Forensic triage is the practice of searching and analyzing a digital device (computers, smartphones, and tablets) in the field or at the crime scene. In many investigations, crucial digital evidence is needed while still at the scene. The traditional method of seizing the device(s), transferring them to the forensics lab, acquiring an image, and then analyzing the image for potential evidence may no longer be appropriate in cases such as child abductions, pedophiles, or missing persons, when every second counts.
As one of the pioneers in computer triage tools, we have gathered here a set of tips for reference.
- Adhere to Commonly Held Forensic Practices
- Assess the Danger a Suspect Poses
- Automate When Possible
- Automated Triage
- Browser Artifacts
- Capture Running Processes
- Cases where Less Traditional Workflows are Required
- Catching a Murderer
- Computer Forensic Field Triage Process Model
- Consideration for Common Practices
- Departure from The Norm
- Email Artifacts
- Evidence has Gone Digital
- Feedback from Triage
- Field Triage Tool Benefits
- Financial Crimes
- Finding Evidence Quickly
- First Responders
- Guide an Ongoing Investigation
- Identify Criminal Charges
- Identify Victims of Crime
- Importance of Volatile Data
- Instant Message (IM) Artifacts
- Internet Artifacts
Adhere to Commonly Held Forensic Practices
Having a computer forensic triage model in place for first responders is important. It is also important that the model adheres to commonly held forensic practices and does not interfere with the ability to later analyze the suspect computer more thoroughly back at the lab. The integrity of the suspect data must be ensured at all times during the process.
Assess the Danger a Suspect Poses
Through the use of field triage and live forensics tools, an investigator can not only gather evidence against a suspect but also use the data gathered to assess the possible risk that an offender poses to others in society. By evaluating the evidence of crimes committed, they can ascertain the possibility of the offender committing further crimes against others.
Automate When Possible
Even small errors in the investigative process of a suspect's machine may mean the difference between a conviction and a criminal going free. To minimize the risk of errors, automation should be used whenever possible. Products like MacLockPick allow the investigator to choose from many automated tasks to be carried out. This helps to ensure that the results will be consistent and verifiable should they be challenged in court at a later time.
Automated Triage
Time is an important factor in any criminal investigation, both in time-critical cases such as child abduction, kidnapping, death threats, missing and exploited children, etc., and in dealing with the backlog of evidence that many agencies are experiencing in this increasingly digital-based age.
Automated triage tools allow forensic examiners and investigators to focus on other critical tasks while the triage process is taking place. Automation also decreases the risk of human error and ensures that all bases are covered with regard to the data acquired for the investigation. By using "set it and forget it" automation, triage tools can be capturing important suspect information while leaving investigators free to deal with other important investigative tasks.
Browser Artifacts
Web browsers create a number of artifacts that can be of interest to an investigator during the triage stage of an investigation and later on during the formal lab investigation. While different browser applications vary, they all create cookies, caches, and other temporary internet files that can contain a wealth of information about the history of a suspect's online activities. Searching these files can be very beneficial to an investigation but can also take a lot of time. Applications like MacLockPick can significantly cut down on the time required to analyze these files and find evidence relevant to the investigation.
If you need a tool for extracting cache files, consider SubRosaSoft Cache Detective. SubRosaSoft Cache Detective is an easy-to-use utility for reading the cache of many browsers and chat applications and extracting the files currently stored in their cache folders.
Capture Running Processes
Knowing what a suspect was doing on their computer before an investigation begins can be helpful to most examinations. All running applications open processes on the suspect's system. MacLockPick can capture a list of the processes running on a suspect system to show an investigator exactly what the suspect was doing at the time.
Cases where Less Traditional Workflows are Required
While more traditional workflows may work for most cases, when it comes to time-critical cases such as child abduction, kidnapping, missing persons, death threats, etc., a different approach is needed. These situations require quick acquisition and analysis of the available evidence to give investigators as much information as possible in the shortest period of time, when it really matters. Cases like this require fast-working triage tools to get the evidence to the investigators in the shortest time possible.
Catching a Murderer
Criminals always leave a trail for investigators to find. Zeroing in on this critical data can be difficult at times, but the use of specialized tools can make the search quicker and easier. In cases like murder, the investigators may find content such as the suspect's Google search and email history to be of interest. MacLockPick can quickly analyze and display this information to speed the investigative process.
Computer Forensic Field Triage Process Model
The Computer Forensic Field Triage Process Model (Rogers, Goldman, Mislan, Wedge, Debrota, 2006) outlines the process and phases of a triage investigation. This process model is a general outline for the field triage process; the phases it covers are listed below. It is important to qualify the needs of the investigation first, as this model isn't appropriate for every investigative situation.
- User Usage Profiles
- Home Directory
- File Properties
- Chronology Timeline
- Browser Artifacts
- Instant Messages
- Case Specific
Consideration for Common Practices
While time is critical in many investigations, it's important to ensure that investigation procedures used to minimize the time required to find evidence don't interfere with other important considerations of any investigation. The procedures must still adhere to common forensic principles such as minimizing the contamination of the original scene and the evidence, complying with rules of evidence to ensure that it is admissible in court at the Federal and State levels, and maintaining the chain of custody. Well-designed field procedures should take all of these commonly held practices into account.
Departure from The Norm
The Computer Forensic Field Triage Process Model may be a bit difficult for some investigators to get used to at first, as it is a bit backwards from what they have been taught to do in most investigations. In many cases investigators have been taught never to touch a suspect computer and simply to unplug it to prevent any alterations to any evidence on the machine. In cases where time is critical, it may be necessary to depart from the commonly held forensic principles in order to get the evidence in time to make a difference.
Email Artifacts
Email is a valuable tool for all online users. It's also a common tool used by criminals. The information found in the email messages of a suspect can help to direct an investigation and may help secure a conviction. The procedure to examine email evidence can be time consuming. The use of tools like MacLockPick and MacForensicsLab can significantly cut down on the amount of time it takes to examine email evidence and zero in on suspect data.
Evidence has Gone Digital
The increase in technology also changes our concept of what constitutes evidence in a criminal investigation. Where previously most evidence was physical and document based, the large majority of evidence has now gone electronic and is stored on hard drives, digital media, and web accounts. Computers and smartphones have become the main source of evidence in many crimes where they used to be only one of the many small parts of the illegal act.
Computer crimes are becoming more common and proper procedures and tools are needed to combat these challenges.
Feedback from Triage
There are many benefits to field triage, such as on-site access to evidence.
An additional benefit to performing triage on the scene is the feedback that can be given to investigators. This allows the computer forensic analyst to modify their search based on feedback from investigators and those that may be in contact with the suspect.
Field Triage Tool Benefits
The use of forensic triage tools can increase the effectiveness of any investigation.
Through the use of forensic triage tools an investigator can quickly:
- Gain quick access to evidence that may allow them to secure a warrant or confession.
- Determine if a computer/system requires further analysis.
- Eliminate or dismiss a computer/system from further analysis.
- Determine key areas for further investigation.
- Ensure the acquisition of evidence that would be lost by powering the computer/system down.
- Acquire a snapshot of the suspect system's current state before seizure.
Financial Crimes
Financial crimes such as currency counterfeiting, money laundering, and intellectual property crime affect all levels of society. When searching for evidence of a financial crime, a search for documents such as spreadsheets and images of checks or potentially fraudulent financial materials may be high on the list of priorities. Documents for financial applications such as MS Money, Quicken, and QuickBooks may also contain items of interest.
Finding Evidence Quickly
Finding usable evidence quickly is one of the most important focuses of field triage and live forensics. Being able to zero in on suspect evidence quickly can be very important to an investigation. It may give an investigator new leads, help secure a confession and conviction, or be the difference between life and death for a victim.
First Responders
First responders must be very aware of their tasks when first arriving to perform forensic triage. The efforts of the first responder are critical to ensure that the evidence is gathered and preserved in a simple, secure, and forensically sound manner. The initial response to an incident is more important than later technical analysis of the computer system, as actions taken by the first responder can greatly impact the subsequent laboratory examinations of the computer/system. The success of evidence recovery and prosecution is dependent on the actions of the individual who initially responds to the scene.
Guide an Ongoing Investigation
Field triage and live forensics are key to acquiring critical evidence in an active investigation. This information can be used to guide an investigation. The information obtained through the on site investigation of a suspect computer can give examiners new leads to pursue. The acquired information may also point the investigators to new suspects or victims they were previously unaware of.
Identify Criminal Charges
The use of triage on scene and live forensic tools can identify evidence that can lead to potential charges. Quickly finding proof of a crime committed can help the investigation secure an arrest warrant and bring forth formal charges against a suspect. Live forensics can play a critical role in this process.
Identify Victims of Crime
The use of field triage can help to identify current and possible future victims. By quickly examining the evidence on the scene, a forensic examiner may be able to guide the investigation to possible victims of a crime. They may also be able to identify those who are at risk of becoming future victims.
Importance of Volatile Data
Capturing information about the current state of a suspect computer before powering it down is important to a forensic investigation. There is a wealth of volatile data that can be lost once the suspect's computer is powered down. This information may help direct an investigation in the early stages and can be beneficial during other stages of the investigation. First responder triage tools can capture this important data, which can play a critical role in every investigation.
Important information that may be lost when the computer is powered down may include:
- Clipboard contents
- Attached device listings
- Open network ports
- Current running applications and processes
- Temporary cache files
- Active memory contents
- Connected network drives
- Active peer-to-peer connections
- And more…
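The volatile-data list above and the process capture described under Capture Running Processes are the items a first responder has to collect before the machine is powered down. The following is an added example (not MacLockPick or any SubRosaSoft code) of a minimal Python collector that runs read-only commands in order of volatility and records a SHA-256 manifest so the capture can be verified later for chain of custody; the command names are assumptions about what is available on the suspect's system, and a missing tool is recorded rather than aborting the capture.

```python
import hashlib
import json
import shutil
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Read-only commands, most volatile first (RFC 3227 order of volatility).
# Command names are assumptions; a missing or failing tool is recorded in
# the manifest instead of aborting the capture.
VOLATILE_COMMANDS = [
    ("processes", ["ps", "-eo", "pid,ppid,user,lstart,command"]),
    ("network_ports", ["netstat", "-an"]),
    ("logged_in_users", ["who"]),
    ("mounted_volumes", ["mount"]),
]

def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def collect_volatile(case_dir, commands=VOLATILE_COMMANDS):
    """Run each command, store its output, and write a hashed manifest."""
    case_dir = Path(case_dir)
    case_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"collected_utc": datetime.now(timezone.utc).isoformat(), "artifacts": []}
    for name, argv in commands:
        out_path = case_dir / f"{name}.txt"
        entry = {"artifact": name, "command": " ".join(argv)}
        if shutil.which(argv[0]) is None:
            out_path.write_bytes(b"")
            entry["status"] = "missing_tool"
        else:
            try:
                proc = subprocess.run(argv, capture_output=True, timeout=30)
                out_path.write_bytes(proc.stdout)
                entry["status"] = "ok" if proc.returncode == 0 else f"exit_{proc.returncode}"
            except subprocess.TimeoutExpired:
                out_path.write_bytes(b"")
                entry["status"] = "timeout"
        entry["sha256"] = sha256_file(out_path)  # integrity record for chain of custody
        manifest["artifacts"].append(entry)
    (case_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_manifest(case_dir):
    """Re-hash every stored artifact; return the names whose hash has changed."""
    case_dir = Path(case_dir)
    manifest = json.loads((case_dir / "manifest.json").read_text())
    return [e["artifact"] for e in manifest["artifacts"]
            if sha256_file(case_dir / f"{e['artifact']}.txt") != e["sha256"]]
```

Run `collect_volatile("case_001")` from removable media before the machine is shut down; `verify_manifest("case_001")` returning an empty list later shows the stored outputs are unchanged.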
Instant Message (IM) Artifacts
Instant messaging is a common method of communication on the internet. Many instant message programs store contact lists along with chat histories. This information can be useful to an investigation as it can provide new leads, help secure a confession, or help to prove intent.
Internet Artifacts
Almost every investigation will involve the analysis of internet artifacts. Web browsing caches store records of sites a suspect has visited. Emails may help to prove intent or correlate other events. Instant message conversations can contain evidence that could help to secure a conviction. The investigator must weigh the time costs of investigating such artifacts, but with specialized tools, such as MacLockPick, the time required to analyze such data can be greatly reduced.