McAfee Learnings

4.5 On-Site Triage Processing

Currently, many organizations are challenged with large backlogs of digital forensics casework. An on-site triage solution is being employed more and more worldwide to accommodate for this exponential growth in digital forensic caseload. Triaging involves performing data Guidelines on Mobile Device Forensics extraction (i.e., Manual or Logical) on-scene followed immediately by a preliminary analysis of the data extracted. Logical extraction tools provide additional capabilities to use keywords and specific known hashes, alerting the on-scene examiner immediately to potential issues that need to be addressed. Where possible, devices supporting encryption, such as Android and iOS devices, should be triage processed at the scene if they are found in an unlocked state, as the data may no longer be available to an investigator once the device’s screen is locked or if the battery exhausts. Deploying the use of field forensics tools to either acquire the device or establish a trusted relationship with the device will ensure that at a later time, access of data occurs after the device has been locked.

On-Site Triage is especially useful in identifying:

  • Media most likely to contain evidence
  • Those investigations that require a more detailed and technical examination
  • The investigations that could be subject to a limited examination by qualified practitioners
  • Material requiring urgent investigation
  • Examinations suitable for outsourcing
  • The extent of the assistance the unit will need to provide to an investigation.

On-Site Triage processing benefits include:

  • Reduced laboratory workload – Digital forensic laboratory submissions may be reduced when nothing of interest is found on-scene, and the level of suspicion is low
  • Exigency – On-scene examiners have actionable results immediately
  • Better leveraging of existing resources – Intelligence resources are enhanced through the use of keywords/hash lists
  • Reduced training costs – Triage tools are typically designed to require less training than deeper analysis tools and techniques
  • Reduced unit cost – Triage tools are frequently more affordable than deeper analysis capable counterparts
  • Live collection opportunity – Devices are often presented in an unlocked state affording the on-site examiner the potential to extract more data before the locking mechanism is activated.

Organizations may wish to develop some “scoring” method to prioritize on-site triage examinations. This should be developed on a per-organization basis and should be reviewed and updated to accommodate changes.

Feedback

Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.

Post your comment on this topic.

Post Comment