Will UK Police have a triage strategy in 2015 +
pfsfsf - Newbie
Will UK Police have a triage strategy in 2015 +
With the increase in device seizure on Police raids and heavy burdens being placed on HTCUs, will there ever be a system for non-technical police officers to triage machines? Are there any plans for a computer triage system similar to the RT Kiosk? Does it exist?
Questions?
Would policy allow?
Is it feasible?
Would this streamline or help in any way?
I ask as I have seen this sort of system proposed at an overseas event.
-
jaclaz - Senior Member
Re: Will UK Police have a triage strategy in 2015 +
Are you asking about tools or about a policy that allows or denies the use of such tools?
Here is a thread from which it is possible to gather indirectly that a given tool is (or has been) in use by some local Police in the UK:
www.forensicfocus.com/...c/t=10931/
You can contact Harry Parsonage of ADF solutions through the Forum, I am pretty sure that he knows about the "state of the art" both from the technical and from the legal/policy point of view.
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-
pfsfsf - Newbie
Re: Will UK Police have a triage strategy in 2015 +
Many thanks Jaclaz, I am looking at the digital influx to High Tech Units in the UK. I am aware of ADF and its capabilities. I am looking at/for an answer to the problem of a Police Raid, presented with 5 computers; atm they are all bagged and tagged and sent for analysis (and triage) or outsourced (time + £).
Would there be a need for a bobby on the beat to conduct this triage? The enormity of data is only getting worse and will continue to do so.
What is the forensic examiner's view on this, the training burden, chain of evidence and potential to harm rather than do good?
-
EricZimmerman - Senior Member
Re: Will UK Police have a triage strategy in 2015 +
I have hundreds of LEOs in the UK that use osTriage with great success. It has been that way for a few years now. It's not made just for forensics people though, it's also a tool for first responders and your average investigator. It is also free for LEOs.
-
minime2k9 - Senior Member
Re: Will UK Police have a triage strategy in 2015 +
Here's my 2p:
The idea of technical officers routinely using Triage software to decide which exhibits to seize, quite frankly, scares me.
Triaging exhibits can be used to reduce the amount of examinations required and we have used it in the recent NCA/CEOP operation which dealt with suspects using Peer-to-Peer for sharing of IIoC.
However the triage pack used was targeted for this operation only and was used within the HTCU rather than by non-technical officers.
There are many reasons why triage may fail, including but not limited to encrypted drives, RAIDed disks, very old machines and iShite/EFI machines.
Within the HTCU we have the capability to look at why the triage process won't work and make a decision based on the available information. For example, if the hard disk is fully encrypted then it is of interest so we'd image it.
A non-technical officer probably wouldn't have the expertise to figure out why and would either seize it or leave it when triage fails. There is also the risk that they would misuse the triage and assume that a negative triage result means the device has no evidence.
Once the triage packs leave the HTCU, all control is lost. The officers may attempt to use them in cases where the pack would not apply (such as grooming jobs) and may be using an old outdated version of the pack.
The only situation currently where I think triage would be used by non technical officers is in units managing registered sex offenders, where it could be used as part of their visits.
-
EricZimmerman - Senior Member
Re: Will UK Police have a triage strategy in 2015 +
I assume you meant non-technical officers using triage?
For every reason triage MAY fail, there are 1000 reasons that it will work. In fact some of the reasons you mention, at least for running machines, are the most important reasons you SHOULD triage a computer. Most of the reasons you point out seem to be related to dead box forensics vs live response. While there is some use in triage for dead box, it is much more important for running machines.
I am not ever recommending a street cop be given access to a bunch of hardware or run a search warrant scene, but there is no reason that with proper training (hours, not days or weeks) people with a basic understanding of computers cannot assist in the triage process ("this computer has keyword hits", "I found hashes of interest here", and so on). Of course there will be experts around to look at the odd cases (those you mention).
Now I cannot speak for all agencies and labs, etc., but I can tell you that, in almost every situation, you will get more information from osTriage in 10 minutes than you will from waiting 6 months for a full review. By essentially getting just about everything you will need while on scene you can now conduct a much better interview of the owners of the computers (by asking questions you already know the answers to).
I don't like the concept of preconfigured packs for the reasons you mention and their inherent lack of flexibility. To not allow all the benefits because "someone might go off the rails" by using an old version or similar seems like a bad idea to me.
One thing I am curious about is your mentioning triage failing when you have full encryption, but then, if such a drive is found, you would want to image it. Is it encrypted but the data is accessible? How can triage fail against an unlocked disk that, when off, is encrypted? The encryption is transparent to the imaging program and by extension, any triage software that would be used.
I am unaware of any court cases (in the US at least) where evidence obtained via 'triage' was thrown out. I am aware of many instances where triage made the case however and found stuff in minutes vs months via more traditional forensics. Evidence is either there or it isn't. Properly designed software will not change any forensically relevant artifact on a computer and the effects on a computer can be shown to be consistent and minimally intrusive. At least in the case of osTriage, the only changes are what Windows makes to a machine (prefetch, USBSTOR keys and some other registry keys Windows uses to track program execution). None of those things, if wholly lost, will break a case (if your case rested solely on one of those artifacts it's not much of a case to begin with).
Again I am not advocating giving triage software to everyone, but in the context of a task force (like the ICACs in the US) it is an essential and, IMO, mandatory thing that should be happening on every search warrant. Once machines are back at the lab a lot more possibilities for triage become available, but to me the most critical triage is live response based.
-
jaclaz - Senior Member
Re: Will UK Police have a triage strategy in 2015 +
- EricZimmerman: Evidence is either there or it isn't.
Well said.
As a side note, and possibly a bit off topic, I sometimes wonder when (and if) "enough is enough" (particularly in the case of CP or IIOC), and cannot say if the problems arise from the existence of some given policies or from the lack of them (or from too generic or too specific search warrants or Court orders or similar).
I mean, it seems to me - at least from what I read/can find on related cases - that the "typical" bad guy involved in this kind of activity will have hundreds or thousands (or more) of such images or videos, and additionally - again at least from what I can gather from the forum posts and the documentation talked about - that these are usually not the most computer savvy people around.
So WHY exactly is a search warrant given to the police by the Court?
Like, I presume, in 80% of the cases because there was evidence of internet connections with sites known to be hosting this kind of material, or the IP address, e-mail, etc. of the suspect was found on the PC of another known/convicted pedophile; 15% because someone in the family of the suspect went to the Police; 5% for other reasons.
Let's also say (provided that the above percentages are roughly accurate) that a thorough investigation of the given devices will have at least an 85% chance of success in finding illegal material.
Now, how much of it is *needed* to get the suspect to trial (and reasonably be enough to have the Judge/Jury sentence him)?
You find 5 computers.
You go triaging them and, on (say) the first of the five, you find 3127 IIOC images; do you need more?
You go triaging them and find that the fourth computer has an encrypted volume; is that not enough to have all 5 computers seized and later fully examined?
And when you start fully examining this fourth computer and find the 3127 images in the encrypted volume, is it really needed to examine the other four?
As I see it, the only adverse case with triage (as I tried to evidence in the other thread) is when a negative result is obtained, which in my mind reads as an N/A and not as a "NO"; in all other cases it is useful to limit the amount of "thorough" examinations, provided that a "limit" is somehow set.
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -