Jul 17 2013


The use of automation in digital forensic investigations is not only a technological issue, but also has political and social implications. This work discusses some challenges with the implementation and acceptance of automation in digital forensic investigation, and possible implications for current digital forensic investigators. Current attitudes towards the use of automation in digital forensic investigations are examined, as well as the issue of digital investigators’ knowledge acquisition and retention. The argument is made for a well-planned, careful use of automation going forward that allows for a more efficient and effective use of automation in digital forensic investigations while at the same time attempting to improve the overall quality of expert investigators. Targeting and carefully controlling automated solutions for beginning investigators may improve the speed and quality of investigations while at the same time letting expert digital investigators spend more time applying the expert-level knowledge required in the manual phases of investigations. By considering how automated solutions are being implemented in digital investigations, investigation unit managers can increase the efficiency of their unit while at the same time maximizing their return on investment for expert-level digital investigator training.

Full text:

James, J. I., P. Gladyshev. (2013) “Challenges with Automation in Digital Forensic Investigations”. p. 17. Computers and Society. Retrieved from http://arxiv.org/abs/1303.4498 [PDF]

Apr 08 2013

In many police investigations today, computer systems are somehow involved. The number and capacity of computer systems needing to be seized and examined is increasing, and in some cases it may be necessary to quickly find a single computer system within a large number of computers in a network. To investigate potential evidence from a large quantity of seized computer systems, or from a computer network with multiple clients, triage analysis may be used.

The current challenges to conducting on-scene investigations are that each system must be booted and examined in turn, many investigation processes are not automated, multiple boot media may be needed, and there is no centralized point where results can be stored. All of these challenges can make the on-scene investigation process very time consuming if the network consists of hundreds of computers divided over several floors. Prior works had a number of foundational benefits, but still had a number of limitations that did not fit our needs. The approach taken in this work was to redesign an open source, forensically sound PXE environment that meets the following conditions:

  • Clients are able to boot a “forensic” file-system using DHCP, PXE and TFTP
  • Client–server based model: the client and server can communicate with each other
  • Network storage between clients and server, to serve files and store search results
  • Keyword searching in ASCII and UNICODE
  • File hashing and comparing with a centralized hash database
  • Clients are accessible through the server via SSH
  • Client’s local hard disk drives are accessible as a local disk on the server through ATA Over Ethernet (AoE)

This approach is adopted, not to conduct a full digital forensic investigation on-scene, but to conduct digital forensic triage. Triage is a medical term defined as:

A process for sorting injured people into groups based on their need for or likely benefit from immediate medical treatment. Triage is used in hospital emergency rooms, on battlefields, and at disaster sites when limited medical resources must be allocated (Triage, n.d.).

To derive the definition of digital forensic triage, we apply the medical definition specifically to computer forensics, resulting in:

A process of sorting computer systems into groups, based on the amount of relevant information or evidence found on these computer systems (Koopmans, 2010).

Based on this definition, the goal of the solution is not explicitly for exhibit exclusion purposes, but to sort analyzed systems by likely relevance.

The result is a client-server based solution for automation of basic digital forensic investigation processes on many clients over a network (Figure 1).

Figure 1: Automated Network Triage

A Triage server is placed on a network (preferably a network physically separate from the suspect’s network), and clients (suspect computers) are booted into a live environment via PXE or boot disk. They connect to the Triage server, load data and analysis scripts, and begin to conduct analysis on the suspect machine’s connected hard drives automatically. All results are reported back to the Triage server, and any suspicious hits can be investigated remotely using a variety of standard digital forensic investigation tools.
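The client-side analysis pass described above, as an added illustration that is not code from the Automated Network Triage environment or the Koopmans/James paper: each client hashes the files on its mounted suspect volume, compares them against the centralized hash set, searches for keywords in both ASCII and UTF-16LE, and returns per-file records plus a relevance score so the server can sort systems as the triage definition requires. It assumes the volume is already mounted, that a hash-set match is weighted as ten keyword hits, and uses constructed sample files, keywords and hashes.

```python
import hashlib
import os
import tempfile

# Keywords are searched in both ASCII and little-endian UTF-16 (the
# encoding Windows commonly uses), as the listed conditions require.
def keyword_hits(data, keywords):
    hits = {}
    for kw in keywords:
        n = data.count(kw.encode("ascii")) + data.count(kw.encode("utf-16-le"))
        if n:
            hits[kw] = n
    return hits

# One result record per file, as a client would report back to the server.
def triage_file(path, hashset, keywords):
    with open(path, "rb") as f:
        data = f.read()  # fine for small constructed files; stream in practice
    digest = hashlib.sha256(data).hexdigest()
    return {"sha256": digest, "known": digest in hashset,
            "keywords": keyword_hits(data, keywords)}

# Walk a mounted suspect volume; results keyed by path relative to its root.
def run_triage(root, hashset, keywords):
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = triage_file(full, hashset, keywords)
    return results

# Score used to sort systems by relevance (the triage definition above):
# a hash-set match is assumed to weigh as much as ten keyword hits.
def triage_score(results):
    return sum(10 * r["known"] + sum(r["keywords"].values()) for r in results.values())

# Constructed sample volume: three files, one of which is in the hash set.
def demo():
    root = tempfile.mkdtemp()
    samples = {
        "notes.txt": b"meeting about project falcon at noon\n",
        "doc.bin": "project falcon".encode("utf-16-le") + b"\x00" * 8,
        "tool.exe": b"MZ constructed sample of a file in the hash set",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    hashset = {hashlib.sha256(samples["tool.exe"]).hexdigest()}
    results = run_triage(root, hashset, ["falcon"])
    return results, triage_score(results)
```

Calling `demo()` yields one record per sample file and the score 12 (one hash-set match plus one ASCII and one UTF-16LE keyword hit); a server collecting such scores from many clients can rank the machines for follow-up over SSH or AoE.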

Works cited:

  1. Triage. In: Dorland’s medical dictionary for health consumers; n.d.
  2. Koopmans M. The art of triage with (g)PXE. Dublin: University College Dublin; 2010. p. 51

For more information, please see:

Koopmans, M. B., & James, J. I. (2013). Automated network triage. Digital Investigation, 1–9. doi:10.1016/j.diin.2013.03.002