I love getting out and meeting our customers, and people who I think our technology could help. This means I meet a lot of people working in law enforcement, and specifically in units dealing with Child Sexual Abuse and Exploitation. This is not a career choice that people make for money or glory. This is something people are driven to do by a desire to make the world safer for children, and inhospitable for those who prey on them. This is a job people want to do properly, and I couldn't agree with them more. Supporting this mission, even just as a software vendor, is a privilege and a responsibility.

Investigators recognise that any triage activity, whether it's scrolling through a suspect's pictures to see what you can find or using a special-purpose tool, is going to be a compromise. For some, this calls into question whether triage is a useful step at all, or whether it introduces a risk of missing vital evidence. Missing evidence that could safeguard a child or convict an offender is, of course, a disastrous outcome and one that no-one wants to risk. So should modern rapid triage techniques have a place in this kind of investigation at all?

First do no harm

Every customer we work with already had a process in place before we met them. These processes vary widely. Some agencies dealing with serious cases are able to deploy significant forensics resources on-scene every time they serve a warrant. Other agencies rely on detectives to serve warrants and "bag and tag" digital devices for later analysis in a lab. In every case agencies are doing the best they can with the workload and resources they have available, and have designed these processes to balance risk in their investigations.

We have a number of former police forensic analysts in our customer success team. When we start working with a new customer this team works to support them in fully understanding our technology and adapting that process to use modern rapid triage effectively. We help our customers put in place updated processes on the principle of "Do no harm". The new process should offer opportunities to get evidence faster, make better decisions, and direct resources. It should never result in a situation where a child is put in danger or an offender slips through the net as a result of the triage process. The "fail safe" if triage doesn't find anything should be to revert to the existing process exactly as it stood before.

A waste of effort?

This approach often gives rise to the question "If we're doing all the steps from the existing process anyway, isn't triage just a waste of time?". That depends on whether timing is important.

If every person involved in an accident is going to be seen in the emergency room anyway, why triage? The answer is that the person with a serious bleed needs to be seen immediately or they will die, while the person with whiplash can safely wait a little longer. The ultimate outcome of triage is that everyone is still seen, but the sequence of events matters.

The same applies in digital forensic triage. Our customers tell us that by getting evidence fast they can act fast, and those actions can make a big difference to the course of an investigation.

Timing matters

In one case fast action saved a child who was being actively trafficked. The agency's previous process involved sending equipment to a lab for analysis. Without triage, that child would have been moved on before they could be rescued.

In another case triage showed that not only was the father in a family accessing CSAM, a teenage son was too. This led to an interview with the son that identified him as a victim of contact abuse and enabled immediate safeguarding and support. The agency's previous process would not have uncovered this for days or weeks, leaving a vulnerable teenager unsupported and at risk.

In each case the existing process would have found the same things we pointed to at triage (as well as many things we didn't), but getting that fast initial look at devices had, in the opinion and experience of the officers concerned, a profound impact on outcomes.

Trade-offs in risk

We always start with a "first do no harm" approach at the investigation level, but as customers become more familiar with our capabilities (and limitations) some choose to take a broader view on risk that includes the work they are not doing.

For example, some customers have a significant backlog of cases where they have intelligence sufficient to get a search warrant, but lack the digital forensics capacity to carry out those investigations. They see opportunities to carry out more investigations if they could seize fewer devices on each case. They see that when they seize every electronic device at an address, many of them tie up lab time without yielding anything useful - especially when they belong to partners, children or room-mates. Appreciating this, they look at how they can build risk-based approaches to reducing the number of devices seized, often incorporating Cyacomb as part of that process.

This can free up capacity in the lab to take on more investigations, or allow lab-based expertise to be focussed efficiently on detailed work. It also reduces collateral intrusion (loss of privacy arising from searching devices belonging to people who have committed no crime) and the victimisation of people who have done no more than share a home with an offender. Where a suspect is arrested on suspicion of child related offences, their family members are in a horrific situation already. Depriving them of the devices they use to socialise, connect and work can only make an already horrific situation worse.

Any such trade-off has to be at the discretion of officers. It should never be as simple as "a clear triage result means no further action" for a device or person, as we emphasize in our training. However if an officer has no concerns and thinks family members are low risk after interacting with or interviewing them and triage gives a clear result, is clogging up the lab with these devices "just in case we missed something" a better outcome than leaving that capacity to take on another investigation?

That is not a question we, as a vendor, can ever answer. We can only ever support that conversation with transparency about both the capabilities and limitations of our tools. However, we recognise that in some situations it may be reasonable to trade off the risk from the investigations NOT being carried out due to lack of capacity against the risks of missing something in

Digital triage does no harm

Digital forensics triage, correctly deployed, does no harm. It takes an existing process and creates new opportunities, some of which can save lives. At worst triage identifies nothing, and the investigation falls back to whatever that process was before.

For organisations already suffering under severe constraints and struggling to cope with the corresponding risk, triage can offer alternative trade-offs between time spent on individual cases and the number of cases processed. There is no "one size fits all" approach to quantifying these risks, but Cyacomb works with customers to ensure an appropriately high level of rigor in implementing any such trade-off.

"Cyacomb Examiner Plus is super easy to use and the ability to scan multiple devices at once saves my team time on scene. It definitely helps us to prioritize devices which ultimately saves us time, potentially weeks."

- Southern Californian Agency

If you'd like to explore how Cyacomb can help save you time so you can save lives, please get in touch. 

Email - sales@cyacomb.com 

Call - +1 214-218-0630 (US) | +44 131 608 0195 (UK & EU)

Trial - request a trial.
