Making The Case For Triage: Transforming Your Digital Forensics For Smarter Investigations
Forensic Focus, archived Apr 07, 2026
Richard Frawley, Director of Training at ADF Solutions, makes the case for triage in digital forensic investigations.
The following transcript was generated by AI and may contain inaccuracies.
Richard Frawley: All right everybody. Good day and thank you for joining. Thank you to Carahsoft and Jack for having us here and hosting this webinar. Happy to be here as I know everybody’s got choices and you made the choice to be here and listen to me for the next 50 minutes or so. I do appreciate that.
Let’s get into what we’re going to be talking about today. Today is all about making the triage decision, transforming your digital forensics for smarter investigations. We’re going to cover a lot of ground in a short amount of time — less than an hour.
After a brief introduction, we’re going to cover a few things. Why triage matters. How can it be utilised as a process? Where is it best utilised? We’ll cover triage types, how they help streamline your triage process, and along with that, determining your overall goals. How are you going to execute your plan? What are you looking for? What are your overall goals? What decisions need to be made?
Then finally, at the end, we’ll talk about the uniqueness of your case, how to put that to work for you, and then we’ll end with a question and answer session. Jack had mentioned there’s a Q&A box there. Please put your questions in there. I am monitoring that. If something really comes up that I need to answer at the time, I may take care of it then, but for the most part, we’re going to take care of those at the end.
There have been times where I have talked a little bit too much and we’ve run out of time, but I will personally answer any question that comes in if for some reason we don’t get to it.
Now a little bit about me. I’m Rich Frawley. I’m the Director of Training here at ADF Solutions. I’ve been here for 10 years now, going into my 11th year with ADF Solutions. Prior to that, I was with the Milford Police Department up in Connecticut for 23 years, 17 of those years as a forensic examiner and investigator.
If you do the maths, it brings you back to the turn of the century, if you will, when I started my forensic career within law enforcement. The late 1900s, early 2000s — that puts me in the dinosaur era as far as digital forensics goes and those who are still here in the discipline.
I had a very great career. It was hard to leave, but for all of you in law enforcement who are maybe working your way through or up there close, you start to know when it’s time. And there are a lot of other factors that get you to leave this job rather than, “Hey, I really like it and could do this for the rest of my life.”
I worked a whole bunch of cases. Let’s say 60–70% of it was ICAC related, especially back at the beginning. That’s just never gone away, that’s never stopped. But I worked all different cases — homicides, embezzlements, threatenings, harassments. A couple of my favourites were an identity theft and jury tampering case, which was really awesome. I had some government corruption fraud, and what really put that whole case together was a copy machine with some drives in it running a Linux operating system. I was able to get a lot of information out of that copy machine that was in a city hall. Not where I was — I’m not giving away who it was — but it was a great case.
I did a lot of work for a lot of different places, as you can imagine, when this was all evolving and starting up. I was one of only two labs here in Connecticut doing a lot of work, so I did a lot of work for other agencies and towns in the area.
So that’s me. Maybe a little bit too much about me, but we’re going to get through this and start working through poll number one.
There are going to be four polls. If you want that CPE credit, we’re going to need you to answer these. Do you currently utilise a triage solution, yes or no? Simple answer. We’ll go through the different types of triage. What I’m looking for is whether you do it or you don’t, really, at this point.
Triage could be as simple as you go in, you take a look at something and say, “Yeah, there’s something on here, we’re gonna take it.” Or, “Hey Grandma, let me see your pink iPad. Yeah, there’s nothing on here, Grandma. You can keep it.” That could be considered a triage. Or you’re in the lab and you’re pulling things out of the box — this was from the suspect’s room and all this was from other parts of the house. Let me go through these first. That’s similar to a triage as well.
So it looks like here, not bad: 86% yes to 14% no. That’s great. If I had done this poll 20 years ago, 2006 or previous, that would’ve been drastically different. That’s how far we’ve come with how much data there’s been and where we’ve gone as far as forward thinking.
Why Triage Matters
Richard Frawley: You’ll learn a little bit about how I was doing this way back when and where I started, but why does triage matter? A couple of things I had just said. You’ve got a box full of stuff and it’s just bagged and tagged, and now it’s up to you to decide what’s relevant and what’s not relevant.
