The triage approach is growing more popular day by day in the field of computer forensics. The name has been derived from the emergency medicine terminology – triage is the process of determining the priority of patients’ treatment based on the severity of their condition. In the field of computer forensics the term triage refers to selecting and collecting data that is crucial from the perspective of the particular case. In other words, the methodology focuses on classification of the information prior to the time-consuming process of data copying.
Triaging makes it possible to substantially limit the time required to capture and analyse the data, reduce the data volume and in effect, considerably cut down on the costs.
How does triage work?
Before collection, an expert configures special software from the viewpoint of the requirements of the ongoing investigation – it is the expert that determines the criteria based on which the data are classified as important. Triage software may be configured to target data according to the file type, size, modification date or certain key content.
Following such configuration, the software (stored on an external drive) is attached to the USB port of each of the suspect computers. After that, the triage tool searches out the relevant data based on the predetermined criteria and captures it. The fact that the software is first configured by an expert makes it possible to automate the process – the tool can be used by a person with only basic training in the field.
The expert decides what kind of data will be collected at the stage of triage software configuration. It is possible either to capture individual files that fulfill specific criteria from a number of computers or to select specific computers for traditional full collection.
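The configure-then-collect workflow described above, written out as an added Python example (it is not code from the original article or from any particular triage product). The TriageProfile class plays the part of the expert's configuration (file type, size, modification date, key content), run_triage walks the suspect tree and copies only the files that satisfy every criterion that was set, and each collected file is recorded in a manifest with its SHA-256 before and after copying so the collection can later be documented. The directory layout, file contents and keyword are constructed sample data; profile fields and function names are this example's own.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator, List, Optional


@dataclass
class TriageProfile:
    """The expert's configuration (hypothetical structure for this example).
    Each criterion is optional; a file is collected only if it satisfies all criteria that are set."""
    extensions: Optional[set] = None          # e.g. {".docx", ".pdf"}, compared case-insensitively
    min_size: Optional[int] = None            # bytes
    max_size: Optional[int] = None            # bytes
    modified_after: Optional[float] = None    # Unix timestamp
    keywords: Optional[List[bytes]] = None    # byte strings searched for in file content
    keyword_scan_limit: int = 1024 * 1024     # only inspect the first 1 MiB for keywords

    def matches(self, path: Path) -> bool:
        st = path.stat()
        if self.extensions is not None and path.suffix.lower() not in self.extensions:
            return False
        if self.min_size is not None and st.st_size < self.min_size:
            return False
        if self.max_size is not None and st.st_size > self.max_size:
            return False
        if self.modified_after is not None and st.st_mtime < self.modified_after:
            return False
        if self.keywords:
            with path.open("rb") as f:
                head = f.read(self.keyword_scan_limit)
            if not any(k in head for k in self.keywords):
                return False
        return True


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_files(root: Path) -> Iterator[Path]:
    # followlinks=False so a symlink loop on the suspect machine cannot trap the scan
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                yield p


def run_triage(source_root: Path, profile: TriageProfile, evidence_dir: Path) -> List[dict]:
    """Copy every matching file into evidence_dir and return the manifest entries
    (source path, size, mtime, SHA-256 of source and of copy, collection time)."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in iter_files(source_root):
        try:
            if not profile.matches(src):
                continue
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole run
        digest = sha256_file(src)
        dst = evidence_dir / f"{digest[:16]}_{src.name}"
        shutil.copy2(src, dst)  # copy2 preserves the original timestamps
        manifest.append({
            "source": str(src),
            "size": src.stat().st_size,
            "mtime": src.stat().st_mtime,
            "sha256": digest,
            "copy_sha256": sha256_file(dst),  # verifies the copy is bit-identical
            "collected_at": time.time(),
        })
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def collected_names(manifest: List[dict]) -> List[str]:
    return sorted(Path(e["source"]).name for e in manifest)


def demo() -> List[dict]:
    """Build a constructed sample tree in a temp directory and run one profile over it."""
    base = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    src = base / "suspect_pc"
    (src / "Documents").mkdir(parents=True)
    (src / "Downloads").mkdir()
    (src / "Documents" / "contract.docx").write_bytes(b"PK\x03\x04 confidential contract terms")
    (src / "Documents" / "notes.txt").write_bytes(b"confidential meeting notes")
    (src / "Downloads" / "movie.mkv").write_bytes(b"\x1a\x45\xdf\xa3" + b"\x00" * 4096)
    (src / "Downloads" / "readme.pdf").write_bytes(b"%PDF-1.4 public brochure")
    profile = TriageProfile(extensions={".docx", ".pdf", ".txt"},
                            max_size=1024 * 1024,
                            keywords=[b"confidential"])
    return run_triage(src, profile, base / "evidence")


if __name__ == "__main__":
    for entry in demo():
        print(entry["sha256"][:16], entry["source"])
```

With the constructed profile, only contract.docx and notes.txt are collected: movie.mkv fails the extension criterion and readme.pdf contains no keyword. In a real deployment the profile would be written by the expert before the drive is handed over, and the manifest (not just the copied files) is what supports the documentation requirement discussed later in the article.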
Triage in practical terms – an operation conducted by the Silesian Police
An operation carried out recently by the Silesian Police is a good example of how to apply the triage methodology in practice. The employees of a certain company were downloading illegal content from the internet. The company owned over 100 computer stations. The police – with the assistance of IT specialists – used the triage methodology to isolate 10 computers for full analysis. Thus, the amount of data to be examined was reduced by 90%. Had the police applied the traditional approach, capturing the data would have taken much more time and the company's operations would have been temporarily paralysed.
Triage and live forensics
A combination of the triage methodology and live forensics (work on a running system) is especially interesting. Even though live forensics violates the golden rule of computer forensics, which requires that the investigator avoid any interference with the targeted data, it allows access to resources that are unavailable once the computer is turned off and collected off-line, such as data stored in the cloud, encrypted data or RAM contents. In some situations – for instance when the system cannot be shut down, because the hard drive is encrypted and the master decryption key is not available – live forensics may be the only method available.
It should be added that evidence material obtained from live computer systems constitutes a new standard, and the judiciary is getting more and more accustomed to dealing with it. Nonetheless, one should keep in mind that all activities taken by the investigator on a seized computer must be closely documented. Employing well-recognized, dedicated triage software enables companies to present the right documentation and by implication, helps deliver credible evidence.
Triage – advantages
To recapitulate the above, the triage methodology makes it possible to:
- reduce the data volume and the time required to collect and analyse data;
- use the support of personnel who are not highly skilled (expert knowledge is required only at the stages of tool configuration and analysis);
- effectively resolve the issue of securing a large number of computers;
- gain access to more data sources, such as transitory data, external resources and encrypted information;
- substantially cut down on the costs and the time of the investigation.