Faced with a preponderance of high-capacity digital media devices, forensic investigators must be able to review them quickly and establish which devices merit further attention. This early stage of an investigation is called triage, and it is a chief part of evidence assessment; see [1, Chap. 2]. In this paper we present a digital forensic device, which we named SEAKER (Storage Evaluator and Knowledge Extraction Reader), that enables forensic investigators to perform triage on many digital devices very quickly. Instead of imaging the drives, which takes hours, SEAKER searches for files whose names conform to pre-established patterns. The search is done by mounting each device in read-only mode (to preserve evidence) and listing its contents, so it takes minutes rather than hours. Also, SEAKER's hardware consists principally of a Raspberry Pi (RP), so it is very inexpensive; this is crucial in this era of budgetary constraints; see . Once SEAKER has identified media devices of interest, those can be confiscated for further investigation in a lab, while devices without hits can be left at the scene. This has two principal benefits: forensic examiners can concentrate on the devices that are promising in terms of evidence for the given investigation, and devices without hits are not confiscated from legitimate users.
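The triage procedure the abstract describes (mount the suspect volume read-only, then match file names against a pre-established pattern list) as an added shell example; this is not SEAKER's own code. The device path, mount point, pattern-file format (one case-insensitive glob per line, with "#" comments) and the constructed sample tree are assumptions made for the example. The extra mount options and the blockdev step are hardening caveats a practitioner would add; the paper does not state them.

```shell
#!/bin/sh
# Added example, not code from the SEAKER paper. Assumed interface:
#   seaker_mount_ro /dev/sdb1 /mnt/suspect     (needs root and a real block device)
#   seaker_scan     /mnt/suspect patterns.txt  (prints matching paths)
# The pattern-file format (one case-insensitive glob per line, '#' comments)
# is an assumption made for this example.

# Mount a suspect volume read-only. "ro" alone does not guarantee the evidence
# is untouched: ext3/ext4 will replay a dirty journal even on a read-only mount
# unless "noload" is given, so it is tried first and dropped only for
# filesystems that reject the option. Setting the block device itself
# read-only with blockdev is a second, independent barrier against writes.
seaker_mount_ro() {
    dev="$1"
    mnt="$2"
    blockdev --setro "$dev" || return 1
    mkdir -p "$mnt" || return 1
    mount -o ro,noexec,nosuid,nodev,noload "$dev" "$mnt" 2>/dev/null \
        || mount -o ro,noexec,nosuid,nodev "$dev" "$mnt"
}

# List regular files under $1 whose names match any glob in pattern file $2.
# -xdev keeps the walk on the suspect volume; -iname makes the match
# case-insensitive, which matters on FAT/NTFS media where IMG_0001.JPG and
# img_0001.jpg are the same name.
seaker_scan() {
    mnt="$1"
    patterns="$2"
    set --
    while IFS= read -r pat || [ -n "$pat" ]; do
        case "$pat" in ''|'#'*) continue ;; esac
        if [ $# -eq 0 ]; then
            set -- -iname "$pat"
        else
            set -- "$@" -o -iname "$pat"
        fi
    done < "$patterns"
    # An empty pattern list is refused rather than silently listing everything.
    [ $# -gt 0 ] || return 1
    find "$mnt" -xdev -type f \( "$@" \) -print
}

# Number of hits: the figure an investigator uses to decide whether to seize
# the device. Zero means the device can stay at the scene.
seaker_hit_count() {
    seaker_scan "$1" "$2" | wc -l | tr -d ' '
}

# Constructed demo tree standing in for a mounted suspect volume, so the scan
# can be exercised without root or a real device. Two files match:
# IMG_0001.JPG via *.jpg and passwords.txt via *password*.
seaker_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/vol/DCIM/100CANON" "$tmp/vol/Documents"
    : > "$tmp/vol/DCIM/100CANON/IMG_0001.JPG"
    : > "$tmp/vol/Documents/passwords.txt"
    : > "$tmp/vol/Documents/report.docx"
    printf '%s\n' '# constructed pattern list' '*.jpg' '*password*' > "$tmp/patterns.txt"
    seaker_hit_count "$tmp/vol" "$tmp/patterns.txt"
    rm -rf "$tmp"
}

seaker_demo
```

Matching on names only is the trade-off that makes the triage fast: a renamed, deleted or carved file is not found this way, which is why devices with hits still go to the lab for full examination rather than being treated as fully analysed.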
Keywords: Triage · Digital evidence assessment · Automation · Raspberry Pi · Storage forensics · Digital evidence and the law · Digital evidence preservation
This work arose from a fruitful collaboration between SoCal HTTF (Southern California High Technology Task Force, Ventura County) and CSUCI (California State University at Channel Islands). We are very grateful for the opportunity to work on such an interesting and eminently applicable problem. We are especially grateful to Senior Investigator Adam Wittkins who facilitated this collaboration. The SEAKER development work was undertaken as a final project for a graduate course in Cybersecurity at CSUCI (COMP524: “Cybersecurity”). The first and third authors were students in this course, and they emerged as leaders of the project, but we are very grateful for the contribution of the rest of the class (in alphabetical order): Geetanjali Agarwal, Nick Avina, Jesus Bamford, Jack Bension, Apurva Gopal Bharaswadkar, Amanda Campbell, Christopher Devlin, Nicholas Dolan-Stern, Manjunath Narendra Hampole, Mei Chun Lo, Christopher Long, Clifton Porter, Deepa Suryawanshi, Mason U’Ren and Zhe Zhang (see http://soltys.cs.csuci.edu/blog/?p=2713).
[1] Hart, S.V.: Forensic Examination of Digital Evidence: A Guide for Law Enforcement. U.S. Department of Justice (2004)
[2] Hitchcock, B., Le-Khac, N., Scanlon, M.: Tiered forensic methodology model for digital field triage by non-digital evidence specialists. Digit. Investig. 16, S75–S85 (2016)
[3] James, J.I.: A survey of digital forensic investigator decision process and measurement of decision based on enhanced preview. Digit. Investig. 10, 148–157 (2013)