When you hear the word triage, what do you think of? The typical person may imagine wartime images of medics checking soldiers' wounds on the battlefield to determine treatment priority. For those of us in the computer forensics field, the image is quite different, although the objective is remarkably similar.
Forensic triage is emerging as a way for investigators to find evidence more quickly with fewer resources, taking some of the load off the overburdened forensic expert.
Forensic triage is the practice of examining a computer in the field to determine its priority in an investigation. If relevant evidence is found, several things can follow, including obtaining a warrant to seize the computer and potentially taking the owner into custody. If nothing is found, the computer may be left at the scene. A triage pass that finds nothing is a screening result, not proof that the machine holds no evidence, and the decision to leave it behind should be made with that in mind. The benefits of effective field triage are many. First, field agents can avoid over-collecting on scene, reducing the number of computers held in secure storage awaiting examination. Second, first responders, field agents, and detectives on the scene can gain valuable evidence in real time, allowing them to focus their on-site investigation. Last, and most importantly, forensic investigators can be given a clear direction in which to focus their work, allowing them to build their cases faster.
Over the past several years the type of tools available for triage has shifted. In the early days of computer forensics, triage tools were developed for the forensic expert. These tools were cumbersome and required a skilled operator. However, as budgets continue to be cut, the number of experts available for field triage is steadily declining. Fortunately, many new tools have been introduced that are designed specifically for non-experts. These tools let a layperson perform various triage tasks in the field by following a few simple directions. This new class of product is changing the face of field triage. With so many tools to choose from, where does one start?
Before selecting a triage solution, several questions should be answered. First, who will perform triage in your organization? In some agencies the triage performer may be a novice when it comes to computers; in others, well versed in technology. If your agency's field staff are mostly novice computer users, select a solution that requires minimal user interaction. For a more technologically savvy team, you can consider a more sophisticated solution that requires more interaction and tends to offer more flexibility.
Second, what sort of evidence does your organization encounter most? Some organizations, such as probation enforcement agencies, may be concerned with images and Internet history. Others, such as counter-terrorism units, may primarily focus on personally identifiable information (PII) and names of interest. Still other agencies may have a completely different area of interest. In any case, the selected triage solution should enable the customization required to meet the needs of the organization.
Finally, before selecting a triage solution, understand which tools the forensic specialists back in the lab use to complete the investigation. Since one objective of triage is to focus the specialists' investigation, the triage solution should allow the collected evidence to be imported into the chosen forensic software, and it should preserve what the lab needs in order to rely on that evidence later, such as file hashes and a record of what was collected, from where, and when. Once these questions have been answered and a triage solution that meets the requirements has been identified, the next step is to introduce the solution and the triage process into the organization.
Several agencies are looking at the best ways to enable a large number of field personnel to perform triage in the field. Historically these agencies have relied heavily on a small population of forensic specialists for triage and evidence collection; however, those specialists do not have the bandwidth both to support the field and to complete investigations. These agencies are trialing EnCase Portable from Guidance Software as a means to obtain quick results in the field. With EnCase Portable, the forensic specialist pre-configures specific search parameters, including keywords and hash values, and deploys the kits to field personnel.
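To make concrete what a pre-configured keyword-and-hash search amounts to, here is an added example in Python. It is not EnCase Portable or Guidance Software code; it is a hypothetical triage pass in which a lab examiner builds a TriageProfile (a set of SHA-256 digests of files of interest, a keyword list, and the file types worth keyword-searching), and a field user runs scan() over a directory tree and gets the hits back ranked with exact hash matches first. The sample tree and its contents are constructed inline for the demo.

```python
"""Hash-and-keyword field triage pass over a directory tree.

Added example, not EnCase Portable or Guidance Software code. It mirrors the
two search parameters the article names (hash values and keywords) and ranks
the hits so a field officer sees the strongest items first.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass
class TriageProfile:
    """Hypothetical pre-configured profile an examiner would build in the lab."""
    known_hashes: set      # hex SHA-256 digests of files of interest
    keywords: list         # case-insensitive strings to look for in file content
    text_extensions: set   # only these file types are keyword-searched


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large media files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan(root, profile, max_text_bytes=4 * 1024 * 1024):
    """Walk root read-only and return [(path, reasons)] ordered by priority.

    Opening files on a live machine still updates access times; a real triage
    tool reads through a write-blocker or its own file-system reader.
    """
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            reasons = []
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the pass
            if digest in profile.known_hashes:
                reasons.append("hash:" + digest[:12])
            if os.path.splitext(name)[1].lower() in profile.text_extensions:
                with open(path, "rb") as handle:
                    text = handle.read(max_text_bytes).decode("utf-8", "ignore").lower()
                reasons.extend("keyword:" + kw for kw in profile.keywords
                               if kw.lower() in text)
            if reasons:
                hits.append((path, reasons))
    # Exact hash matches outrank keyword hits; more reasons outrank fewer; then by path.
    hits.sort(key=lambda hit: (-any(r.startswith("hash:") for r in hit[1]),
                               -len(hit[1]), hit[0]))
    return hits


def build_sample_tree():
    """Constructed sample data standing in for a seized machine (not real evidence)."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    files = {
        "docs/plan.txt": b"Project Falcon schedule: meet at the usual place.\n",
        "docs/notes.txt": b"Reminder: call about project falcon invoices.\n",
        "img/photo.jpg": b"\xff\xd8\xff\xe0 constructed stand-in for a known image\n",
        "readme.txt": b"Nothing of interest here.\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as handle:
            handle.write(data)
    profile = TriageProfile(
        known_hashes={hashlib.sha256(files["docs/plan.txt"]).hexdigest(),
                      hashlib.sha256(files["img/photo.jpg"]).hexdigest()},
        keywords=["Project Falcon"],
        text_extensions={".txt", ".doc", ".docx", ".html"},
    )
    return root, profile


def run_demo():
    """Return hits as (path relative to root, reasons); removes the sample tree."""
    root, profile = build_sample_tree()
    try:
        return [(os.path.relpath(path, root).replace(os.sep, "/"), reasons)
                for path, reasons in scan(root, profile)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, reasons in run_demo():
        print(path, ", ".join(reasons))
```

A hash hit is strong because it means an exact copy of a file the lab already knows; a keyword hit only says the string occurs somewhere in readable text and needs an examiner's eye. That is why the ranking puts hash matches first. Keyword search here only covers plain text; real tools also extract text from office documents, archives and unallocated space, which this example does not attempt.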
In the case of one corrections department looking at using it in its parole division, probation officers carry the device when they visit parolees. Once on site, they can insert the device into the parolee's computer and review the images or other relevant files stored on it in a matter of minutes. This real-time feedback lets officers quickly determine whether the parolee has violated the terms of parole, something that simply wasn't possible before.

Implementing Forensic Triage
Most field agents, first responders and detectives adhere to the mantra, "seize everything and above all, do not touch the computer, let the experts figure it out." This is how they were taught, and for years this methodology worked well. That caution exists for a reason: anything done on a live machine alters it, so the goal is controlled, documented interaction with a purpose-built tool rather than ad hoc browsing. However, as technology continues to evolve, the volume of devices and data seized is overwhelming forensic specialists. To stem this problem, we have to shift the mentality of those in the field.
To begin, it is recommended that a few field personnel be selected as "triage champions." The triage champions promote the use of the triage solution within the agency and are invaluable to successful adoption. When selecting triage champions, choose personnel who are comfortable with technology and have a genuine enthusiasm for becoming involved in the triage process.
These personnel should then be trained top to bottom on the solution. Most triage solutions that are fit for purpose should require only a few days of training for proficiency. Initially, the standard field practices should be maintained, but when appropriate these newly trained triage performers should use the solution on computers found in the field. The objective is for them to build up real-world examples of how the triage solution helped them in the field. These examples will be used later to encourage adoption by the rest of the organization's field personnel. After a period of trial use in the field, the triage solution can be rolled out to the rest of the field personnel, with the initial triage performers acting as champions for the solution and the process. Over time the shift in mentality will occur and your organization will be transformed into a proactive, dynamic, collaborative digital investigation team.
The challenge the digital investigation community faces with regard to triage is tradition. The collect-then-search methodology has left stacks of laptops, rows of desktops and bags of hard drives waiting weeks, months and longer for analysis. This process simply cannot continue. We as a community should embrace triage and promote it in our organizations, and over time the process can change. Backlogs will come down and forensic investigators, the linchpin of the investigation process, can focus on what they do best: catching the bad guys.

Steve Salinas is product marketing manager for the forensic business unit at Guidance Software, where he is focused on the company's EnCase Forensics and Tableau product lines. He holds a bachelor's degree from Texas A&M University and is pursuing an MBA from Pepperdine University. He can be reached at firstname.lastname@example.org.
Photo courtesy of Guidance Software.