Will Uk Police have a triage strategy in 2015 +

27 Posts
8 Users
0 Reactions
5,938 Views
minime2k9
(@minime2k9)
Honorable Member
Joined: 14 years ago
Posts: 481
 

“Now I cannot speak for all agencies and labs, etc, but I can tell you that, in almost every situation, you will get more information from osTriage in 10 minutes than you will from waiting 6 months for a full review. By essentially getting just about everything you will need while on scene you can now conduct a much better interview of the owners of the computers (by asking questions you already know the answers to).
I don't like the concept of preconfigured packs for the reasons you mention and their inherent lack of flexibility. To not allow all the benefits because "someone might go off the rails" by using an old version or similar seems like a bad idea to me.”

Herein lies the danger: officers will begin to see triage exams as replacements for a standard forensic examination. As mentioned by someone else, triage is deciding which order to examine exhibits in, not excluding exhibits or a “forensic exam lite”.
If we are looking for a quicker method of getting results then maybe the answer is a 'forensic exam lite', where a technician or similar uses an automated tool to extract 'high value' areas from an exhibit (such as the registry, Windows EDB, live internet history, contents of peer-to-peer download folders etc) and run automated keyword searches against them. As an automated step through a writeblocker, this would provide a quick overview for an interview. My original post relates to using a triage tool to triage, not mini exams.

“one thing i am curious about is your mentioning triage failing when you have full encryption, but then, if such a drive is found, you would want to image it. is it encrypted but the data is accessible? how can triage fail against an unlocked disk that, when off, is encrypted? the encryption is transparent to the imaging program and by extension, any triage software that would be used. “

From my experience, 9 times out of 10 when a warrant is executed, the computers are turned off. Hence the problems, and, as you alluded to, triage loses some of its value if the computer isn't on and in use. For the most part, using a triage tool will show an encrypted drive in the same manner as a RAID 0 drive (i.e. unreadable).

“i am unaware of any court cases (in the US at least) where evidence obtained via 'triage' was thrown out. “

No, neither am I; minor changes can be explained, even if the system accidentally boots. I've got no problems with what a triage produces, however sometimes it can be over-interpreted. For example, you get hash matches for IIC on an exhibit, then CPS authorise charge based on that. Without the supporting evidence, the images are almost worthless, but CPS/Officers often just see images and run with them.

“I mean, it seems to me - at least from what I read/can find on related cases - that the "typical" bad guy involved in this kind of activities will have hundreds or thousands (or more) of such images or videos, and additionally - again at least from what I can gather from the forum posts and talked about documentation - that these are usually not the most computer savvy people around.”

There is a wide range of offenders, ranging from future nominations for the Darwin Award to similar knowledge to the examiners. Some of the suspects I've dealt with have gone to great lengths to avoid prosecution, not just in technical terms but habits as well (deleting images after viewing, using CCleaner or similar tools immediately after). Virtual machines, encryption, wiping software, VPNs, Tor etc are becoming more widely used, as once offenders are caught and spend some time in a cell together, they seem to discuss how they got caught and think of better ways not to get caught.

“Now, how much of it is *needed* to get the suspect to trial (and reasonably be enough to have the Judge/Jury sentence him)? “

Maybe not that much to sentence for a possession/making charge of IIC (making, for those not familiar with IIC jobs, means downloading/copying etc.; production is the offence for creation of brand new IIC). But first I think it's important to understand sentencing in the UK. Images are graded as one of three categories, A to C, with A being most serious. In the sentencing guidelines, there is a table with 3 headings: Making/taking, Distributing and Production. Underneath are the 3 categories, and each box has a starting sentence for small quantity and large quantity.
So back to the question “how much is needed?”: firstly, once you have a large quantity of the highest category of images (approx 200 say), then in terms of the possession/making charge you have enough for the higher level of sentence.
However distributing images carries a much higher sentence (starting at 3 years' custody for Cat A images as opposed to 1 year for possession). Distributing includes making available via peer to peer and other similar methods. So we need to prove that, if we can.
Proving production is rarer than the other 2 offences, however if it exists then it definitely needs to be looked for.
Next we have aggravating factors, of which there are 18 (2 statutory and 16 IIC specific), including: collection includes moving images; attempts to dispose of or conceal evidence; active involvement in a network or process that facilitates or commissions the creation or sharing of indecent images of children; and deliberate or systematic searching for images portraying young children, category A images or the portrayal of familial sexual abuse.

BTW guidance on this can be found at http://sentencingcouncil.judiciary.gov.uk/docs/Final_Sexual_Offences_Definitive_Guideline_content_%28web%29.pdf
Section 75 covers IIC

So with all that in mind, this is the way I see triage tools being used most effectively:
All items are seized by officers from an address.
Items are then triaged using a pre-configured pack specific to the offence.
The results are used to identify whether an item is MORE LIKELY to contain the evidence we need.
We then take a subset of these exhibits (the highest scoring ones) for a full forensic exam.
The others can be examined at a later date if necessary or evidence on another exhibit suggests something of use will be on one of them.

This approach is most likely to be used for jobs where the intelligence is very generic (CEOP referrals being a key candidate – this IP download/uploaded IIC on this date/time to this site). Even in these types of jobs, the triage pack would have to look for encryption tools, cleaning tools and connected devices, not just indicators of IIC.

If we are looking for evidence to present at interview whilst waiting for the exam to take place, I would argue that this is no longer in the realms of triage, we are then in the realm of “previewing”.

As Steve alluded to, triage is often seen as a “magic bullet” to cut backlogs, often by those with little (read NO) technical experience. This is why it gets such a hostile reaction from many examiners who get annoyed by Officers and Management who believe what we do can be replaced by a piece of software.

Sorry this has been so long. I've been controlling the triage software in our HTCU, so while I've seen and am keen to promote its use where possible, it needs to be controlled. Also sorry if any of this has come across as offensive to anyone; I apologise as it's not meant to be.


   
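The workflow in the post above (run a pre-configured pack over every seized item, score each exhibit, send the highest-scoring subset for a full exam, retain the rest) can be written down as a small prioritisation routine. The following is an added example and not code from the thread, from osTriage or from any HTCU tool; the data model, the indicator flags (hash matches, encryption and cleaning tools, peer-to-peer client, external devices) and the weights are constructed for illustration. Note how an unreadable (encrypted or RAID-member) drive gets no score rather than a zero, since a negative on a drive the tool could not read means nothing, and how zero-hit exhibits are retained for later rather than excluded, which is the distinction the post draws between triage and a "forensic exam lite".

```python
"""Added example: rank seized exhibits from automated triage findings so that
triage sets the ORDER of full examination rather than excluding exhibits.

Assumed data model (constructed, not any real triage pack): each exhibit's
triage run yields a count of known-image hash matches, flags for encryption,
cleaning and peer-to-peer software, the number of external devices recorded
by the OS, and whether the drive was readable at all. Weights are illustrative.
"""
from dataclasses import dataclass


@dataclass
class TriageResult:
    exhibit: str
    hash_matches: int = 0           # hits against a known-image hash set
    encryption_tool: bool = False   # disk/container encryption software present
    cleaning_tool: bool = False     # "cleaner"/wiping software present
    p2p_client: bool = False        # file-sharing client installed
    external_devices: int = 0       # USB/external devices recorded by the OS
    drive_readable: bool = True     # False for encrypted or RAID-member drives


# Constructed weights: hash matches dominate, but counter-forensic indicators
# raise the priority because they suggest triage may have seen only part of
# what is there (the post's "look for encryption and cleaning tools too").
WEIGHTS = {
    "hash_match": 5,
    "encryption_tool": 20,
    "cleaning_tool": 15,
    "p2p_client": 10,
    "external_device": 2,
}
HASH_CAP = 50  # cap so one huge collection does not drown every other signal


def score_exhibit(r: TriageResult):
    """Return an integer priority score, or None when triage could not read
    the drive (an unreadable drive yields no usable negative)."""
    if not r.drive_readable:
        return None
    score = min(r.hash_matches, HASH_CAP) * WEIGHTS["hash_match"]
    score += WEIGHTS["encryption_tool"] * r.encryption_tool
    score += WEIGHTS["cleaning_tool"] * r.cleaning_tool
    score += WEIGHTS["p2p_client"] * r.p2p_client
    score += WEIGHTS["external_device"] * r.external_devices
    return score


def prioritise(results, full_exam_slots=2):
    """Order exhibits for the lab queue. Returns (exhibit, score, disposition)
    tuples: positives by descending score, then unreadable drives, then
    zero-hit exhibits, which are retained rather than excluded."""
    scored = [(r, score_exhibit(r)) for r in results]
    positives = sorted((x for x in scored if x[1]), key=lambda x: -x[1])
    unreadable = [x for x in scored if x[1] is None]
    zeros = [x for x in scored if x[1] == 0]

    queue = []
    for rank, (r, s) in enumerate(positives):
        where = "full exam now" if rank < full_exam_slots else "full exam queue"
        queue.append((r.exhibit, s, where))
    for r, s in unreadable:
        queue.append((r.exhibit, s,
                      "image and full exam: drive unreadable, negative not meaningful"))
    for r, s in zeros:
        queue.append((r.exhibit, s,
                      "retain; examine later if another exhibit indicates it"))
    return queue


# Constructed sample seizure: four exhibits with placeholder labels.
SAMPLE = [
    TriageResult("EX/01 desktop", hash_matches=12, p2p_client=True, external_devices=3),
    TriageResult("EX/02 laptop", encryption_tool=True, cleaning_tool=True),
    TriageResult("EX/03 spare-room PC"),
    TriageResult("EX/04 external HDD", drive_readable=False),
]

if __name__ == "__main__":
    for exhibit, score, disposition in prioritise(SAMPLE, full_exam_slots=1):
        print(f"{exhibit:22} {str(score):>5}  {disposition}")
```

With one lab slot available, the desktop with hash hits goes first, the laptop with encryption and cleaning tools queues behind it even though it produced no hash hits, the unreadable external drive is imaged regardless, and the spare-room PC is retained rather than written off.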
EricZimmerman
(@ericzimmerman)
Estimable Member
Joined: 13 years ago
Posts: 222
 

I am glad you mention your definition of triage. What you and I are talking about are distinct things (with a bit of interplay for sure).

In all things law enforcement should seek to be as minimally intrusive as possible. To me this also includes NOT taking every computer in the house if you do not need to. The computers to leave behind are determined by a mix of interview and live response/triage (even to the point of turning a machine on). For example, if there is a PC in grandma's room that is password protected and no one else has access to, I should NOT be taking it if it has nothing to do with the reason I am there in the first place.

I can use osTriage and look at just the registry tabs and determine whether a computer is "of interest" within a few seconds with an accuracy in the high 90s.

From what some seem to advocate, it's a "take everything and sort it out later" approach. That doesn't scale well at all and is overly intrusive to the people in a residence that have nothing to do with the crime being investigated. Now if I cannot determine a computer is irrelevant I am going to take it, but if I can look at a PC and eliminate it I am going to do it and leave it behind.

Now every examiner is different, but osTriage does provide more information to investigators than you will normally get back from a "full exam" in almost every case (at least based on the exam reports I have seen). You will also get information not seen in exams as well. In both cases it will be in a format that is much more useful for an investigator.

I disagree that triage is not determining what to leave behind. That's one of the tenets of triage (or at least as it relates to live response). There has been massive success (at least in the US, in a wide variety of cases) in doing triage this way. I liken taking everything to the old school and IMO outdated approach of wiping drives before imaging to them and the "don't change anything ever" approaches so many of the old guard FEs still cling to.

In many cases, for most crimes, using a tool like osTriage can indeed replace the need for a full forensic review. In fact many districts at the local, state, and federal levels are getting charges off of what osTriage is telling them and doing PC arrests vs waiting 6 months to continue the investigation.

Of course you always have to do your due diligence for production of CP and other related evidence for different crime types, but I feel confident good live response/triage produces information that is on par with or exceeding full exams in a fraction of the time.

If you haven't tried osTriage, give it a whirl. It may just change your mind. If you try it and find it wanting, I'd like to know that too so I can make it better.

Thanks for the discussion! Good stuff!


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Eric, with all due respect :) , you are now starting to play on words.

Let us set aside the "name" of the tool which may (or may not) be accurate or the etymology or meaning of the word "triage", let's for the moment call it neutrally "the tool".

The questions are still the same and they are simple enough:

Question #1
Is it enough that on a PC/device "the tool" is run and provides a "negative" to avoid seizing (and later "fully" examine) it?
1.a Yes.
1.b No

Question #2
Since "the tool" is pretty much automatic/automagic/smart/intelligent (please put here the appropriate attribute) WHO should operate it?
2.a Anyway a fully trained digital investigator, ideally the same one that would later make if needed the "full" examination.
2.b Any officer with a basic specific training. <- (without any offence intended a "trained button pusher")
2.c Any officer with a basic generic familiarity with PCs/software <- (again without any offence intended an "untrained button pusher")

Question #3
Since "the tool" is accurate (your words) "in the high 90s", can it be used without further "full" examination to go to Court directly? (or if you prefer, isn't "accuracy in the high 90s" the same level of accuracy of a full examination? or again is "accuracy in the high 90s" ENOUGH?)
3.a Yes
3.b No

Question #4
While in the case of a full examination, the actual digital investigator is testifying in court and "certifying" that the examination was "thorough", "as complete as possible" and "conforming to policies, guidelines and state of the art", WHO does that for "the tool"?
4.a The software firm that makes/sells it
4.b A given national or international organization/certification entity (if you choose this, WHICH one)
4.c Someone else (please specify)

Can you please just answer the above questions?

jaclaz


   
EricZimmerman
(@ericzimmerman)
Estimable Member
Joined: 13 years ago
Posts: 222
 

1. a. But it's not that it proves a negative, but rather shows a lack of positive hits and therefore relevance to an investigation.

2. b. For training you are talking half a day max, assuming they have some basic general computer skills/have been trained in their types of investigation outside computers.

3. a. This happens routinely without *need* of a full forensic exam here in the USA across a wide range of departments. Charges are regularly filed based on triage results alone.

4. This is not a valid question IMO. The best answer available is c. If I was asked that question on the stand I would say no exam is as complete as possible, because I could get more people to look at it, look at different artifacts, by hand, and so the rabbit trail goes. Whoever uses the tool would state what they did. If there was some underlying question of how the software works the program's author could be subpoenaed perhaps, but in the case of forensics it's finding "stuff" that can then be validated with any other tool anyone else wanted to. If you only used triage then it would be the defense who would be reviewing the evidence and then reporting on their findings. Triage doesn't fabricate anything that isn't there. It just finds "stuff" quickly and makes it available in minutes vs months.

If a tool shows you the contents of a prefetch file, that can be validated with any other tool and certainly a hex editor. Digital evidence is either present or not. If someone doesn't have the skill to find/access/verify something that is a different story, but that doesn't negate the use of tools by other people.

It would be very difficult to testify that something is, for all users, "conforming to policies, guidelines and state of the art" because those things differ pretty much across everyone. Rather, a tool is minimally intrusive, its results are repeatable on the same evidence, and its impact on a computer can be shown to be consistent. Many of the quoted things are agency specific, and if a given tool is approved by an agency, then those things would be true.

As I think you mentioned, I don't need to know 100% of everything there is to know about a given system. At some point your return on what you get is far less than the time invested.


   
minime2k9
(@minime2k9)
Honorable Member
Joined: 14 years ago
Posts: 481
 

OK, so based on your above answers, I have a follow-up question:
If no items return any relevant hits on exam with "the tool", what happens next?


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

“1. a. But it's not that it proves a negative, but rather shows a lack of positive hits and therefore relevance to an investigation.”

Sure, but as long as it is enough to avoid seizing the device for later examination, it effectively excludes the device AND thus it does prove - to all practical effects - a negative.

“2. b. For training you are talking half a day max, assuming they have some basic general computer skills/have been trained in their types of investigation outside computers.”

Good.

“3. a. This happens routinely without *need* of a full forensic exam here in the USA across a wide range of departments. Charges are regularly filed based on triage results alone.”

Very good, so there is no need for full examination, i.e. "the tool" completely replaces the "full" examination (which is perfectly in line with answer 1.a, BTW).

“4. This is not a valid question IMO. The best answer available is c. If I was asked that question on the stand I would say no exam is as complete as possible, because I could get more people to look at it, look at different artifacts, by hand, and so the rabbit trail goes. Whoever uses the tool would state what they did. If there was some underlying question of how the software works the program's author could be subpoenaed perhaps, but in the case of forensics it's finding "stuff" that can then be validated with any other tool anyone else wanted to. If you only used triage then it would be the defense who would be reviewing the evidence and then reporting on their findings. Triage doesn't fabricate anything that isn't there. It just finds "stuff" quickly and makes it available in minutes vs months.”

“If a tool shows you the contents of a prefetch file, that can be validated with any other tool and certainly a hex editor. Digital evidence is either present or not. If someone doesn't have the skill to find/access/verify something that is a different story, but that doesn't negate the use of tools by other people.”

The point was not about "the tool" fabricating anything of course :) , it was about the possibility of it missing *something* that could be found in other ways (i.e. through a "full" examination) and that - according to current policies/guidelines/whatever - should be searched for.
As in your own explanation of my previous example (an explanation that was very clear to me) about it not "being enough" to find the 3127 images:

“If a single image is found (or even indications of their presence), it's enough to take a computer. With a warrant you can take everything as specified in the warrant.”

“In CP related cases, you have to go through all images and videos to make sure the subject is not producing CP. It is not enough to just find known images and charge based on that.”

About this:

“It would be very difficult to testify that something is, for all users, "conforming to policies, guidelines and state of the art" because those things differ pretty much across everyone. Rather, a tool is minimally intrusive, its results are repeatable on the same evidence, and its impact on a computer can be shown to be consistent. Many of the quoted things are agency specific, and if a given tool is approved by an agency, then those things would be true.”

My impression was that a large part of being called as Expert Witness in Court is putting one's face behind the presented results, assuring both the Court and the Jury (if any) that, besides the actual results, every possible (within limits of course) attempt to gather ALL data has been carried out and that the procedure was done by qualified personnel using the best possible and latest (within limits of course) technology available.
There are threads on the forum about how to dress, about the "opportunity" of having visible tattoos or piercings, about the way to answer questions asked by the Judge or by the counterpart; all of these would make little sense if the only thing that matters is the results of the examination and the written report.

The risk - as I see it - with "the tool" (which of course is exactly the same as the one involved in having the "full" examination carried out by a not-qualified-enough or not-expert-enough or "superficial" or "lazy" digital investigator) is not that it fabricates anything, but that it can miss something.
If no one - periodically - tests and somehow certifies "the tool" (possibly it being closed source/proprietary software) there is the risk that "the tool" becomes outdated.
On the other hand, if "the tool" is Open Source (and even if it is closed source/proprietary) its behaviour may become "predictable" and one or more of the bad guys (the few technically advanced/knowledgeable) may find ways to have their illegal activities go undetected by "the tool".

“As I think you mentioned, I don't need to know 100% of everything there is to know about a given system. At some point your return on what you get is far less than the time invested.”

And I do follow you in this :) , and I find "the tool" and its approach very valid for a whole range of investigations, but possibly not suited for the CP/IIOC ones, since there is this *need* for absolute certainty (again within limits) that nothing has been left behind.

If the Law (and/or the policies/guidelines) would say that the 90% "guaranteed" by the tool is "enough" there would be no problems whatsoever.

jaclaz


   
(@pfsfsf)
Active Member
Joined: 13 years ago
Posts: 6
Topic starter  

To add to the argument / constructive criticism: some UK forces have the Aceso Kiosk; let's say we had the same for a computer / laptop acquisition.

The non-tech police officer has "triaged" the 5 machines, 1 has a hit with IIOC, the suspect is arrested and the 20,000 live CP images are input into a kiosk at the station, the Kiosk generates a report based on the IIOC database and aggravating factors (peer to peer s/w etc) and then the suspect is led to interview…

Is this fantasy or a potential reality?


   
neddy
(@neddy)
Estimable Member
Joined: 21 years ago
Posts: 182
 

That could be a reality but the issue is that such a low level of diligence will result in false/incorrect charges, reputational damage to the investigating agency and appeals that will mean it was more cost effective to do the job to a higher standard in the first place.


   
EricZimmerman
(@ericzimmerman)
Estimable Member
Joined: 13 years ago
Posts: 222
 

“That could be a reality but the issue is that such a low level of diligence will result in false/incorrect charges, reputational damage to the investigating agency and appeals that will mean it was more cost effective to do the job to a higher standard in the first place.”

I'll have to disagree on that. It's not like a prosecutor will just wildly go off and file charges without due diligence. They aren't going to just look at some report that someone can't explain and be like "yeah, let's charge this guy!" I just don't see that happening. On the other hand, if I can take a report generated from triage/live response and explain what we have, why not file charges? I can always supersede an indictment later if something heinous is found.

People act like triage/live response is planting evidence or getting it wrong and that only "real/full" forensics can find evidence. Corroborate your findings from triage with X-Ways or whatever you want. You will find that what the "real" tool shows you is the same as a (well written) triage tool.

Can you find MORE with a full tool? Most likely yes, but the point of triage is not to find/show/process/report ALL (which is impossible) but to find enough to move the case forward sooner rather than later.

The bottom line is this: did the tool (either triage or a 'full' tool) find evidence that is chargeable and that meets the comfort level of a prosecutor?

And pfsfsf, I would take it further. With proper search warrant execution you would have the majority of that information BEFORE YOU ASKED YOUR SUBJECT THE FIRST QUESTION. You would have all the answers to your questions and would know whether he is being honest or not.

Contrast this to the "take it all and sort it later" approach and you miss so much opportunity.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

“I'll have to disagree on that. It's not like a prosecutor will just wildly go off and file charges without due diligence. They aren't going to just look at some report that someone can't explain and be like "yeah, let's charge this guy!" I just don't see that happening. On the other hand, if I can take a report generated from triage/live response and explain what we have, why not file charges? I can always supersede an indictment later if something heinous is found.”

“People act like triage/live response is planting evidence or getting it wrong and that only "real/full" forensics can find evidence. Corroborate your findings from triage with X-Ways or whatever you want. You will find that what the "real" tool shows you is the same as a (well written) triage tool.”

“Can you find MORE with a full tool? Most likely yes, but the point of triage is not to find/show/process/report ALL (which is impossible) but to find enough to move the case forward sooner rather than later.”

“The bottom line is this: did the tool (either triage or a 'full' tool) find evidence that is chargeable and that meets the comfort level of a prosecutor?”

Still, you are flip-flopping with words. 😯

I believe no one in his right mind can imagine that "the tool" plants evidence.
Likewise, no one would believe that on such a delicate matter a prosecutor will charge someone without "enough" evidence.

And you seem to be going over and over (and over) on the point that "the tool" has a very high level of accuracy, comparable to that of a "full" investigation (and again no one doubted that *whatever* "the tool" can and will find will always and fully be confirmed by a later "full" analysis).

But the point is still another one.

Is the *whatever* "the tool" can and will find "enough"?
And can a device where "the tool" has been run without result be excluded from seizure and further analysis?
I.e. can *someone* (again Law, Court, accepted policies or guidelines) state this in a non-equivocal manner?
And will this happen?

If yes, it's fine and dandy: "the tool" should NOT be connected to "triage" but rather to "automated analysis", and we can get rid of a lot of wasted time with the "full" analysis.

If no, it's a pity :( , and if there is the *need* to perform anyway a "full" analysis on ALL devices, no matter the results of running "the tool", then "the tool" is an actual "triage" aid that may have some use in changing the order in which the "full" analysis is performed.

To repeat myself, the concept of triage is only that of giving a priority in order to examine fully x before y.

Right now "the tool" (unless and until the mentioned statement about its use is official) represents IMHO a very, very nice, quick tool that may be extremely useful as a "double check" when the "full" analysis is performed.

In a perfect world :) , each and every digital investigator would, starting from tomorrow, run "the tool" right before performing a "full" analysis on a device, then provide BOTH reports, underlining the differences (if any) between what was found in the few minutes it took "the tool" to analyze the device and what was found in the several hours needed for the "full analysis". Then there will be some objective data.

If after a given period of time - let's say six months from now - a few tens, hundreds or thousands such reports (with no or trivial/minimal differences) land on the desktops of supervisors, prosecutors and judges, then probably policies/guidelines will be amended.

jaclaz


   
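The validation jaclaz proposes in the post above (run the quick tool, run the full exam, report both and underline the differences, then aggregate across cases) reduces to a set comparison per device plus a roll-up. The following is an added example, not code from the thread or from any product; findings are modelled as (artifact type, identifier) pairs, and the three cases and their identifiers are constructed placeholders. Beyond the per-device diff the post asks for, it also counts which artifact types the quick tool missed across cases, which is the pattern that tells a unit what its triage pack lacks.

```python
"""Added example: compare a quick triage report with the later full-exam
report of the same device, and roll the results up across many cases.

Findings are (artifact_type, identifier) pairs. Cases and identifiers below
are constructed placeholders, not real case data."""
from collections import Counter


def compare_reports(triage, full):
    """Compare one device's triage findings with its full-exam findings.
    Coverage is the share of full-exam findings that triage also reported."""
    triage, full = set(triage), set(full)
    matched = triage & full
    return {
        "matched": matched,
        "missed": full - triage,    # found only by the full exam
        "extra": triage - full,     # reported by triage but not by the full exam
        "coverage": len(matched) / len(full) if full else 1.0,
    }


def aggregate(cases):
    """Roll per-device comparisons up across cases given as
    (case_id, triage_findings, full_findings) triples."""
    total_full = total_matched = 0
    devices_with_misses = devices_with_extras = 0
    missed_by_type = Counter()
    for _case_id, triage, full in cases:
        c = compare_reports(triage, full)
        total_full += len(set(full))
        total_matched += len(c["matched"])
        if c["missed"]:
            devices_with_misses += 1
            missed_by_type.update(kind for kind, _ in c["missed"])
        if c["extra"]:
            # Triage reported something the full exam did not: this needs
            # reconciliation either way, since one of the two reports is wrong.
            devices_with_extras += 1
    return {
        "coverage": total_matched / total_full if total_full else 1.0,
        "devices": len(cases),
        "devices_with_misses": devices_with_misses,
        "devices_with_extras": devices_with_extras,
        "missed_by_type": dict(missed_by_type),
    }


# Constructed sample: three devices with placeholder identifiers.
CASES = [
    ("case-01/EX1",
     {("hash", "H1"), ("hash", "H2"), ("app", "p2p-client"), ("usb", "DEV1")},
     {("hash", "H1"), ("hash", "H2"), ("app", "p2p-client"), ("usb", "DEV1")}),
    ("case-02/EX1",
     {("hash", "H3"), ("app", "encryption")},
     {("hash", "H3"), ("app", "encryption"), ("carved", "H4")}),
    ("case-03/EX2",
     {("hash", "H5"), ("hash", "H6")},
     {("hash", "H5")}),
]

if __name__ == "__main__":
    for case_id, triage, full in CASES:
        c = compare_reports(triage, full)
        print(f"{case_id}: coverage {c['coverage']:.0%}, "
              f"missed {sorted(c['missed'])}, extra {sorted(c['extra'])}")
    print(aggregate(CASES))
```

On the constructed cases the quick tool reproduces 7 of the 8 full-exam findings (87.5% coverage); the one miss is a carved file, which is exactly the kind of artifact a live triage pass would not be expected to recover, and the third device shows a triage finding the full exam did not list, which is a reconciliation item rather than a pass.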