Triage template pipelines in digital forensic investigations

Overill, Richard E.; Silomon, Jantje A. M.; Roscoe, Keith

doi:10.1016/j.diin.2013.03.001

Cited by 18 publications

(8 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Furthermore, by repurposing the standard AFF format to support partial images, sifting collectors produce portable images that are readily analyzable by existing tools, without modification. Triage has become a hotly debated topic in the digital forensics community (Roussev et al, 2013;Overill et al, 2013;Marturana and Tacconi, 2013;Bogen et al, 2013), with the Journal of Digital Investigation devoting an entire issue to it (Digital Investigation, 2013). While certainly valuable, triage has several shortcomings as a replacement for acquisition, such as missing important evidence and potentially damaging relevant evidence, particularly in view of how triage is currently practiced (Shaw and Browne, 2013).…”

Section: Related Workmentioning

confidence: 98%

Rapid forensic imaging of large disks with sifting collectors

Grier

Richard

2015

Digital Investigation

View full text Add to dashboard Cite

a b s t r a c tWe present a new approach to digital forensic evidence acquisition and disk imaging called sifting collectors that images only those regions of a disk with expected forensic value. Sifting collectors produce a sector-by-sector, bit-identical AFF v3 image of selected disk regions that can be mounted and is fully compatible with existing forensic tools and methods. In our test cases, they have achieved an acceleration of >3Â while collecting >95% of the evidence, and in some cases we have observed acceleration of up to 13Â. Sifting collectors challenge many conventional notions about forensic acquisition and may help tame the volume challenge by enabling examiners to rapidly acquire and easily store large disks without sacrificing the many benefits of imaging.

show abstract

Section: Related Workmentioning

confidence: 98%

Rapid forensic imaging of large disks with sifting collectors

Grier

Richard

2015

Digital Investigation

View full text Add to dashboard Cite

show abstract

“…Overill et al [20] propose an attractive idea to introduce triage template pipelines into the investigative process for the most popular types of digital crimes, enabling digital evidence to be examined according to a number of prioritised criteria. Each specific digital crime has its own template of prioritised devices and the data based on the cost-effectiveness criteria of front-loading probative value and back-loading resource utilisation.…”

Section: Models and Methods Of Live Triagementioning

confidence: 99%

“…The introduction of triage template pipelines into the investigative process for the most popular types of digital crimes, presented by Overill et al [20]. However, the authors do not enumerate these types of crimes and provide only the DDoS and P2P template diagrams without the discussion of the details 4.…”

Section: Lessons Learned From the Reviewmentioning

confidence: 99%

Methods and Tools of Digital Triage in Forensic Context: Survey and Future Directions

2017

View full text Add to dashboard Cite

Digital triage is the first investigative step of the forensic examination. The digital triage comes in two forms, live triage and post-mortem triage. The primary goal of the live triage is a rapid extraction of an intelligence from the potential sources. The live triage raises legitimate concerns. The post-mortem triage is conducted in the laboratory and its main goal is ranking of the seized devices for the possible existence of the relevant evidence. The digital triage has the potential to quickly identify items that are likely to contain the evidential data. Therefore, it is a solution to the problem of case backlogs. However, existing methods and tools of the digital triage have limitations, especially, in the forensic context. Nevertheless, we have no better solution for the time being. In this paper, we critically review published research works and the proposed solutions for digital triage. The review is divided into four sections as follows: live triage, post-mortem triage, mobile device triage, and triage tools. We conclude that many challenges are awaiting for the developers in creating methods and tools of digital triage in order to keep pace with the development of new technologies.

show abstract

“…Even the process of triaging, i.e, the initial assessment process where cases are filtered and prioritised by digital forensic experts, is coming under increasing pressure. For example, London Metropolitan Police services receive over 38,000 digital devices a year for digital forensic examination, a situation described as "resource overload" [3].…”

Section: Background and Contextmentioning

confidence: 99%

“…However, evidence collection and handling methods for social media crimes lack technical sophistication. For example, Facebook gives the following advice for evidence collection in case of cyber bullying on its platform 3 .…”

Section: Background and Contextmentioning

confidence: 99%