On-scene triage of devices cuts down that backlog, even if it’s at a very minimum, to go through and reduce the number of devices that are coming back to the lab confidently. That’s what this whole thing is about — you want to make sure when you’re out there, it’s done confidently, reducing what’s going back.
Making sure you’re determining which ones are the right devices or the most important devices. This was the suspect’s phone. This is the victim’s phone. This is a hard drive that was found under the mattress. This is a thumb drive that was found under the pillow. This is a NAS that was up in the closet. And they contain A, B, and C — yes, those are the things that are going to go first, right in line.
Unless I’m going to do a couple more steps as I get farther out into the house, maybe we go a little deeper into what we’re looking for. But determining those devices that are important, that are relevant. Determining what’s in the room or what is the main device being used, whether it’s a phone or a computer. Is that the one that they’re using? There’s going to be a lot of information on that, and using that towards an interview.
Grabbing specific pieces of information off that device and putting them at that person on scene solves a lot of issues. We’re going to talk about that in a couple more slides.
In the lab, working through that backlog — say you go into your closet and you grab your next case and it’s full of drives and phones and laptops. Depending on who did the search warrant, whether it came from another town, whether it’s yours, whether somebody else did it and brought it back, and you as the lab had nothing to do with it. You get a box full of drives and you have no idea what they came out of.
Determining was it a storage device, a second drive, how many were in one computer? Did they belong together? All that type of information. Triage helps with that, determining the correct lane for that device. Which way is this going to go? Which one goes first? Which one goes second? Which one goes third? Which one am I looking at?
Maybe you didn’t do a triage on scene, you’re doing it in the lab, and you’re getting barked at to release some of these devices. I used to hate having to do those because it was a lot of red tape. You were moving things around, you were looking at stuff that wasn’t relevant, and then it would sit there for another two weeks while all the paperwork had to go through court.
What it all comes down to is: why is triage important? Because you’re going to make decisions. It all boils down to why are we doing this? Why are we using this tool? Why are we looking at this data? Because I need to make a decision. Why is that decision important?
Are you looking to get this person off the street today? Do you have enough in your investigation before you hit the house to say this person doesn’t need to be out there anymore, or you’re worried about them being hands-on? Getting to the device and getting an interview and having information to use right away is important.
Again, 60–70% of my cases were child exploitation and it was really the driving force, and still is, behind triage when you’re in the law enforcement perspective and looking at on-scene type cases. Breaches in corporate — there’s a different mindset there where it’s important and it needs to be done. But child exploitation is the main driving factor for just so many devices, so much to do, such a heinous crime. Getting to the information, knowing what’s what, and making decisions quickly. Getting people off the street, not getting it stuck in backlog, making decisions upfront, knock and talks — that’s really where I started with my triage way back.
I talked about this in other webinars, but it really was one of the first cases where I saw the value and it meant something. It was a knock and talk involved with Operation Avalanche, which started in 1999 and was still going on. I think it was 2001 when I worked with another agency on these tips that came out of Operation Avalanche.
There wasn’t enough probable cause based on what they had. They took down a server, and the gateway into the material on that server was both — you paid for the gateway, but it got you into adult material and it got you into child exploitation material, but you couldn’t decipher what was what at the time they did this.
So we would be doing knock and talks. I had two great investigators that would go in, start talking about why they were there, what was going on. They wanted to clear them. While they were doing the interview, I was hooking up and doing a triage of the machine, looking for what was on there. Nothing was on there — all adult. Thank you very much for your time. We’re on our way.
But there were the ones you walk into and right away it’s coming up. Okay, we’ve got something here. Now we’ve got contraband. With some of them, it was really easy. They were downloading it, they were deleting it, and expecting that if we came — and that’s why we got the okay to look at the computer. A quote from the suspect, as I’m showing one of the other investigators what I found, he was sitting there smoking a cigarette and he happened to look over the screen and he turned to the other investigator and says, “How many times do I have to delete something before it’s gone?”
He was confident when he let us in the house that he deleted it and nobody was going to find it. Just one of the great stories, but this was Operation Avalanche. We went in, we looked, we had a lot of success with those types of knock and talks, not only with Operation Avalanche but other ones that came up along the way.
