Digital triage can do more than save you time. It may save a life.
Scenario (yes, this really happened):
Parents reported their daughter missing. They gave the assigned detective a laptop that their daughter was using prior to being lured from home.
The assigned detective conducted his own "triage" of the laptop by turning the laptop on poking around looking for clues. He even logged into the daughter's social media accounts and did not find anything of value. I am sure you are cringing reading this and thinking no one would do that. But it happened. It is in the case report..
Months later (!), the detective called me to examine the laptop for any clues. I impolitely (and probably unprofessionally) gave my 2 cents as to how this case progressed before it came to me, how it should have been done, and how this should never happen again.
The daughter's buried body was found six months later.
The investigation backstory was also bad
There are more details to this case, but I'll save those for other another day. This one case has so many points that emphasize the importance of obtaining enough information in the shortest time to make informed decisions that it deserves a case study. But the main point of a missed opportunity of (effective) triage stays with me.
How this case affected me
I have been a believer in digital triage since the beginning of my career in forensics. It just makes sense. Documentation of triage goes back hundreds of years. Documentation of digital triage goes back decades.
If time is of the essence and informed decisions need to be made, the most reasonable method is triaging devices in a timely manner. It is unreasonable to wait. It is unreasonable to not use a reliable triage tool and method.
Back to that case…
Soon after the murdered teen investigation, I started writing my first book, Placing the Suspect Behind the Keyboard. I chose triage to be in the first chapter, because triage should be the first step in your investigative process. How else can you make an investigative plan if you don't have an idea of what data exists, at least at a high level?
What is triage?
A process to obtain enough information in the shortest possible time to make an actionable decision.
That is all that there is to it, but effective triage can affect the outcome of a case.
Back when Placing the Suspect Behind the Keyboard was written in 2012, I tested several triage software solutions as suggestions. One of these was "Triage Examiner" by ADF Solutions. A few of the others that I listed in the book have been discontinued, or have not been updated. As for ADF, their tools have grown into becoming the top developers in the forensic software market, particularly strong in digital triage.
Chapter 1, Page 22, Placing the Suspect Behind the Keyboard, First Edition
Mobile device triage
I will use ADF Solutions' Mobile Device Investigator as an example of one of the best triage tool choices you could choose.
In brief, ADF's Mobile Device Investor is: Easy. Fast. Effective.
In my opinion, when you need to make quick decisions that affect case outcomes, your process and tools should not be prone to operator error or complex to use.
A side note on case outcomes
In the civil litigation world, rather than forensically image and examine dozens or hundreds of devices, triage can save hundreds of thousands of dollars in expenses. The potential of finding the evidence needed up front can also steer the case forward and faster.
In the criminal investigation world, effective triage can result in obtaining probable cause for arrests and warrants in minutes, and more importantly, save a life.
These are not trivial matters.
ADF's Mobile Device Investigator scans and acquires unlocked iOS and Android devices, recovers user data (chats, messages, call records, images, browsers, and more..), searches for keywords, and generates reports. All of this is to give you the ability to make informed decisions on the spot.
The interface is clean and intuitive. The Help files are extensive. ADF provides plenty of training videos and even a certification course. Mobile Device Investigator sorts data into clearly visible and easily selected categories for viewing and decision-making data.
If you have ever spent a massive amount of time perfecting something, you have learned that if you do it right, your end product is simple on its face. The end product looks so simple, that many people think that it must have been simple to create. But you know that this is not the way it works. Creating 'complex' is easy. Creating 'simple' is not.
In the example of ADF Mobile Device Investigator, connecting a device and being able to scan for actionable intelligence seems all too easy and simple. And it is. It is effective too.
Do you triage?
Generally, there are two different processes and reasons for triage.
(1) Time sensitive decision-making, and
(2) Analysis prioritization.
Time sensitive decision-making scenarios are those where someone's life or property are at risk. Analysis prioritization helps with backlogs in deciding which devices should be examined in order or even not at all. Both situations are well worthwhile to conduct triage. There are areas where both of these may cross.
Without triage or more information about what might exist on the devices, your decision-making might be as good as flipping a coin.
Like I mentioned, triage has been around a long time. Choosing to not triage when appropriate means choosing not to use the most fruitful information in the shortest amount of time in order to make the best decision possible.
There are many tools that can triage and there are tools that are specifically designed to triage. ADF Solutions is my personal choice.
Before touching your next electronic storage device, think "TRIAGE". Also think about the case of the missing child that should have been handled differently.
About that eDiscovery thing….
Civil litigation continues to grow in scale and scope when electronic storage devices are concerned. I have been part of creating full images of more than a HUNDRED devices in individual cases. I have also been part of triaging THOUSANDS of devices in individual cases. Triaging THOUSANDS of devices is still much faster, more effective, and more efficient than imaging everything under the sun for no reason other than to do it and examine later.
Tools like ADF Solution's triage products make this process so much more efficient.
If you are interested in purchasing ADF's Mobile Device Investigator, consider taking their certification course with a $500 discount if you buy a MDI license through their online store (discount code is DFIR).
If you ever heard me speak or read things that I have written, you know that I am big on training and training documentation. Don't pass up on training for any tool that you use as your case may depend upon it!
Let me rave about ADF Solutions a little more…
You now know the case that clearly affected much of what I do, so much so that I put triage in the first chapter of a book in how to place someone at a device. For the second edition of Placing the Suspect Behind the Keyboard, I asked ADF Solutions if they would be a contributor in this book with an entire section dedicated to triage. I am honored that ADF agreed. In the triage section of this upcoming book, you will have the decade+ experience of a major developer of tools, specific to triage, at your fingerprints. There was no other tool for triage that I wanted to speak on this topic for my book. That is how much I believe in ADF.
When you subscribe to the blog, we will send you an e-mail when there are new updates on the site so you wouldn't miss them.