When the term "triage" is mentioned, it can evoke different thoughts for different people. Most commonly, it refers to a quick method of determining a threshold number of images, videos, or specific keywords to make a straightforward yes/no decision. However, triage has evolved into something much more comprehensive than just a simple yes/no or red-light/green-light scenario. It can be performed on various devices quickly and accurately, allowing for sound initial decisions at the outset of an investigation.
We have several options available for conducting triage, including, but not limited to, a quick "show me" approach, "early case assessment," "critical incident" evaluation, and "intelligent triage." Let's briefly explore each of these methods and their potential applications.
Let's start with the quickest and most commonly used form of triage: the "show-me" triage. This method is particularly effective in child exploitation investigations, where multimedia content and specific keywords can help you quickly locate the data necessary for decision-making. It is mainly utilized on-site during a search warrant or a knock-and-talk situation. This approach helps investigators make swift decisions, allowing them to rule out devices as well as locate them.
The "show-me" triage is fast and often depends on the visual inspection of the investigator or analyst to determine if the multimedia content meets the threshold for seizing the device. However, depending on the tool used, this method can be one-dimensional, may generate false positives, and can leave you uncertain about the findings.
Utilizing a customizable tool can enhance your ability to conduct a quick multimedia and visual search, incorporating case-specific hash values, unique keywords, and artifacts. This approach can also reveal user-specific interactions with the multimedia content. An "Early Case Assessment," performed within a "preview" or "scan-only" framework, allows for the rapid visualization of data. You can pause at any moment to report on what you've collected, enabling accurate documentation of your actions and decisions.
If you are a forensic investigator who typically sends devices to a regional lab, early case assessment enables you to gather data directly from the device using Advanced Logical Acquisition. This allows you to continue your investigation while the device is being sent to the lab and you await the results. In some instances, this method can lead to an earlier and more successful resolution of the case.
Consider an investigator who receives a CyberTip related to Child Sexual Assault Material (CSAM), along with unique keywords and hashes pertinent to the case. By employing a triage methodology, the investigator can create customized search parameters, incorporating the Cat 1 Project Vic hashes to scan both computer and mobile devices for relevant data linked to the CyberTip.
Using ADF PRO on the scene, the investigator scans a live Windows computer and also boots a computer using a USB Collection Key loaded with ADF PRO and the customized search parameters. While scanning the computers, the investigator utilizes the license to preview and obtain Advanced Logical Acquisitions from multiple devices.
Through this process, the investigator determines that the live Windows computer is directly connected to the downloading of the material referenced in the CyberTip. Additionally, the scan of the powered-off computer—identified as a Linux machine—also reveals the presence of contraband. All of this is accomplished within a timeframe consistent with the duration typically required for executing a search warrant.
The investigator not only makes on-site decisions faster based on the CSAM discovered but also conducts an interview using the relevant data. Devices deemed irrelevant are cleared and left at the scene, allowing the lab to focus on the devices that are pertinent to the case.
This brings us to the "Critical Incident" triage, where investigators are faced with a large number of devices and need to find specific information, typically related to date, time, or GPS metadata. In these scenarios, a preview can be conducted, allowing multimedia to be sorted and filtered quickly based on specific criteria. This process enables investigators to select only the devices necessary for immediate review. In cases involving victims or witnesses, the data can be collected, and the devices can be returned promptly and efficiently.
In this context, a critical incident occurs in a contained area, leading to the collection of numerous devices to secure any multimedia (pictures and videos) from that day that may aid the investigation. By utilizing the preview function of Mobile Device Investigator (MDI), investigators can quickly view and filter multimedia based on a specific timeframe or geographic location related to the incident. Within minutes, they can collect pictures, videos, properties, integrity hashes, date/times, and device information. This approach allows for minimal intrusion on the devices, enabling them to be returned to the witnesses swiftly.
Triage methods vary in their processes depending on the type of case and the data available upfront. When these methods are combined or customized, they help adapt and respond effectively; this is where intelligent triage comes into play. Intelligent triage refers to an advanced, technology-driven approach to efficiently sorting, prioritizing, and analyzing data from devices in real-time, especially in time-sensitive or critical situations. Unlike traditional triage methods, which often involve extensive data collection followed by lengthy analysis, intelligent triage utilizes smart tools to streamline the process. This allows users to quickly identify and extract the most relevant information needed at that moment.
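As an added illustration of the combined approach described above (it is not ADF's code and does not model any ADF product), the following Python script prioritizes media items by three of the criteria the page discusses: a case-specific hash set, an incident time window, and proximity to the incident location. The media items, the "known" hash set, and the incident parameters are constructed sample values; real EXIF extraction is assumed to have already been done.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple, List, Dict, Set

@dataclass
class MediaItem:
    name: str
    data: bytes                          # file bytes (constructed here)
    taken: Optional[datetime]            # EXIF capture time, if present
    gps: Optional[Tuple[float, float]]   # EXIF (lat, lon), if present

def sha256_hex(data: bytes) -> str:
    """Integrity hash used both for reporting and for hash-set matching."""
    return hashlib.sha256(data).hexdigest()

def km_between(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance (haversine) in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def triage(items: List[MediaItem], known_hashes: Set[str],
           window: Tuple[datetime, datetime], center: Tuple[float, float],
           radius_km: float) -> List[Dict]:
    """Return only items that match at least one criterion, with the reasons."""
    start, end = window
    hits = []
    for it in items:
        digest = sha256_hex(it.data)
        reasons = []
        if digest in known_hashes:
            reasons.append("hash-match")
        if it.taken is not None and start <= it.taken <= end:
            reasons.append("in-window")
        if it.gps is not None and km_between(it.gps, center) <= radius_km:
            reasons.append("near-scene")
        if reasons:
            hits.append({"name": it.name, "sha256": digest, "reasons": reasons})
    return hits

# Constructed sample case: a placeholder hash set, a one-day window, a scene location.
CASE_HASHES = {sha256_hex(b"constructed-known-file")}   # stands in for a real hash set
WINDOW = (datetime(2024, 5, 1, 8, 0), datetime(2024, 5, 1, 20, 0))
SCENE = (40.7128, -74.0060)
SAMPLE = [
    MediaItem("a.jpg", b"constructed-known-file", None, None),
    MediaItem("b.jpg", b"unrelated-1", datetime(2024, 5, 1, 12, 30), (40.7130, -74.0065)),
    MediaItem("c.jpg", b"unrelated-2", datetime(2024, 4, 20, 9, 0), (34.0500, -118.2500)),
    MediaItem("d.mp4", b"unrelated-3", datetime(2024, 5, 1, 19, 59), None),
]

def run_sample() -> List[Dict]:
    return triage(SAMPLE, CASE_HASHES, WINDOW, SCENE, radius_km=1.0)
```

Running `run_sample()` returns a.jpg (hash match), b.jpg (in window and near the scene) and d.mp4 (in window only); c.jpg is excluded and would not need to be seized.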
ADF Solutions has been a leader in digital triage for over 20 years, empowering you to customize, adapt, and effectively manage your cases while filtering out the noise. Our technology enables law enforcement professionals to automate a substantial portion of the evidence collection process, enhancing their confidence in investigations.
Need assistance with your particular use case? Contact ADF today for a quick demo.