
Digital Investigation 10 (2013) 87–88

Contents lists available at SciVerse ScienceDirect

Digital Investigation
journal homepage: www.elsevier.com/locate/diin

Research summary

Triage: A practical solution or admission of failure


Mark M. Pollitt
Daytona State College, Engineering Technology Advanced Technology Center, 1200 W. International Speedway Blvd., Daytona Beach,
FL 32114, United States

Abstract

Keywords: Forensic triage; Backlog; Information security; eDiscovery; Software; Digital forensic process

An experienced investigator, digital forensic examiner, and academic reflects on the strengths and weaknesses of the use of triage. The author argues that the current practice, while a practical necessity, is a failure of the forensic process and software. It is suggested that triage be re-imagined as a formal process that can be measured for efficiency and efficacy.

© 2013 Elsevier Ltd. All rights reserved.

Triage is often understood as a way to maximize the use of scarce resources by prioritization. In law enforcement, prosecution, and the courts, this is often done by administrative fiat. Organizations only investigate and/or prosecute cases which meet a defined threshold. These are management and public policy decisions. But for this article, I wish to focus on triage in a digital forensic context.
Triage, in this context, is often used to describe attempts
at limiting the volume of data or devices which are
exhaustively examined. As someone who has been both an
investigator and a forensic examiner, I have mixed views of
this practice. I will share some of my thoughts on this
complex subject in this article.
First, we need to identify just what kinds of triage there are. One way to limit the amount of data or devices provided for examination is to reduce the amount of data and objects seized or acquired. Arguably, this is what we do in physical-world searches: we only seize items that match our list of items to seize, or for which we can articulate how a given object meets the criteria of the search. At least that's the theory. In practice, searches are often done by groups of people ("helpers"), many of whom do not know the details of the case, and as a result make less than fully informed decisions on what to take. Often, the default mode is to "take it all and let the investigator sort it out." To be fair, the same thing happens in digital searches. While this sounds reasonable, there is a core difference in the pragmatics of this approach. If you seize file cabinets of documents, courts have been fairly relaxed about the time it takes to review the documents. Often, a review is not conducted until much later in the case, or sometimes not at all. With digital searches, the courts are progressively less willing to allow long periods of time before the examination of the data or its return to the owner.

E-mail address: pollitm@daytonastate.edu.
http://dx.doi.org/10.1016/j.diin.2013.01.002
One of the most common methods to do this form of triage is the use of a dedicated boot disk or program which searches a computer for specific kinds of data, most often child pornography. Used for the purpose of getting damning evidence, often in the presence of the perpetrator, it is a very effective technique. And while this method allows for the seizure of the computer and a subsequent full examination, it has some limitations. By only looking for the prima facie evidence, it risks missing important information which supports the details of the crime's commission or even expands the scope of the investigation. By narrowly focusing on an expected outcome, we blind ourselves to potentially greater truths. In the worst case, as happened in Connecticut, an innocent person is condemned by the presence of contraband (Pollitt, 2008).
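The boot-disk or preview program described above, as an added example that is not code from the article: a small Python triage scanner that looks only at files matching chosen signatures, compares their SHA-256 against a known-file set, and, because the objection raised above is that such a narrow preview silently misses whatever it was not told to look for, records every file it skipped so that the scan's coverage can be reported next to its hits. The signatures, the sample files, the "known" hash set and the report layout are all constructed for this example; a real tool would load a vetted hash list.

```python
"""Signature-and-hash triage preview that records what it does not examine.

Added example, not code from the article. Signatures, sample file contents,
the 'known' hash set and the report fields are all constructed here.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Magic-byte prefixes for the file types the triage criteria target.
SIGNATURES: Dict[bytes, str] = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}

# Constructed stand-in for a vetted known-file hash list.
SAMPLE_KNOWN = b"\xff\xd8\xff\xe0" + b"constructed sample image bytes"
KNOWN_SHA256: Set[str] = {hashlib.sha256(SAMPLE_KNOWN).hexdigest()}


@dataclass
class TriageReport:
    examined: List[str] = field(default_factory=list)             # hashed and compared
    skipped: List[Tuple[str, str]] = field(default_factory=list)  # (path, reason) never read
    hits: List[str] = field(default_factory=list)                 # hash matched the known set

    def coverage(self) -> float:
        """Fraction of files actually examined (0.0 for an empty tree)."""
        total = len(self.examined) + len(self.skipped)
        return len(self.examined) / total if total else 0.0


def classify(path: str) -> Optional[str]:
    """Type a file by its leading bytes; None when no signature matches."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return None


def sha256_of(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root: str, target_types: Set[str], known: Set[str]) -> TriageReport:
    """Hash only files whose signature is in target_types; log every skip."""
    report = TriageReport()
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            kind = classify(path)
            if kind not in target_types:
                # The skip log is what lets the scan's coverage be measured later.
                report.skipped.append((path, f"type={kind}"))
                continue
            report.examined.append(path)
            if sha256_of(path) in known:
                report.hits.append(path)
    return report


def build_sample_tree(root: str) -> None:
    """Write a constructed three-file tree: one known JPEG, one unknown PNG, one text file."""
    os.makedirs(root, exist_ok=True)
    samples = {
        "IMG_0001.jpg": SAMPLE_KNOWN,
        "IMG_0002.png": b"\x89PNG\r\n\x1a\n" + b"constructed, not in the hash set",
        "notes.txt": b"plain text an image-only preview never reads",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def run_demo(target_types: Set[str] = frozenset({"jpeg", "png"})) -> TriageReport:
    """Build the sample tree in a temp dir and triage it with the given criteria."""
    root = tempfile.mkdtemp(prefix="triage-demo-")
    build_sample_tree(root)
    return triage(root, set(target_types), KNOWN_SHA256)


if __name__ == "__main__":
    for criteria in ({"jpeg", "png"}, {"jpeg"}):
        r = run_demo(criteria)
        print(f"criteria={sorted(criteria)} hits={len(r.hits)} examined={len(r.examined)} "
              f"skipped={len(r.skipped)} coverage={r.coverage():.2f}")
```

Run stand-alone, it builds the sample tree in a temporary directory and prints hits, examined, skipped and coverage for two sets of criteria. The coverage figure is the kind of measurable criterion the article's closing paragraph asks for: a scan restricted to JPEGs reports lower coverage over the same tree than one covering JPEG and PNG, so the choice to look at less is recorded rather than made silently.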


At the core of this approach is the notion of previewing the evidence, whether by software or by eyeball. As
noted above, the former technique may be too restrictive,
while the eyeball approach suffers from the same lack of
a consistent methodology as above, and the requirement
for the owner of the eyeballs to recognize probative evidence beyond the most obvious.
Another form of triage is within the forensic examination process. Examiners have struggled with the problem of what to look at since the very first computer forensic examinations. In the early 1990s the foremost computer forensic training organization was the International Association of Computer Investigative Specialists (IACIS), which taught its trainees (myself included) that every single file should be examined. They even went so far as to recommend executing every binary file, in case it was a Trojan horse program. Today that notion is viewed as absurd, but, at a visceral level, examiners often fear missing something important. But if we cannot look at everything, what should we look at? Forensic examiners make judgments about where to look, and for what, based on experience. Experienced forensic examiners often make good decisions. However, that judgment process is rarely recorded and is difficult to articulate, let alone replicate.
Mike Phelan, the late Director of DEA's digital evidence laboratory, coined the term "sufficiency of examination" to deal with this problem. By this he meant doing enough examination to answer the forensic or investigative questions, but nothing more. One of the major tasks of the digital forensic examiner is to decide what to look for and where. But this has its own set of problems. Just as the "helpers" at a search site may not have a clear understanding of all the dimensions of the case, forensic examiners typically do not have a thorough knowledge of the case. It simply is not practical to develop this level of knowledge. In the absence of a solid definition of what needs to be examined, examiners will often perform examinations of evidence in certain ways, not because it is the most efficient or effective, but because they always do it that way, they feel like doing it that way, or sometimes simply because they can. If you don't have a clear understanding of what you are looking for, how do you know where to look and when to stop looking?
So, objectively, it would appear that triage is not a particularly good solution to the seizure and examination of digital evidence. So why has triage become so common that a special issue of this journal is dedicated to the topic? Simply because today we do not have a better approach. Investigators need the evidence in a timely fashion. They are more willing to get some useful evidence quickly than to wait endlessly for all of the evidence. Examiners, for their part, are constantly challenged about their backlog, and the quickest way to reduce the amount of time that each examination takes is to look at less material. So, triage is a practical solution for both investigators and examiners.


I can empathize with both positions: I have been there. But in my current role as an academic, I have the luxury of looking at the problem from a distance. From that position, the view is of a systematic failure of both the digital forensic process and digital forensic software. The tools, techniques and approaches to digital forensics have not adapted well to the vast increase in digitally stored information, nor to the disparate uses to which humans put digital technologies. With a bit of reflection, that should not be surprising. The tools and techniques we use for digital forensics were designed before Twitter, Facebook, and smartphones. Our tools are not only data-centric, but hardware-centric. During the last two decades, users have become not only information-centric, but part of social networks.
The tools that we use have not adapted well to these new user paradigms. Another way to look at the problem is that we have been focused, as Farmer and Venema (2005) put it, on the geology and archaeology of computers. We sought to focus on the extraction and interpretation of data in a historical context. I would suggest that, in the current computing environment, better paradigms might be anthropology and sociology. The data is more about human interaction and interpersonal relationships than about technology.
But tools have never been enough in digital forensics. The relationships between the investigators, the forensic examiners, the attorneys and their respective organizations have always played a key role in the success or failure of digital forensics. I should note that while I have used the criminal justice terminology for the participants, the criticality of the relationships applies equally to the information security or eDiscovery context. The successful collaborations between investigator and examiner (even when they are the same person) occur when the goals and objectives of the examination are well defined and understood. Like any scientific or engineering problem, a good problem definition is key to designing an effective experiment, solution or examination.
Will a re-imagining of our tools and process eliminate the need for triage? No. But it might allow for a more clearly focused, well-documented set of criteria for searches, seizures and examination. These criteria can be measured for efficiency and effectiveness. It may allow the community to have a reasoned discourse on what we do, and how. Triage might become a scientific process. This might be yet another step toward becoming a mature science.
References

Farmer D, Venema W. Forensic discovery. 1st ed. Addison-Wesley Professional; 2005.
Pollitt M. Digital orange juice. J Digit Forensic Pract 2008;2(1):54–6.
