Digital Investigation
journal homepage: www.elsevier.com/locate/diin
Research summary
Abstract
Keywords:
Forensic triage
Backlog
Information security
eDiscovery
Software
Digital forensic process
At the core of this approach is the notion of previewing the evidence, whether by software or by eyeball. As noted above, the former technique may be too restrictive, while the eyeball approach suffers from the same lack of a consistent methodology as above, and from the requirement that the owner of the eyeballs recognize probative evidence beyond the most obvious.
Another form of triage is within the forensic examination process. Examiners have struggled with the problem of what to look at since the very first computer forensic examinations. In the early 1990s the foremost computer forensic training organization was the International Association of Computer Investigative Specialists (IACIS), which taught its trainees (myself included) that every single file should be examined. They even went so far as to recommend executing every binary file, in case it was a Trojan horse program. Today that notion is viewed as absurd, but, at a visceral level, examiners often fear missing something important. But if we cannot look at everything, what should we look at? Forensic examiners make judgments about where to look, and for what, based on experience. Experienced forensic examiners often make good decisions. However, that judgment process is rarely recorded and is difficult to articulate, let alone replicate.
Mike Phelan, the late Director of DEA's digital evidence laboratory, coined the term "sufficiency of examination" to deal with this problem. By this he meant doing enough examination to answer the forensic or investigative questions, but nothing more. One of the major tasks of the digital forensic examiner is to decide what to look for and where. But this has its own set of problems. Just as the helpers at a search site may not have a clear understanding of all the dimensions of the case, forensic examiners typically do not have a thorough knowledge of the case. It simply is not practical to develop this level of knowledge. In the absence of a solid definition of what needs to be examined, examiners will often perform examinations of evidence in certain ways, not because it is the most efficient or effective, but because they always do it that way, they feel like doing it that way, or sometimes simply because they can. If you don't have a clear understanding of what you are looking for, how do you know where to look and when to stop looking?
So, objectively, it would appear that triage is not a particularly good solution to the seizure and examination of digital evidence. So why has triage become so common that a special issue of this journal is dedicated to the topic? Simply because, today, we do not have a better approach. Investigators need the evidence in a timely fashion. They are more willing to get some useful evidence quickly than to wait endlessly for all of the evidence. Examiners, for their part, are constantly challenged about their backlog, and the quickest way to reduce the amount of time that each examination takes is to look at less material. So, triage