The medical profession maximises the number of lives that can be saved using Triage. Can lessons be learnt in the context of Digital Forensics?
It would be nice to imagine that when a police investigation requires input from digital forensics it can have as many experts as it needs, instantly, with no time pressure to get results, giving the opportunity to analyse every byte, every artefact, through the skilled eyes of a fully trained analyst.
But what if we miss something?
In the real world, where the demand for digital forensics is growing exponentially, this level of thoroughness isn’t possible, but any alternative approach raises the question “what if we miss something?”.
This question acknowledges that anything less than an exhaustive investigation creates risk – which is of course true. However, we believe that we need to see risk as something to be managed rather than as a threat – as other professions have already been forced to do.
Triage in Medicine
Doctors have long faced the issue of balancing risk, especially those working in accident and emergency departments, on the battlefield, or responding to crisis situations.
A doctor’s natural desire may be to treat the patient in front of them immediately and as comprehensively as possible – not doing so generates risk to the patient. However, the medical profession has also recognised the cost of treating one patient thoroughly when other nearby patients could be dying from lack of care.
The concept of Triage has its origins in this world, describing the process of making sure that those who are beyond help and those with minor injuries don’t distract from those who need urgent lifesaving attention.
Understanding the Limits of Systems
I think most of us also understand that any finite system becomes unsustainable, especially when under pressure, if informed limits are not placed on the depth and thoroughness of activity it performs.
Imagine you are otherwise healthy and turn up at accident and emergency having tripped and injured your wrist. You probably expect that the care you receive might involve an examination, maybe an x-ray, a bandage or cast, and some advice on how to stay comfortable. I think most of us would be surprised if the doctor decided to take a full medical history, blood tests, CT and MRI scans, cognitive function tests, test our balance, and otherwise try to explore every possible neurological and physiological cause for the fall.
This is because we intuitively understand that such a response, while thorough, would be disproportionate. While in a minuscule minority of cases such thoroughness might change lives by detecting serious illness early, this would be at the cost of making healthcare utterly unaffordable (at least to all but a privileged few – forget any national health system).
Limits in Digital Forensics
Many of the same challenges and opportunities exist in digital forensics. There are insufficient resources to do the most in-depth possible investigation of every byte on every device, but this is also not likely to be an appropriate response to the majority of cases.
The Digital Forensics Strategy is therefore a vital tool for ensuring that scarce resources are allocated appropriately and, by taking account of both swift initial investigation and contextual information, triage can play a key role in ensuring that the strategy is proportional.
Decisions on Risk Need Data
Risk can be quantified in the medical domain because statistical information on outcomes is available.
Corresponding data seems to be lacking in the digital forensics domain, predominantly due to a lack of study. Academic publications on digital forensics tend to focus on techniques and processes, and there is little material exploring, for example, the relationship between what triggered an investigation, the digital evidence found, and the outcome. This may be in part because of the sensitive nature of the data, although the anonymisation techniques developed in healthcare could perhaps offer a solution.
Most investigators we meet have a strong intuitive understanding of where risk lies. For example, many investigators tell us that certain types of intelligence tend to result in corresponding offences being discovered, but don’t have access to any data to support this.
Similarly many investigators tell us that the bigger the backlog the greater the risk that something lies undiscovered that could reduce harm, but there is little to quantify this either.
We believe gathering data on risk levels associated with different investigations, artefacts and techniques could be a huge opportunity to drive positive change.
The Risk Balance
Whether or not risk can be quantified as well as in the medical profession, the principle of balancing risk between the current investigation (equivalent to an individual patient) and the backlog (equivalent to a waiting room, or the other survivors of a major incident) remains vital.
The digital forensics strategy can take control of this risk by ensuring appropriate prioritisation and proportionate use of resources on each investigation.
Tackling Risk in Digital Forensics
There are many researchers, practitioners and suppliers working to help digital forensics teams get smarter about risk, from better triage to more powerful analysis tools and more comprehensive case management.
Cyan Forensics plays a role in this area – specialising in rapid triage in CSE and CT investigations. Our tools highlight key evidence quickly and help avoid building up backlogs of low-risk devices.