, Triage 2020, AccessData Triage 2.4, NetX Triage, ADF’s Triage-Examiner and Triage-G2, and others. The triage tools offered by ADF Solutions, Inc. appear to include most (if not all) of the functionalities listed above.

This discussion will continue in a future column. Before purchasing any tool, examiners should thoroughly research those available and select the tool which provides the best functionality to meet their requirements. The listing of a particular tool or vendor is not to be construed as an endorsement of that tool or vendor by the publisher or the author.

John J. Barbara owns Digital Forensics Consulting, LLC, providing consulting services for companies and laboratories seeking digital forensics accreditation. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence.