The term “triage” often brings to mind a healthcare setting where teams with limited resources are required to prioritise treatment based on the severity of the injury or illness. The function of triage in digital forensics is no different. It helps investigators save time and resources by rapidly scanning a range of digital devices (mobiles, computers, loose media or others) and their associated data to identify the ones that contain evidence crucial to investigations.
From necessity comes invention. With huge growth in device types, in data storage size and in the number of devices one suspect typically owns, digital forensics triage has never been more popular or more needed. It has become an essential and integral part of any investigator’s toolkit, regardless of whether they conduct investigations on-scene or in the lab.
I have experienced the critical benefits of triage from my time as the digital investigations lead in the UK Special Forces. As a forward-leaning organisation, it learned early of the need to seek out and utilise this type of technology, plugging what was a dangerous capability gap. On many high-value time-sensitive operations, we consistently achieved ground-breaking results, which fed live time into our intelligence picture, assisting to counter threats and protect lives. In addition to saving time and successfully prioritising evidence, triage tools enabled us to avoid other common issues such as skill fade, training burden and the dreaded backlogs and evidence pileups on the frontline or in the lab.
Law enforcement teams, border control agents, military units, intelligence agencies, and corporate investigators can all benefit from triage tools across a vast range of investigations such as fraud, harassment and bullying, child abuse, human trafficking, counter-terrorism and more. Some of the currently available tools can offer valuable insights to enable on-the-spot decision-making, leading to faster suspect arrests and/or providing grounds for further investigation. This makes multifunctional digital forensics triage vital for nearly all investigation types. For example, huge benefits have been seen for those utilising triage techniques while investigating ICAC (Internet Crimes Against Children), IIOC (Indecent Images of Children) and CSAM (Child Sex Abuse Material). As in any investigation, being able to identify devices with relevant data in minutes helps investigators bypass the need to run standard, time-consuming data extraction and analytical processes on all suspect devices. The ability to focus on the devices that contain the most beneficial information is elevated further by tools that rapidly triage the plethora of data, helping investigators answer the questions critical to their investigations and, of course, reducing stress on overburdened labs.
Among the many benefits of triage is its ability to help address skill gaps and dispel the associated ‘digital fear’. Triage tools enable less experienced team members and frontline agents to carry out preliminary investigations without the need for complicated manual methods. Automated triage profiles, often managed by a seasoned investigator, can be configured to give junior investigators an instant leap in investigative capabilities, enabling them to gather and produce evidence in a forensically sound manner while adhering to known best practices and processes.
While there are many options available for investigators considering digital forensics triage technology, not all tools are created equal. Assessing the following factors will help shortlist the ones that will work best for your team.
Speed and accuracy: The speed at which devices can be scanned, extracted, analysed, and reported on is a major consideration when selecting triage tools. However, speed needs to go hand in hand with accuracy and with the requirements of the investigation. For example, in CSAM crimes, it might not be an acceptable risk to match only known indecent images via hash-only scanning. The ideal tool should also be able to identify other vital indicators or first-generation images if required. Using a triage tool that can only focus on one avenue increases the risk of not identifying illicit or harmful material.
Ease of use: As these tools will be used by both technical and non-technical team members, the triage tool selected needs to be easy to use and deploy. Features such as guided menus, visual alerts and prompts, plug-and-play capabilities, and the ability to quickly train team members on the solution need to be considered.
Advancing technology: With triage always evolving, there are companies working hard to keep investigators equipped with what they need to get the job done through regular software updates to the tools. Advances in development mean patented triage technology, and new innovative capabilities are always being researched to give your teams the edge over criminals and threat actors.
Flexibility: The ideal tool for many will need to be configurable to many different types of investigations while keeping the sophisticated technology under the hood simple to operate. Triage is enhanced by many factors, including keywords, phrases, and hash value matches, so it is vital to select triage technology that is compatible with pre-defined profiles and databases (DB) such as CAID (Child Abuse Image Database), Project VIC and the NITRA Counter Terror DB, and that can expand beyond them when needed.
Support: A company with good values and support ethics in this field is often essential. It means your teams can communicate quickly and effectively with manufacturers, feed back on future requirements to aid the investigator community, and receive the training needed to be effective in any technology deployment.
The digital investigation landscape is always evolving, and the already vast number of digital devices is expanding exponentially all over the globe; digital triage is there to help individuals and organisations push back against the ever-growing digital tide.
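The “Speed and accuracy” and “Flexibility” points above can be seen in a few lines of Python. This is an added example, not code from any triage product or from the author: a minimal profile that combines hash matching with keyword indicators and ranks devices by flagged files, showing that an edited copy of a known file slips past hash-only scanning. The profile, file names and file contents are constructed sample values.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample values; a real profile would load hash sets and keyword lists.
KNOWN_CONTENT = b"constructed sample: invoice template for shell company"
PROFILE = {
    "known_sha256": {hashlib.sha256(KNOWN_CONTENT).hexdigest()},
    "keywords": [b"shell company", b"wire transfer"],
}

def triage_file(path, profile):
    """Return the indicators that fire for one file (hash match first, then keywords)."""
    data = path.read_bytes()  # whole-file read is fine for a sample; stream large files
    hits = []
    if hashlib.sha256(data).hexdigest() in profile["known_sha256"]:
        hits.append("hash")
    lowered = data.lower()
    hits += [f"keyword:{kw.decode()}" for kw in profile["keywords"] if kw in lowered]
    return hits

def triage_device(root, profile):
    """Map each flagged file under root (relative path) to its indicators."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            hits = triage_file(path, profile)
            if hits:
                results[path.relative_to(root).as_posix()] = hits
    return results

def rank_devices(devices, profile):
    """Order devices by number of flagged files, most first."""
    scored = [(name, triage_device(root, profile)) for name, root in devices.items()]
    return sorted(scored, key=lambda item: len(item[1]), reverse=True)

def build_sample_devices(base):
    """Create two constructed 'devices' as directories of small text files."""
    a, b = Path(base) / "device_a", Path(base) / "device_b"
    a.mkdir(); b.mkdir()
    (a / "known.txt").write_bytes(KNOWN_CONTENT)
    (a / "edited.txt").write_bytes(KNOWN_CONTENT + b" - amended, Wire Transfer due")
    (a / "holiday.txt").write_bytes(b"list of beach photos")
    (b / "notes.txt").write_bytes(b"shopping list")
    return {"device_a": a, "device_b": b}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, flagged in rank_devices(build_sample_devices(tmp), PROFILE):
            print(name, flagged)
```

With the keyword list emptied, only `known.txt` is flagged; `edited.txt` differs from the known file by a few bytes and no longer matches its hash.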