They always come up where you have something that doesn’t rise to probable cause but you want to clear it. CyberTips are a good example. Some of those that come through. Consensual situations where you’re going out and you have reluctant victims or witnesses, or you have somebody — you really want to look at something similar to a knock and talk. Getting in quick and looking for specific information helps you out. That’s why it matters.
The CyberTips again — they contain very unique information. And it’s very easy, with a good combination of child exploitation keywords and the small amount of hashes. You don’t need to run the whole Project VIC set in a triage. You don’t want to — it’s going to take too much time. But a very targeted triage based on a CyberTip does wonders, and we’ll talk about that.
We need to remember, it’s a starting point. Triage gives you a place to move forward from. You’re not ending the case. You’re not looking to end the case. And that really needs to be the mindset. Some people are just like, “Show me three pictures and I’m out of here. I’ll do the rest of the investigation later.” And then you move up — “I want a little bit more. This person’s dangerous. I want to get them off the street.” But remember, it’s a starting point. You’re not ending it there. You’re not collecting everything. You have the ability to move forward, and whatever you’re triaging is still going to go for that full forensic exam.
This isn’t a case of “I did a triage, I can’t do anything else.” You need to remember that you’re looking to get your case jump-started and keep it going.
Triage as a Force Multiplier
Richard Frawley: Any factor, process, or strategy that dramatically increases the effectiveness, output, or productivity of an individual or group such that the resulting effect is significantly greater than the proportional input of effort or resources.
Because I’m doing this little thing here, I have changed what would’ve happened had I not. Lab backlog is one of the biggest factors. Is the juice worth the squeeze? Is it worth it for me to go out on scene and do a quick triage? Is this something that works when it’s done the right way? Yes.
Lab backlog is a nightmare. Some of you may be labs, some of you may be investigators, some of you may be both. I was both. I did a lot on scene, I did a lot in the lab. I had a lot of cases that were mine beginning to end. But lab backlog is a nightmare. Stress, time, stale cases, lost cases because things were sitting in boxes.
Some of you may not even experience backlog anymore because it’s gotten so good or because your systems are so well done. But not knowing what device out of that box was the most important, if it was just brought back to you and handed to you — while backlog is one kind of job security, it doesn’t boost efficiency.
Wasted time on devices that could have been eliminated prior to getting to you, in a short amount of time with confidence, earlier in the process — just gone. Allowing you as the examiner, the one who’s doing that full-blown forensic exam on that machine, lets you really dig your teeth into it. And not digging in and saying, “Wow, I just spent a lot of time. There’s nothing here.” And moving it on.
While that’s important — not taking that away from it — your skills and training and energy are best spent doing that big work. Getting into the computer, the drive, the phone that has all that information on it. And again, that administrative strain — what’s in the box, what goes next? Who’s coming in and telling you this case is more important than that case now? So move it back. Every time a decision is made like that, everybody gets pushed back. Somebody that was looking at two months to get something back is now looking at three months or four months.
Lab backlog is just time, money, staffing, stress. Out in the field, the time you’re spending on the bagging and tagging is reduced, maybe not by a lot, but the things you didn’t bag and tag, you left behind — Grandma’s pink iPad, the kids’ phones. That just makes up all that time that was spent in the lab. Multiple force multiplier — I did this on scene and now everything’s been able to focus on the devices that matter. Get this case done, get it into court, get this person off the streets if we didn’t already do that.
And you’re not only collecting information to make that decision now, but depending on your lab setup or how your agency or department works, you could be collecting information to keep your investigation going.
A good example — I worked with another agency on a search warrant. They were allowed to do their triage. They were allowed to grab as much information as they could on scene, short of making images and trying to do a full exam — doing the triage, grabbing the information they need, and then bagging and tagging what needed to go back.
Because once that hit the lab, it’s in a queue. And until it’s up next, until it’s being looked at, that investigator gets no more information. So it allows you to continue your investigation from this point forward. You’re not waiting, your case is not sitting there getting stale at the desk and not being worked on.
