Evidence Talks' CEO sees training as key to effective digital triage

Posted on 11 April, 2016 by Advance 

These systems unlock the door to a mass of data which can be rapidly identified, analysed, organised and presented as evidence. Like all significant advances in technology, their value is more readily understood and enjoyed with the benefit of training.
 
Applied by corporate executives and police forces alike, the rapid onset of digital triage techniques has created a step change in the investigative approach of compliance and law enforcement communities.
 
A report from the Digital Forensic Investigation Group at University College Dublin observed in 2010 that “digital forensic triage is a rapidly growing and highly automated area”. Since that report, the pace of change has continued to increase. David Kovar, an industry expert based in the USA and the former CEO of 1SAR International Search and Rescue, has identified the three drivers of this trend as technical innovation from the provider community; the financial benefits available to users from the speed and efficiency of digital forensic triage; and the growing volume of digital evidence, with a consequent effect on case backlogs.
 
Few doubt the potential value of the techniques but, as Access Data reported, “Digital investigations are no longer the exclusive domain of highly trained experts”. For some this has raised disquiet, best expressed by the UCD report as “potential deterioration of expert knowledge and over-reliance on automation” and “a less thorough level or quality of investigation”.
 
According to Elizabeth Sheldon, Director of ADS Aerospace, Defence and Security Industry in the UK, Chair of the Covert Technologies Supplier Forum and CEO of Evidence Talks, effective training is the answer to these concerns.
 
Systems such as Evidence Talks’ SPEKTOR, for example, are designed specifically for use by non-technical investigators, and allow front-line police, enforcement officers and corporate security staff to quickly preserve and automatically examine data stored on computers, servers and mass storage devices. To aid the flexibility of operations, the system uses standard removable USB devices as ‘collectors’, so that as many targets as are identified can be processed simultaneously.
 
As with all new systems and techniques, rapid deployment and maximum value are the twin objectives of users. In order to facilitate both, Elizabeth Sheldon advises that training is taken up as part of the familiarisation process. “Look for a range of training programmes tailored to the specific objectives of the customer”, she said, “including a ‘train the trainer’ option. This should deliver system familiarity plus all the configuration details required to set up, train and run your entire team. For customers who want to roll out a programme with ultimate control over timings and minimal disruption to workloads, it’s becoming a more and more popular choice.”
 
Evidence Talks’ approach starts with an Introduction to Triage course, aimed at those organisations which need to work from a position of virtually zero knowledge. There is the opportunity to grasp general principles and best practice. The role and scope of digital forensics are explained before attendees learn what can and cannot be done, how to maximise evidence acceptance, how to build integrated procedures and, crucially, how not to damage evidence.
 
More comprehensive programmes offer an intensive course over two days, moving from core concepts and basic analysis, through deployment and forensic imaging, to advanced analysis, including modules on key word lists and hash matching – the technique used to identify complex and unstructured data that has a degree of byte-level similarity. Critically, the courses are designed and delivered for non-technical investigators rather than forensic experts, resulting in a ‘force multiplier’ effect for organisations.
 
Over the duration of the course the focus turns to practical issues of system administration and settings, moving on to networking, remote access and data management, before finishing with a scenario-driven practical example.
 
While the fundamentals and applications of digital triage training have many common elements, Elizabeth Sheldon advises clients to seek a solution that most closely matches the environment in which users will operate: “On the basis of our experience with different sectors we offer separate triage training courses for corporates and for law enforcement.  The ETL Certified Digital Training (CDT) has been developed for the corporate sector and offers access to a substantial level of forensic knowledge from our trainers, along with practical case study sessions fine-tuned to the particular market sector in which they work.  In law enforcement we give officers a formal digital triage accreditation and the skills to deploy it successfully.  It provides them with the tools, skills and standard operating procedures to perform digital triage in compliance with ACPO best practice and the ISO17025 requirements.
 
“The undoubted benefits available from digital triage of accuracy, cost effectiveness and speed of deployment need not carry any associated risk when comprehensive training is available as part of a customer support programme.”