
[IEEE 2009 Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE) - Berkeley, California, USA (2009.05.21-2009.05.21)] 2009 Fourth International


Work-in-Progress

A Distributed Triage Model For Digital Forensic Services To State and Local Law Enforcement.

Michael Losavio, University of Louisville

Deborah Keeling, University of Louisville

Adel Elmaghraby, University of Louisville

Abstract

We propose a distributed triage model for digital forensic services to state and local law enforcement. This would permit efficient use of forensic resources by using local law enforcement for basic digital forensic analysis and assigning more complex matters to intermediate and advanced examiners.

1. Introduction

The vast bulk of law enforcement is handled at the state and local level in the United States. The explosion in digital forensics devices in consumer use is matched by the growth in digital evidence in a variety of cases. Yet the costs of training and equipment in the digital forensics domain may be a limiting factor in the use of digital forensics by law enforcement.

At the same time, however, there is a growing consumer-level expertise in the use of digital systems. This, too, is reflected in the use of digital evidence in legal proceedings without the use of an expert specially qualified by training, education or experience as to digital evidence.

These trends may be combined in a triage model of distributed digital forensics services whereby digital evidence may be classified by the level of expertise needed in its recovery and analysis and assigned to an investigator according to the expertise level needed and the types of services required.

2. Formatting your paper

Investigator expertise, services level and the expertise level needed may be simply classified as

1. Basic
2. Intermediate (Standard)
3. Advanced

Assigning digital evidence acquisition to the appropriate level efficiently allocates forensic services, law enforcement time and prosecutorial effort. This promotes the effective administration of justice at a time when all justice budgets are strained and departments may have difficulty developing specialist forensic expertise. It also avoids a perennial problem for specialist forensic laboratories that may have long delays in analysis that produce delayed trials, dismissed proceedings and wasteful examinations in cases already settled.

The trade-off is that triaged examinations and case processing may miss digital evidence of other misconduct due to counter-forensic efforts or a lower level of examination resources. Research into patterns of behavior relating to digital evidence by miscreants may help evaluate the extent of this risk.

2009 Fourth IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering

978-0-7695-3792-4/09 $25.00 © 2009 IEEE. DOI 10.1109/SADFE.2009.10


3. Conclusion

Core issues remain to be resolved if this is to be an effective, formal model of providing digital forensic services. Those issues include

1) Defining skill and expertise levels,
2) Assessing risks and benefits from such a system and
3) Providing appropriate training, equipment and networked support for the model.

Leadership and commitment will be needed for such a model as it requires discretionary decision-making as to the resources to be allocated in a particular investigation.
