Digital forensic triage is morphing into evidential methods akin to the streamlined reporting processes that we see in DNA, etc., and is giving the impression to the untrained that an OS triage report or its ilk may be used in court to support charges without any experienced oversight.
The arguments being discussed here can be defined by whether you agree that this is good practice or not. Having used all of the major OS Triage tools, I do not agree that they alone are robust enough to support charging without proper review or oversight.
3. a. This happens routinely without *need* of a full forensic exam here in the USA across a wide range of departments. Charges are regularly filed based on triage results alone.
The legal standard required for filing charges in criminal cases in the US is probable cause - a very low standard. It may be sufficient for prosecutors who don't know any better to base a filing decision on triage results, but if they are taking those cases to court and expecting to prove a case beyond a reasonable doubt (the standard for conviction in US criminal cases) without a full forensic examination of the evidence then they are fools.
It's clear from your posts in this thread that you are trying to sell a tool. I get that. However, your premise that a triage tool should be used in all cases to determine whether a device should be seized pursuant to a search warrant is not based in the reality of criminal investigations. No investigator with several hours of training in any triage tool is going to be able to craft sufficient search terms or other data points for that tool to absolutely determine whether evidence exists or not on that device 100 percent of the time. Even forensic examiners with many years of training and experience have difficulty sometimes finding evidence with full forensic examination of evidence.
I'll admit that cases today involve much more data than they did when I started doing criminal investigations involving digital evidence more than a decade ago. The idea that digital forensic investigations should be reduced to push button operations by untrained cops isn't any more realistic now than it was back then. In my opinion, triage tools operated by untrained individuals in order to determine what gets seized pursuant to a search warrant are a mistake of the highest order.
Have you ever used osTriage? If so, what version?
The legal standard required for filing charges in criminal cases in the US is probable cause - a very low standard. It may be sufficient for prosecutors who don't know any better to base a filing decision on triage results, but if they are taking those cases to court and expecting to prove a case beyond a reasonable doubt (the standard for conviction in US criminal cases) without a full forensic examination of the evidence then they are fools.
In Utah, charges are filed all the time based on triage results AND devices are left behind that aren't of interest. In many of those cases a trial isn't necessary because of the volume of evidence recovered on scene.
Additionally, a lot of assistant US attorneys advocate and in fact want triage/LR tools to be used for many of the reasons I have already discussed. I have spoken to a room full of AUSAs on several occasions about osTriage and its capabilities at national conferences. It is taught yearly at their training. It is discussed in their newsletters.
The official ICAC training curriculum teaches the use of osTriage as its primary tool for on scene use.
The list goes on and on.
When it comes to a trial, you would almost always follow up with additional info and exhibits, but do you really think showing a jury browser history in X-Ways, Encase, or FTK is somehow better than doing it with any other tool?
*What* tool finds evidence isn't as important as whether the tool is doing so *correctly*.
It's clear from your posts in this thread that you are trying to sell a tool. I get that. However, your premise that a triage tool should be used in all cases to determine whether a device should be seized pursuant to a search warrant is not based in the reality of criminal investigations. No investigator with several hours of training in any triage tool is going to be able to craft sufficient search terms or other data points for that tool to absolutely determine whether evidence exists or not on that device 100 percent of the time. Even forensic examiners with many years of training and experience have difficulty sometimes finding evidence with full forensic examination of evidence.
If by "sell" you mean give it away to law enforcement for free, then yes. All my software is, and always will be, free. In fact, it's in use by 1000s of LEOs in over 65 countries around the world.
I guess the hundreds of search warrants I have personally participated in, as well as the 1000s of warrants where my software has been used, do not fall into the "reality of criminal investigations." Bummer.
Your point about not being able to craft search terms or data points is understood, but that's why the ability to easily supply lists of keywords or hash sets exists. In the case of osTriage, it ships with over 300 keywords associated with child exploitation and millions of hash values. Users can extend this or add entirely different lists of keywords and hashes as their investigative needs dictate.
Saying anything with 100% certainty is rarely a good idea, but as I have seen and heard from hundreds of users all over the world for the past 3 years, osTriage enables them to get to a very high level of confidence that what they are looking for either is, or isn't, there.
What I am saying is that a triage/live response tool should *always* be used on a running machine for a wide variety of reasons (active network connections, running software, capturing RAM, detecting active encryption, and TONS more), and one of those many reasons is eliminating a device as being of interest. This is done just about every week on search warrants in Utah with the ICAC. It is not some pie in the sky idea. It's reality.
It is overly burdensome on LE and on people tangentially related to a subject to simply "take everything and sort it out later" when in some cases 80% of what would be seized has nothing to do with the crime being investigated. Every case is different, but effort should be made to separate the wheat from the chaff to the benefit of both parties mentioned above.
I'll admit that cases today involve much more data than they did when I started doing criminal investigations involving digital evidence more than a decade ago. The idea that digital forensic investigations should be reduced to push button operations by untrained cops isn't any more realistic now than it was back then. In my opinion, triage tools operated by untrained individuals in order to determine what gets seized pursuant to a search warrant are a mistake of the highest order.
Who said anything about untrained? Who said people with no training or background in these things are making any kind of decision on what to take? I am talking about the use of triage/LR in task force environments that deal with computers on a routine basis. I am talking about an FE using a triage/LR tool to make better decisions within moments of securing a search warrant scene.
I am not saying triage/LR is *the replacement* for full forensics in every case, but it certainly CAN be for some things (or at least the vast majority of artifacts found in an exam). In fact, at least for osTriage, you will get more from it in 10 minutes than from a typical full exam.
Let's be honest here. A lot of forensic reviews consist pretty much entirely of low hanging fruit. How many wildly advanced cases have you had to examine where a person hid their tracks so well it was hard to find what you needed?
Every case differs, but child exploitation cases are an excellent example of how triage/LR in the field goes a LONG way toward moving the case forward. To suggest otherwise, to me, indicates someone hasn't been involved in those kinds of cases for a long time.
In my experience, the downplaying of triage/LR over "more traditional means" is done by old guard examiners who either do not want to change or somehow fear losing control over their kingdom. (I am not saying you are in this boat, but typically a strong resistance to new techniques that are clearly effective comes from people of that mindset. Moreover, these same people have never even used the techniques being discussed but somehow feel compelled/qualified to argue the cons of such an approach.)
The old way works, but it certainly doesn't scale. The problem will continue to get worse as hard drives and data sets continue to grow.
Deleted
If we sense the defense doesn't want to take a plea we do further forensic analysis.
On what? 😯
I mean, IF "the tool" was used to avoid seizing devices, i.e. was used NOT as a "triage tool" but rather as an "exculpating tool", you won't be able to carry out further analysis on those items; you are limited to the items that already resulted "positive" to "the tool" (and I am quite confident that "the tool" is very good), and you won't find much more evidence through a traditional analysis on the seized devices. The issue is only if, by any chance, "the tool" misses something when it runs and because of this negative result you leave the device in the possession of the suspect.
So, all in all, we are back to square #1: is this risk of a "false negative" so trifling as not to be considered?
Or has it been considered by *someone*, and has this *someone* issued a corresponding policy/guideline/whatever that has some form of validity in the UK?
jaclaz
Deleted
Jaclaz, I was referring to doing further analysis of the items seized. Regarding not finding more evidence through a traditional analysis, I'd say it all depends on the type of case and what you are looking for. I've really only used triage tools for child exploitation cases, and I'd say it all depends on the case as to whether you'd find significantly more evidence. For example, if your case was initiated through means other than peer to peer, such as emails, then digging further with other tools may be of benefit. I generally find osTriage gets me everything I need though.
Regarding a false negative with triage software, I have had a few pieces of media that went through osTriage software with child exploitation images that were not identified. Personally, I always use EnCase to preview any media that passes on triage software just in case. To each their own though.
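To make the false negative described above concrete: the script below is an added illustration, not osTriage code or anything from the thread. It performs the two checks the thread keeps coming back to, hash-set matching and keyword matching, over a constructed directory, and shows that a copy of a known file altered by a single byte silently drops out of the hash hits. SHA-1 as the hash algorithm, the keyword "sampleterm" and the file names are all assumptions of the example.

```python
import hashlib
import os
import tempfile

def sha1_of(path):
    """Hash a file in chunks so large media does not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage_dir(root, known_hashes, keywords):
    """Walk a directory and return (hash_hits, keyword_hits) as sorted file names.
    Hash hits are exact matches against the known set; keyword hits match on the
    file name only, mirroring the quick checks a triage pass performs."""
    hash_hits, keyword_hits = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if sha1_of(path) in known_hashes:
                hash_hits.append(name)
            if any(k in name.lower() for k in keywords):
                keyword_hits.append(name)
    return sorted(hash_hits), sorted(keyword_hits)

def demo():
    """Constructed scenario (assumed, not real case data): one file on the hash
    list, a copy of it altered by a single trailing byte, and an unrelated file
    whose name carries a keyword."""
    original = b"constructed sample content, stands in for a known file"
    known_hashes = {hashlib.sha1(original).hexdigest()}
    keywords = ["sampleterm"]
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "known.bin"), "wb") as f:
            f.write(original)
        with open(os.path.join(root, "known_altered.bin"), "wb") as f:
            f.write(original + b"\x00")  # one extra byte: the hash no longer matches
        with open(os.path.join(root, "notes_sampleterm.txt"), "wb") as f:
            f.write(b"unrelated constructed text")
        hash_hits, keyword_hits = triage_dir(root, known_hashes, keywords)
    # The altered copy is the false negative: identical to a reviewer's eye,
    # invisible to an exact-hash check, which is why a manual preview still matters.
    missed = [n for n in ("known.bin", "known_altered.bin") if n not in hash_hits]
    return hash_hits, keyword_hits, missed

if __name__ == "__main__":
    print(demo())
```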
Yep, and you are reporting a concrete (IMHO very correct) use of "the tool".
Nothing is excluded, everything is taken into custody and then analyzed, at first using "the tool" as a quick, automated way to get "the most" and, when and if needed, followed by a second, more "traditional" procedure.
jaclaz