
The sequence of bias in the UK

(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

There's a few problems with this but I'll start with the "triage" problem (which this could largely be seen as).

Triage is often seen as a magic bullet but can itself lead to miscarriages of justice. Whether it gets to court or earlier as a case progresses (harm can happen long before court). There is no substitute for an examiner looking at something properly. That doesn't mean every examiner is perfect or will find "everything" but they're considerably more likely to "spot" something which an automated process will not. Whether that be things that support/strengthen/prove the case or whether they indicate the suspect may in fact be innocent (or someone else should be looked at...perhaps urgently).

Let's just say a "scan" picks up 10 images, this may well not be anywhere near the sum total of what the defendant has (or has been doing), or even a tiny fraction of it. Let's just say these are the few they forgot to hide well. In this system, they plead to a tiny charge, and get away with X/Y/Z (whether this be the scale of the offences, related offences, or different offences entirely) because it doesn't get looked at properly by an examiner.

Similarly, on the other hand, you might end up with the reverse situation, where someone is confronted with evidence of say 10 images, and under the stress of the situation feels the need to plead (despite their innocence), or does something worse to themselves (I don't know how true it is, but believe some in the US feel there's an issue with people of colour or those in deprived areas, feeling the need to plead, even when innocent, because they feel the system is against them). Again, a proper look by an examiner might lead to them not being faced with this dilemma, because they can see what actually happened.

I could probably think of many different variations of this but I personally believe anything short of a proper digital forensic examiner looking at something is a failure of the justice system.

Also, what's to stop, "I pled guilty because I felt pressured to / felt I had no other choice /etc", "I want to change my plea" just before trial, then they get off because the evidential package is extremely weak because nobody has looked at it.

Furthermore, I think you've got a bit of a non-starter with extracting all the images and uploading them, and is something that in this kind of case would be a legal minefield, even if being sent to defence counsel, and something that most police forces would try desperately to avoid (back to your making of indecent images). That's not to say that I've not seen a judge order copies to be made during the course of a trial, rightly or wrongly, but it's somewhat different when a judge is ordering it rather than anyone, including the police, doing it off their own bat.

Digital forensics is arguably suffering the same problem as traditional policing has in many ways. With ever-increasing regulatory burdens meaning less time for a human investigating a crime and a lot more time form-filling and process following.

Probably not the answer you want to hear, but I don't personally believe the answer is more automation / regulation / standards, but rather funding DF properly such that there are more examiners and they get more time on each job rather than the race to the bottom it has been on for a long time (due to the work ever-increasing and funding not increasing at the same pace).

Automation can/could/does help, in some ways, but a bit like with my argument for ISO17025, it should be targeted to assist an examiner, and not bypass them (or go down a process-led, human-light, route). For examiners, there are already various tools for dealing with this kind of material, to categorise material based on hash, or skin tone filters, and so on and so forth. You could argue better funding of development of these tools would improve things further (reducing errors/omissions/ease of use/etc). There are various ways this could be done.


   
(@amutimer)
Active Member
Joined: 3 years ago
Posts: 14
Topic starter  

@rich2005 

 

There is a ton of great stuff in here and you have got me thinking. I am torn between going into the detail of it and asking some rather more basic questions. If it is OK I will go with the questions first. 

How does the lab get their instructions and in what form are they? I have been imagining a box full of the confiscated hardware along with information as to the suspected crime (or the set crimes that fits with the initial intelligence). Do you get more than just that?   

Does the lab work in strict order of receipt, or does it prioritise?

What are the most common suspected crimes you see?

How is time allocated to a job? I realise I may be asking how long is a piece of string. But there must be some way time is managed in the lab.

Do you consider the lab is properly equipped?

Do you consider the software is good enough? If you could improve the software, what would you change?

Does the lab use a set of standard methods. So, if the suspected crime is embezzlement you use workflow one, if the crime is distribution of indecent images you use workflow two etc. Is any of this procedurised/standardised?      

Do you use iterative workflows? So, let us say the first analysis yields odd or contradictory data, do you run more analysis to try to resolve it? Is contradictory data a rarity?

