Why Automation in Digital Forensics?
As examiners and investigators already know, the exponential growth of casework is daunting. As devices get smaller and storage sizes get bigger, forensic labs are feeling the effects of these growing data hauls. The International Data Corporation (IDC) predicts that the world’s collective digital data will grow to roughly 175 zettabytes (approximately 175 billion terabytes!) by the year 2025. The time and human effort it now takes to examine these devices thoroughly create backlogs and expenses that are almost unavoidable.
Automation in digital forensics casework can help alleviate some of these issues, but unfortunately it is often misunderstood. The intent of automation is not to undermine the need for skilled examiners, but to empower them to focus on the important casework that requires advanced knowledge of digital forensics. Even with automation in place, the need for skilled examiners is not going away! In fact, the U.S. Bureau of Labor Statistics estimates that employment in the digital forensics field will grow by 28% between 2016 and 2026. Automation helps you make better use of the resources already available in your forensic lab, both human and machine. Here’s how:
1. Alleviate Backlogs
The repercussions of significant backlogs mean that labs must prioritize the cases they work, so “lower value” cases are put on the back burner. There is a hidden, suppressed demand to tackle the cases being temporarily pushed to the wayside, but in many labs investigators are effectively being trained not to submit lower priority cases at all, because they would only sit at the back of the queue.
There is much missed opportunity to efficiently process and surface valuable artifacts that will easily and rapidly bring those cases to an effective close. The implementation of automation in these cases can uncover some of those artifacts, allowing examiners to efficiently report on the cases that may otherwise never be investigated due to an overwhelming caseload.
2. Streamline Repetitive Tasks
Regardless of what type of case we are working, it goes without saying that there are processes we run over and over again. Of course, we aren’t suggesting using ONLY automation in your forensic lab. The toolbox approach to processing case data (running several tools over the same evidence) is ideal, but it means examiners constantly repeat the same forensic processes on their case data.
For ICAC examiners, this could mean the repetitive task of moving data out of one tool via a VICS JSON export and into another for deeper analysis and review. For examiners dealing with major crimes or counterterrorism, much time might be spent managing the sheer volume of data they come across and exporting key items, such as chats or web history, to different stakeholder groups. In the corporate environment, examiners may spend a lot of time running many of the same scripts in every case and processing evidence consistently with the same software, such as Volatility.
Utilizing automation allows forensic labs to streamline these processes, letting examiners off the hook for menial tasks like “clicking next” time and again. Multiple automation workflows can be implemented, each one customized to suit the needs of the lab and the types of cases that are consistently worked. This allows examiners to spend their time where it’s best spent: gaining access to the suspect devices, analyzing the data, and reporting on their findings. It also creates a repeatable workflow that helps ensure all cases are processed according to the Standard Operating Procedures (SOP) implemented in your lab. Adhering to your SOP can be incredibly important if you have, or are seeking, formal accreditation such as ISO 17025.
3. Utilize Machines During Normal Downtime
In forensic labs, we rely on our hardware to work as hard as it can for the fastest processing time possible. If possible, we upgrade our storage drives, RAM, and CPU in hopes that the processing time for our case data decreases dramatically and we can get to our examination as soon as possible. Many times though, examiners are unable to fully utilize this processing power due to downtime between processes.
Unfortunately, examiners cannot (and should not!) work 24/7 to make sure these processes are started on weekends or in the middle of the night. Automation, however, can make sure that your hardware is put to use around the clock: when one process finishes, the next one in the queue is executed immediately, regardless of the time of day.
With automation, you can also take advantage of parallel processing, allowing multiple processing nodes to work simultaneously and run several forensic tools and scripts at the same time! Then, on Monday morning, your skilled examiners can get right to work on data that has already been processed. In our experience and testing, we found that using automation on a case containing approximately 1.7TB of data reduced downtime by 94%, allowing examiners to start reviewing the evidence 2 days sooner.
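To make the downtime argument concrete, here is an added, constructed Python simulation (not code from the original post or from Magnet) that runs the same processing stages two ways: launched by hand only while an examiner is on shift, versus queued automatically and spread over parallel nodes. The stage names, durations, and shift hours are assumptions.

```python
from dataclasses import dataclass
# Examiner is on site 08:00-17:00; a manual run can only be started then (assumed).
SHIFT_START, SHIFT_END = 8.0, 17.0

@dataclass
class Stage:
    name: str
    hours: float          # processing time on one node
    needs: tuple = ()     # stages whose output this one consumes

# Constructed pipeline for one evidence image; durations are assumptions.
PIPELINE = [
    Stage("acquire", 6.0),
    Stage("verify_hash", 2.0, ("acquire",)),
    Stage("carve", 10.0, ("verify_hash",)),
    Stage("parse_artifacts", 8.0, ("verify_hash",)),
    Stage("export_report", 1.0, ("carve", "parse_artifacts")),
]

def next_shift_start(t):
    """Earliest time >= t (hours since midnight on day 0) an examiner can click 'start'."""
    day, hour = divmod(t, 24.0)
    if hour < SHIFT_START:
        return day * 24.0 + SHIFT_START
    if hour >= SHIFT_END:
        return (day + 1) * 24.0 + SHIFT_START
    return t

def schedule(stages, nodes, automated):
    """Return (finish_time, wait_hours): wait_hours sums, over all stages, the gap
    between 'inputs ready' and 'stage actually started' (the downtime)."""
    done, node_free, wait, pending = {}, [0.0] * nodes, 0.0, list(stages)
    while pending:
        # stages whose inputs all exist; dependency order falls out of this loop
        ready = [s for s in pending if all(n in done for n in s.needs)]
        for s in ready:
            inputs_ready = max((done[n] for n in s.needs), default=0.0)
            node = min(range(nodes), key=lambda i: node_free[i])
            start = max(inputs_ready, node_free[node])
            if not automated:          # manual: wait for the next on-shift moment
                start = next_shift_start(start)
            wait += start - inputs_ready
            done[s.name] = start + s.hours
            node_free[node] = done[s.name]
            pending.remove(s)
    return max(done.values()), wait

if __name__ == "__main__":
    print("manual, 1 node:    ", schedule(PIPELINE, 1, automated=False))
    print("automated, 2 nodes:", schedule(PIPELINE, 2, automated=True))
```

With these assumed numbers the manual run finishes after 41 hours with 24 hours of waiting, while the automated two-node run finishes after 19 hours with none.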
4. Focus on the ACTUAL Forensics!
Once automation has been used to run your routine processes, examiners are able to dive right into the analysis of the processed data. What becomes very clear when using automation in a forensic lab is that the need for skilled examiners will never go away; they are arguably more vital now than ever. The processed data still needs an expert’s eyes on it because, at the end of the day, data is just data until forensic analysis is performed to tell the digital story. Automation allows examiners to dedicate more time to analysis and reporting, ultimately enabling them to build a stronger case. Examiners are needed not only to analyze the processed data but also to identify any errors that may have occurred during processing. Encryption, unsupported file systems, or even just bad sectors can cause issues with processing, and examiners need the skills to recognize when a deeper look at the processed data is required.
The key takeaway is that it is not the forensic examination, analysis, testing, and validating that should be seen as being automated in a forensic lab. It is the menial tasks, the tedious button clicks, and the status bar watching that we want to take off the skilled examiner’s plate so they can then do the deep dive. Ultimately, improving speed and efficiency will help alleviate the backlogs, reduce reliance on outsourcing casework, and make the evidence more quickly available and accessible, without sacrificing the quality of your investigations and forensic analysis in your lab.
Want to learn how Magnet AUTOMATE can help you complete investigations faster by automating repetitive tasks so examiners can focus on the complex problems? Visit the Magnet AUTOMATE page and fill out the form to contact us.