Tiered Forensic Methodology Model for Digital Field Triage by Non-Digital Evidence Specialists

TL;DR

This paper proposes a tiered forensic methodology enabling non-digital evidence specialists to perform digital field triage, reducing delays and resource constraints in digital evidence analysis during investigations.

Contribution

It introduces a new process model for training non-specialists in digital evidence triage, validated through implementation and evaluation in real-world scenarios.

Findings

Enhanced response efficiency in digital investigations

Reduced reliance on scarce digital forensic analysts

Improved speed of evidence processing in the field

Abstract

Due to budgetary constraints and the high level of training required, digital forensic analysts are in short supply in police forces the world over. This inevitably leads to a prolonged time taken between an investigator sending the digital evidence for analysis and receiving the analytical report back. In an attempt to expedite this procedure, various process models have been created to place the forensic analyst in the field conducting a triage of the digital evidence. By conducting triage in the field, an investigator is able to act upon pertinent information quicker, while waiting on the full report. The work presented as part of this paper focuses on the training of front-line personnel in the field triage process, without the need of a forensic analyst attending the scene. The premise has been successfully implemented within regular/non-digital forensics, i.e., crime scene investigation. In that field, front-line members have been trained in specific tasks to supplement the trained specialists. The concept of front-line members conducting triage of digital evidence in the field is achieved through the development of a new process model providing guidance to these members. To prove the model's viability, an implementation of this new process model is presented and evaluated. The results outlined demonstrate how a tiered response involving digital evidence specialists and non-specialists can better deal with the increasing number of investigations involving digital evidence.