Most DFUs seem to be of just two or three people. In situations like that it is common for everyone to do all functions. Is there a separation of functions?

In order to handle the work to your satisfaction from the point of view of quality, turnaround and justice, how much more human and physical resource do you need?

Best 

 

A

 

 

 

 

        


   
(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

How does the lab get their instructions and in what form are they? I have been imagining a box full of the confiscated hardware along with information as to the suspected crime (or the set crimes that fits with the initial intelligence).

This is going to vary, but in very broad terms, probably often yes.

Does the lab work in strict order of receipt, or does it prioritise?

This is going to vary. You might say broad-brush FIFO but there probably isn't anywhere that won't prioritise, whether to manage their own resources, or under instruction from submitter/client (whoever that may be), or as part of an agreed strategy/targets.

What are the most common suspected crimes you see?

Not best placed to answer. Having worked lots of different places that would depend on where I was working and what work they'd agreed to do.

How is time allocated to a job? I realise I may be asking how long is a piece of string. But there must be some way time is managed in the lab.

String is the answer on this one.

Do you consider the lab is properly equipped?

Can't answer this either. Everywhere I've worked has been kitted out to varying degrees. LE MIGHT be better off in this regard but again I suspect the answer will be yes/no depending on place. The cost of tools does make it hard for many to kit out every examiner with a wide range of the leading tools (which would be advantageous for both the discovery of evidence, presentation of it, and dual/many tool verification - which is important as referenced earlier).

Do you consider the software is good enough? If you could improve the software, what would you change?

No and the answer to that would require typing for a week 😉 Let's just say I think the QA process from the majority of tool makers is nowhere near good/thorough enough. Although I should say, in their defence, what many of the tools can now do, is impressive in speed/coverage of artefacts that are constantly changing in volume and nature. My criticism reflects the QA more than their attempt to do the near-impossible and decode every artefact, of every program, and every version, reliably.

Does the lab use a set of standard methods. So, if the suspected crime is embezzlement you use workflow one, if the crime is distribution of indecent images you use workflow two etc. Is any of this procedurised/standardised?

This is less applicable to me these days so best asked of others. When I was doing the kind of work this thread was originally talking about there essentially was a broadbrush process but I can't remember how granular it was back then.

Do you use iterative workflows? So, let us say the first analysis yields odd or contradictory data, do you run more analysis to try to resolve it? Is contradictory data a rarity?

Yes (if we're talking generally rather than particularly process based). It's important. In "more complicated" case types it's not uncommon to read a message or messages, that strongly suggest one thing, before reading/finding more later that gives you a better understanding and reveals it meant something entirely different. As you build up the picture, whether mentally, or trying to document it (pre-reporting). It's definitely not a rarity.

Most DFUs seem to be of just two or three people. In situations like that it is common for everyone to do all functions. Is there a separation of functions?

Probably best someone else answers this. A long time ago it was not uncommon to have people who specialise in phones and often the more experienced people doing computers. This is possibly outmoded these days although pretty certain many labs still have a lot more inexperienced staff doing the bulk phone work (I'm talking in general in most of my answers rather than just police DFUs).

In order to handle the work to your satisfaction from the point of view of quality, turnaround and justice, how much more human and physical resource do you need?

The literal million dollar question. I think it might be an uncomfortable starting point for those with the purse strings (and their bosses to every level above - right to the top) to have a conversation about how much time they think would be reasonable for someone to spend investigating a single case/crime, bearing in mind multiple devices, time to extract/process in multiple tools/report to a sufficiently good quality/QA properly if allocating any time for that....and actually investigate it (I reckon once you talked through the realities of doing each component part, explained the range of complexity/volume of data that might be involved, and then gave a ballpark estimate for doing each part to a good standard.....that number of hours might be WAY higher than many examiners are given, or have to try to, get a job done in).

To square the circle, a not uncommon approach, in the field as a whole, is to do "enough", within the estimated time, then explain why (or argue for) more time/expense is justified. I'm relatively lucky to get considerably more time than most to examine cases so perhaps better answered by anyone closer to the more standard "sausage factory" to appropriate a turn of phrase from a particular forensics blog.

 


   