In my final case as a Police Digital Forensic Analyst, my search team recovered 43 devices capable of containing child sexual abuse material (CSAM). There was no possibility of examining all of these devices with my suite of digital forensic tools in the time we had on-scene, so everything was seized and brought back to the lab for full forensic examination.

When I eventually got to them (there was the ever-present case backlog to contend with) it took weeks to image, carve and examine everything in detail. At the end of this lengthy process, I had waded through many terabytes of data and finally established that only 2 of the 43 devices (a laptop and an external hard drive) contained CSAM and I was able to progress the investigation.

Just consider, for a moment, the time spent examining 41 devices that were ultimately irrelevant to the investigation.

Gotta get it all!

Investigations involving digital evidence have traditionally focused on collecting every piece of data available. The mindset behind this is understandable: the more data we can gather, the better our chances of finding the evidence we need to support a conviction in court, right?

However, in modern law enforcement, where investigators often need to make time-critical decisions on who is a suspect, what digital devices to seize, or what safeguarding measures to implement, this ‘take it all’ approach is becoming increasingly challenging.

Over Collection – Getting Lost in the Noise

The volume of digital data available today can easily become overwhelming. From computers, smartphones (and their plethora of social media applications) to cloud storage, smartwatches, and IoT devices, data is everywhere we look. Traditionally, the fear of missing that crucial piece of evidence has driven law enforcement policies to instruct investigators to collect everything available to them and sort through it later. The mindset was simple: take it all, analyze it all, then make a decision. But examining multiple terabytes of data is always going to be time-consuming, and many investigations do not have the luxury of time. Yet investigators can find themselves struggling with the sheer volume of data, which can result in missed opportunities, delays in the investigation and even additional harm to vulnerable victims. The ‘take everything’ approach has turned from a solution into a risk of missing vital evidence amidst the noise.

Some Decisions Can’t Wait

In an operational environment, time is paramount. Law Enforcement Officers must make quick decisions that can have significant consequences. For example, deciding to arrest and remove a threat to the public, removing a potential victim from harm, re-arresting an offender on bail/parole, or allowing entry to a country at a border. These decisions need to be made on-scene, often with minimal information. The traditional ethos of exhaustive data collection simply does not align with the exigencies of modern Law Enforcement. A paradigm shift is needed.

Smart decisions in real time

Modern time-sensitive digital investigations need to focus on ‘what is happening at this moment’ and require a fresh approach that is no longer driven by exhaustive data collection and analysis, but by the need to ‘enable smart decisions now’. This is particularly critical when dealing with national security, threats to public safety and vulnerable individuals.

This approach should focus on providing investigators with the tools and processes they need to make informed decisions as quickly as possible. Instead of getting stuck in the sheer volume of data, the emphasis should be on identifying the most relevant information at that time and using it to make smarter investigative decisions.

Enabling the process

The future of digital investigations lies in enabling a process-oriented approach. The process is simple: ‘collect only what you need to make a decision now’. The time-consuming search for every piece of data will still have its place in complex, long-term investigations, but for real-time law enforcement, this is a luxury that can’t always be afforded. We need to stop treating data like riches to stockpile and instead view it as a tool that serves the decision-making process.

Cyacomb Digital Triage

Cyacomb’s origins are based firmly in operational law enforcement and many of us are former law enforcement personnel and digital forensic analysts, so when we design and build tools to help law enforcement, we know what we’re talking about.

We fully understand that modern, smart, decision-oriented digital forensics does not require every byte of data; it requires the ‘right data, right now’. Groundbreaking technologies such as Cyacomb’s Examiner digital triage tool, which uses patented Contraband Filter technology, can find that ‘right’ data in seconds and present it in a meaningful way ‘right now’, while still on-scene, and can truly be the difference between success and failure.

Had Cyacomb Examiner been part of my digital forensic toolbox on the case I discussed at the start of this piece, I have no doubt that instead of the ‘take it all and examine it later’ approach, I could have quickly identified those 2 devices containing vital evidence amongst the noise of the 41 other devices, and the large amount of irrelevant data they contained, while still on-scene. Instead of being forced to wait weeks to have the right information to progress the investigation, not to mention all the associated risks that delays can create, the process of collecting only what I needed at that time would have driven smart investigative decisions right there and then.

If you would like to hear how our users are benefitting from our tools, read some of our Customer Stories today. You can also sign up for a free 21-Day Trial to test the technology for yourself, or contact sales@cyacomb.com with any other questions.

 
