InfoSec Reviews – Digital Triage Forensics

Book Title: Digital Triage Forensics

Subtitle: Processing the Digital Crime Scene

Authors: Stephen Pearson and Richard Watson

Publisher: Syngress

Date of Publishing: July 2010

ISBN(13): 9781597495967

Price (UK & US price – full price, not discounted price): £36.99, $59.95

EBook Version: Kindle edition available £26.36

URL of Publisher Site: Syngress

URL of Amazon UK web page: Digital Triage Forensics: Processing the Digital Crime Scene

URL of Amazon US web page:

The title, ‘Digital Triage Forensics’, caught my eye, as the subject of ‘triage’ is frequently discussed in relation to digital forensics and written about by many people, especially in such a rapidly changing discipline. The proliferation of digital devices seized in connection with criminal and civil proceedings, coupled with the need to access intelligence and evidence from these devices within a reasonable timeframe, means a triage approach is rapidly becoming a necessity rather than a purely academic subject. This is especially true where intelligence may be lost, or critical evidence may be deemed inadmissible, because of the delay between seizure and analysis (or the inappropriate handling of evidence by untrained staff).

If the subtitle, ‘Processing the Digital Crime Scene’, leads you to believe that this book is a guide to the principles and objectives of digital triage forensics, however, you may be disappointed. This is an extremely specialized book, written mainly for (and about) members of the US armed forces’ Weapons Intelligence Teams operating in Afghanistan and Iraq, acting as a guide to the equipment and forensic applications used by them to perform digital triage forensics.

The first three chapters, comprising 56 pages, discuss how insurgents use digital devices, including mobile phones, when manufacturing and deploying improvised explosive devices (IEDs). Some uses, such as a means of detonating an IED, are widely known, whilst others, such as insurgents taking photographs as proof of the atrocity that they have committed, are less well known to those of us who are unfamiliar with the modern battlefield.
In the challenging environment in which the Weapons Intelligence Teams operate, effective triage is particularly important because any delay between seizure and analysis can result in the loss of actionable intelligence; the authors describe this as intelligence that can be acted upon within 12 to 72 hours, where in the worst cases mishandling could result in the loss of military personnel or civilians.

The text relies heavily on military acronyms that, notwithstanding the inclusion of a glossary, make reading hard work for anyone unfamiliar with military jargon. There are also some noticeable spelling/printing errors, such as Figure 1 in the introduction, which is particularly noticeable because the figure is intended to demonstrate the benefit of digital triage forensics as a means of accessing vital information at an early stage.

The last two chapters, spanning two hundred pages, contain a description of the digital triage forensic model used by Weapons Intelligence Team members, as well as a description of the equipment they use to perform this role. The model is based on the paper published by the United States Department of Justice, ‘Electronic Crime Scene Investigators Guide: A Guide to First Responders’, and is similar to all other triage models that I have seen. It consists of five stages that the authors describe as follows:

Preparation – of the person conducting the process, including on-the-job training/experience and familiarity with equipment.

Collection – the gathering of digital evidence in a manner that will be acceptable for the judicial process.

Examination (first triage stage) – ensuring that the integrity of the original evidence is maintained.

Analysis (second triage stage) – identification of actionable intelligence as well as evidence that tends to show the guilt or innocence of a suspect.

Reporting – in a manner that is understandable by the audience for which it has been prepared.

The two triage stages are designed to identify the items that will yield actionable intelligence; following these stages, the discovered items are submitted to the forensic laboratory for further analysis. The triage process is also intended to eliminate non-yielding items that do not require further analysis.

There is a ‘Quick and Dirty Guide to Digital Forensics’ in chapter 4 which contains information on subjects such as the binary numbering system, cluster sizes, the ASCII table, file-system dates and times, validation of forensic tools and processes, and the ethics of digital forensics. Whilst these subject areas are all relevant to anyone with an interest in digital triage forensics, each subject is dealt with too briefly for anyone who wishes to learn it, and too basically for anyone who already has some knowledge of the subject.

The bulk of this book is a description of the tools provided to military Weapons Intelligence Teams, followed by a step-by-step account of how the tools should be used to process digital media and mobile phones. This will certainly be of value to the target audience, who will have access to the hardware and software tools discussed, but of little interest to anyone using different tools to perform digital triage forensics.

The authors clearly have a lot of experience working in the field of digital forensics for law enforcement and the military, and they have developed a training program for Weapons Intelligence Teams. In Digital Triage Forensics, they have written a book that will be of interest to anyone involved in battlefield forensics and, in particular, aspiring Weapons Intelligence Team members. However, the book is light on forensic fundamentals, and the methodologies suggested in the text are so specialized that this book is unlikely to appeal to digital forensic practitioners working in other areas.

Marks: 3 out of 5