
Why triage matters

Certain forensic cases often require urgent data acquisition and analysis, so evidence must be prioritized using triage.

Digital forensics | 15/03/2024

Every day, the number of computer users is increasing as well as mobile, IoT, and similar devices that are capable of storing increasingly large amounts of data. Additionally, nearly every criminal act today involves at least one electronic device, while more complex criminal activities can involve a double-digit number of devices. With the rise in the number of devices and the amount of stored data, the complexity of performing forensic investigations increases, putting forensic investigators under significant pressure to obtain the desired data within a reasonable timeframe, known as TTE (Time To Evidence). Often, certain forensic cases require urgent data acquisition and analysis, so it is necessary to prioritize evidence using triage.

The concept of triage was first used in medicine, where the triage process is a system for caring for injured individuals based on the categorization of injuries sustained on the battlefield and the urgency with which each injury needs care. The same methodology has been introduced into digital forensics, where it is a process of rapid collection and analysis of evidence that prioritizes essential digital evidence, whether at the scene of the incident, elsewhere outside the laboratory, or within the laboratory.

Benefits of using triage tools [1]:

  • Time – Significant reduction of the time required to find critical evidence, and faster response to the incidents.
  • Case preview – Provides insight into the incident itself, enabling the creation of an analysis strategy.
  • Resources – More efficient distribution of forensic tools and focus on the most important evidence.
  • Amount of evidence – Less evidence to collect and preserve.
  • Cost savings – Reduction in financial costs by focusing on more important evidence.

Introducing triage into the forensic investigation process partially reduces the workload of forensic investigators. Take, for example, a corporate environment with 7 employees and an equal number of computers in which data exfiltration has occurred. If all computers are infected with some type of computer virus, it is necessary to determine how the incident occurred, i.e., the initial point of infection. Using traditional forensic methods, investigators would need to create a forensic image of each computer’s disk and then perform an analysis. In our company’s digital forensics laboratory, creating a forensic image of a 500 GB computer disk takes approximately 2 hours and 20 minutes in testing, and best practice recommends creating 3 forensic images, so approximately 7 hours are needed to create the forensic disk images of one computer. Processing the forensic image can take approximately 6 hours. Adding the time required to create and process the forensic disk image of one computer, we arrive at a total of 13 hours, on top of which come several more hours for analyzing a large amount of data, further extending the forensic investigation.

Given the duration of this process, it would be more efficient to use forensic triage tools so that investigators could quickly identify which computer contains digital traces that are crucial for the investigation. By using triage tools, it’s possible to obtain significant evidence depending on the amount of data, type of device, and the tool itself within 10 minutes to a maximum of several hours. If essential evidence is found through triage on any of the computers, forensic investigators prioritize that computer in the forensic investigation, while the remaining computers are handled according to the results of their analysis. Although triage tools speed up the forensic investigation process, they require more knowledge from forensic investigators to correctly collect and interpret evidence found through triage. It is important to note that triaging digital evidence does not include artifacts that have been deleted, which require data recovery, etc. Triage only includes currently available system data.

When it comes to triage tools, some traditional forensic tools already partially enable triage. But what about tools that are specifically developed for this type of acquisition?

A review of the market for currently available tools indicates that forensic tool manufacturers have recognized triage as an extremely important area and that there is a need for the development of triage tools. As one of the market leaders in the field of digital forensics, the company INsig2 collaborates with companies developing triage tools such as Belkasoft T, Magnet Forensics Outrider and Ignite, ADF Triage-Investigator, Cyacomb Examiner Plus, Detego Field Triage, and various tools from other manufacturers.

Picture 1. Interface of the Magnet Outrider tool [2].

Although triage is most often associated with field work, it can also be performed in the laboratory. During the triage process, commercial tools enable extremely fast verification of whether a targeted file is present on the media by calculating the hash values of all files and comparing them with the hash value of the targeted file. In addition to hash matching, it is possible to search the data by keywords.
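As an added illustration of the hash-matching and keyword-search pass described above (example code written for this article, not the code of any of the tools mentioned), the scanner below walks an evidence directory once, computes the SHA-256 of every file, flags files whose hash appears in a set of target hashes, and flags files containing any of the keywords. The directory contents, the target hash and the keywords are constructed for the demo.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Constructed keyword list for the demo; a real case would use case-specific terms.
KEYWORDS = [b"project-falcon", b"wire transfer"]


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large media files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage_scan(root: Path, target_hashes: set[str], keywords: list[bytes]) -> dict:
    """Single pass over `root`: report hash-set hits and case-insensitive keyword hits."""
    hits: dict = {"hash": [], "keyword": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        digest = sha256_of(path)
        if digest in target_hashes:
            hits["hash"].append((rel, digest))
        data = path.read_bytes().lower()
        for kw in keywords:
            if kw.lower() in data:
                hits["keyword"].append((rel, kw.decode()))
    return hits


def demo() -> dict:
    """Build a constructed evidence tree, derive one target hash from it, and scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "notes.txt").write_bytes(b"Meeting about Project-Falcon next week")
        (root / "docs" / "readme.txt").write_bytes(b"nothing of interest here")
        (root / "tools").mkdir()
        known = root / "tools" / "sample.bin"
        known.write_bytes(b"constructed placeholder file, not a real sample")
        # In practice the target set comes from a case hash list; here it is derived from the demo file.
        targets = {sha256_of(known)}
        return triage_scan(root, targets, KEYWORDS)
```

Files that match by hash are candidates for immediate prioritization, while keyword hits point the investigator at which computer to image and analyze first.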

Potential pieces of evidence that can be found during triage [3], [4], [5]:

  • portable media previously connected to the computer,
  • used applications,
  • Internet browser history,
  • system files,
  • communication traces (IP addresses, SMS, MMS, calls, emails),
  • user profiles,
  • GPS records,
  • multimedia content,
  • detections of content related to child sexual abuse material (CSAM),
  • passwords,
  • malware,
  • encryption detection, protected folders, and backups,
  • detection of virtual machines, and more.

Some triage tools can load a forensic image of the subject device to quickly obtain crucial evidence, and can also create a forensic image of the RAM and capture screenshots of the computer being triaged [6].

Along with all of the above, we can say that forensic tool manufacturers stand alongside forensic investigators and aim to ease the performance of complex work, which is becoming more and more common every day. By implementing triage in digital forensics, investigators significantly save time, can set very good and clear goals for the further course of the investigation, and reduce the number of devices waiting for acquisition and analysis. As authorized sales representatives of digital forensic tools and equipment, in recent years we have noticed a significant increase in our clients’ interest in digital forensic triage, which is the result of more intensive education and raising awareness of the importance of triage.

Keywords: digital forensics, triage, forensic tools, incident response, prevention, prioritization, identification of key information, key evidence, TTE

Author:

Petar Majić, Digital Forensics Consultant


REFERENCES:

[1] 3 Benefits of Digital Forensic Triage. https://www.adfsolutions.com/news/digital-forensic-triage-benefits

[2] Magnet Outrider Overview. https://www.youtube.com/watch?v=3ZVvfyk92ac&t=8s

[3] Triage Investigator. https://www.adfsolutions.com/triage-investigator

[4] Belkasoft Triage. https://belkasoft.com/t

[5] Field Triage. https://detegoglobal.com/field-triage/

[6] Magnet Outrider. https://www.magnetforensics.com/products/magnet-outrider/