You have the information to keep going. Triage — you’re looking at preservation orders, you’re looking at whether they’re trading with anybody. I’m doing further search warrants for contents from online sources. I’m making decisions, possibly making arrests already with the information I have. So this person is now in the system while that’s still being worked on. The efficiency gains there are awesome.
I like this method and I’ve talked to a couple of people who have implemented this. It was forward thinking and I like mentioning this — when I get into this with the scalability and the cost. You as examiners have gone through a lot. A lot of training, a lot of time, a lot of self-training, reading blogs, going to webinars — all on your own time or while you’re working. But you are finding ways to make yourself better, making yourself smarter. You’ve gone through a lot of training. The departments have put you through a lot of training.
So your time is best spent solving that case, going through all that data, making those decisions, and leading. You’re top tier. Create a second level below you — maybe they’re not at your level yet, but they’re a forensic investigator, an examiner investigator. They have the forensic knowledge, they have the ability to use the tools, they have the ability to go out and lead the on-scene triage, make sure everything’s done right.
And then you have your third operator level that can, once everything’s set and you know what you’re looking for, plug in the keys and start those triages and make sure they’re running right, bagging and tagging and doing that. So you have three levels that can really streamline this whole triage process. It’s almost like you’ve built a feeder system for the lab. The information that’s coming in, the data and the devices that are coming in — it’s a win-win situation.
Types of Triage
Richard Frawley: Triage, when you break it down, means to break into three. In the medical field, it’s typically those who, if they were helped right now, will survive. Those who are in need of help but can wait. And then those who, no matter what’s done, they can’t be helped. Those are your three — red, green, black, or whatever you want to say.
We kind of mimic this. There’s relevant data on that device — yes, we’re going to take it. Yes, there’s hints of evidentiary data. Not the suspect’s, but maybe it was sitting in the corner and hadn’t been used in years. It’s got dust on it, but it’s still going to go. But I know now what lane I’m going to put that in. And then no, this is a negative scan. Grandma can have her iPad back, the kids can have their phones back, their school computers back. Mum could have her work computer back. We’ve cleared all that. Doesn’t need to go in.
I used to leave with boxes of stuff way back when. I can’t imagine some of the houses now with a full family, remote work, and school. The amount of devices has to be crazy.
I break it down now into the three types of triage that you typically do on scene.
Show Me
The first is “show me.” Just show me. Show me a picture. Show me two pictures. What’s my threshold? Law says I can’t charge until there’s three images of contraband, and that I’ve validated where they came from. Okay, I need to see one, I need to see two, and I’m taking that computer. I don’t care if that’s it.
Or I don’t have any pictures, but it’s loaded with search terms and child exploitation this and that and the other thing. Or I found a chat that’s not right, and it feeds into why we’re there. I’m going to take that. Just show me something and I’m going to bag and tag it.
I’m looking to get in, get out, and get to the diner for breakfast. I came in early. I’m not spending a lot of time in this house. I had to wipe my feet on the way out, it was so disgusting.
It’s a great start and it really helps with the lab, but a lot sneaks through as well. Sometimes it’s just “show me the suspect’s device. Show me he has it. Show me three things. Maybe I can make a decision here.” But we’re taking everything else as well. Doesn’t really help. It’s how you work it.
Early Case Assessment
The other is what I call early case assessment — doing that “show me” but adding some more information into it, some more artefacts, really grabbing the relevant information for what you’re doing. Trying to link the artefacts to the files.
Here’s this file that I have. Can I show that it was downloaded through a web browser? Can I show there are recent files showing that it was opened, manipulated? Can I show the path that it’s sitting in — user created? “Big Boy Bob’s Bad Stuff.” The virus didn’t create that folder and put that picture in there.
You collect a few more artefacts, a few more files. You’re really trying to put together your investigation with this triage. You’re not doing everything again. You want it to be quick, but you want to be able to continue your investigation. Maybe you’re going to grab your credentials from browsers.
On a live scan you’re going out, the computer’s up and running. It’s a Windows live scan. I can get the credentials off the browsers. That itself is gold because as soon as I’m back at my desk, I’m working on preservation orders for any accounts that may be cancelled or deleted if I don’t take that person off scene right then. Looking for that type of information, making it quick — that’s early case assessment.
Critical Incident
The third type is critical incident — similar to “show me” because you are looking for something specific, but usually in a critical incident you’re looking for something specific relative to a short time span. I’m looking for something that happened today, in the last two hours. I’m looking for something that happened in the last couple of days.
Think critical incident — the Boston bombing, the assassination attempt. People all within a closed area, all with their phones, all videoing. Think of how much evidence is there. You don’t have time to take every single phone and make acquisitions of it, but you may have the time to hook that phone up and look at pictures and videos from that day. Just grab those and some information on that device.
Critical incident in a missing person case — before that computer or phone gets trampled, doing a preview on it or doing a scan on it and grabbing the information that may help investigators figure out where that missing person went. Specific to time and location — you can use GPS data, dates and time properties, the DCIM folder with the most recent at the top, browsing history, that type of thing, where it’s focused on date and time. Quick, gives you the information you need.
There’s an example. There were 32 phones. They were looking specifically for video that happened within the confines of a certain area within a couple of hours. 32 phones were previewed. Eight phones had the data they were looking for. Those eight phones went on for further investigation and the other ones went back on their merry way with the owners. Critical incident, short amount of time, got the information you need.
Planning Your Triage
Richard Frawley: Knowing all that, going in — what am I going to do? What am I expecting? How am I going to do this? I like to look at this a little backwards. We all need a starting point. We have our reports. We’re going to go through them. We know our cases better than anybody else.
But I want to make decisions. That’s my angle. I’m going out, I’m doing a triage for decisions. What are my decisions? What do I want to accomplish by running this triage? What’s my end goal? What do I need to get to make that decision on scene?
I have a child exploitation case. Here’s my subject. He’s the only one that lives in the house. If I get out there, I just want to show that the pictures are on the device and take it. I just want to prove that these pictures are there, so I’m going to run hashes and keywords and look for them. Boom — threshold, we’re out.
Knowing that going in makes the rest of the process a little bit easier. What decision do I want to make? What’s my end goal and what do I need to get there? Then you can go back and start looking at how many residents are in the house, how many computers versus mobiles, are there going to be school devices and work devices that are really going to muddy this up.
Maybe you have to do a little bit more. While I’m increasing my time on scene, I’m reducing the time in the lab and saving money later on. Or I’m making decisions here where the arrest is going to happen maybe today instead of three months from now or longer.
Am I going to do this with a “show me” or an early case assessment? A “show me” for elimination, or an early case assessment and an interview?
A lot of times we look at digital evidence as the smoking gun, and it’s nice sometimes to look at it like that. But you know your cases better than anybody else. You know what you’re looking for, you know what you’re putting together. If you start looking at it as “I just need this to confirm A, B, and C, and we’ll do the rest later,” it kind of helps.
Using Triage for Interviews
Richard Frawley: The early case assessment and then that interview — the interview is a force multiplier as well. If you can get it done on scene with some of this information.
I have this computer. I have some images on there. Maybe I have multiple users, but with a good triage I can put it to this user. I can look at their history. See what they were doing around the time. Quick timeline — when were these downloaded? What were they doing around that time?
The interview and what you as police officers are really awesome at is that part of it as well. You’re out here, you’ve got the smarts, but knowing what you’re looking for and being able to talk to somebody about that — “Hey, we’re here because of a CyberTip. You uploaded a picture.”
“That wasn’t me.” Yeah, well, who are we laying this on in the house then? Who is your roommate, your son, your daughter, your wife, your husband? Who’s doing this? Who are you putting this on? “Well, it wasn’t me.” Oh, okay. “Other people use my account.” All right, well, I can see when you downloaded this, that somebody was on there paying your Verizon bill. Who pays your Verizon bill?
You’re solving these questions. That’s what you’re really good at — knowing the information and asking the questions. A lot of these people aren’t going to put it on anybody else in the house, especially when you start putting it that way. They’re like, “Yeah, all right. Let’s just get out of the house. My kids have had enough, my spouse doesn’t need to see this. Yes, it was me. Let’s move on.”
Now you’ve got the data. You’ve got something from him or her and you’re making your decision. Maybe it’s an arrest right there. They’re going, they’re out of the house. And the interviews are also good for making sure, depending on what you’re looking at, the hands-on part of it. We always want to make sure before we leave that house that nobody is in danger. A very important decision that should always be part of these cases is that when I leave that house, nobody is in danger because of that person.
Choosing Your Triage Type
Richard Frawley: Choosing that type of triage — choosing the “show me,” choosing the critical incident, choosing the early case assessment.
“Show me” — your on-scene time is a factor. You don’t have a lot of time. You need to get this done for whatever reason. There are a million reasons why you don’t have time, a whole day to go out, or four hours to spend at this house on the search warrant. You want to get in, get out, get on with your life, get on with the other cases you have.
Number of support personnel — know that firsthand. You have a bunch of people that you can usually take to your search warrants. But for whatever reason, it’s the middle of summer, a lot of other things are going on, not a lot of people to choose from to do the search warrant tomorrow. Other big cases are going on. You’re limited as to who’s going to support you out on scene and you have a low threshold.
That’s okay — you don’t have a lot of backlog. Perfect time to use that “show me.” But “show mes” also have to be done the right way. You showed me a picture. Can I validate where it came from? Is it user accessible? Is it something that was grabbed out of unallocated space, or off the computer that was in the bottom of the closet with dust on it and it was in unallocated space and I can’t tie it to anybody?
Enough to take it — yeah, absolutely, it’s contraband. But not to make any other decisions and not necessarily make your case feel any better. Things you have to think of when you’re doing just a “show me” — your decisions are kind of limited by what you’re finding. You’re not usually walking out of there with a person. Safety’s not a factor for this person, or the people in the house, I should say.
Critical incident — rapid turnaround time. A plethora of devices. A lot of people in a small area that need a quick turnaround time. You need to identify it, collect it, return it. A lot of stress there, but that’s what you’re looking for. That’s your decision. That’s why you’re choosing that. Rapid turnaround time, a lot of devices — identify, collect. You know exactly what you’re looking for and you can go in and get it in a short amount of time.
Early case assessment — I want a solid decision-making process. I want my investigation to continue from this point forward. I want to be able to go back to my desk and start putting things together — search warrants, arrest warrants, whatever I can with the information that I have, knowing that the computer’s going to go for that full physical or full examination. I have nothing to worry about, but I have data to get me going.
Preservation orders, referrals — from those user accounts you’re finding on there, their social media accounts, their picture storage, bank accounts, cryptocurrency, whatever they’re using and dealing with. And you have reports that same day. You’ve done a triage, you could put reports together, especially if you made an arrest. They can go into court the next day. You have the information to go along with them.
Challenges and Considerations
Richard Frawley: What challenges do you face with triage today? Too many devices to process — absolutely, that’s one. Limited time on scene. I don’t have time, there’s too much going on, I don’t have enough — we need to get in and get out and move on. Lack of a standardised workflow — what am I going to do this time? I don’t have a proper procedure for this. We wing it, which isn’t a negative in any way. Difficulty identifying relevant data quickly — what are you using? How are you doing it? Or you’re not, that’s why you’re not doing it. Or you’re using one method that doesn’t cover the three types of triage that you’re looking at. Maybe the tool you’re using is one dimensional. And then staffing constraints really put a lot on that.
Too many devices to process — 80%. That’s been like that for a long time. When I started with this, we were looking at drives that were megabytes in size. Now we’re looking at terabytes in size for one drive. And then you add those up — the amount of information is crazy.
But the method I choose — what does it do? Just things you’ve got to keep in mind. If you want to implement this, there are questions that need to be answered. What’s the impact to the device? Is the tool I’m using connecting to the device like a phone just like any other tool would? Am I going through the same process? There’s nothing different. I’m not changing anything on there. I’m doing a quick preview of something.
Computers — live scans on scene. Computer’s up, it’s running Windows. I can do a live scan of it. We all know the process. I’m going to plug in a USB and Windows is going to say, “Hey, something was plugged in,” and it’s going to log it. Then you execute the program and Windows says, “Hey, you started a program,” and it’s going to log it. Then what happens?
What does your tool do? What’s the impact? Does your tool take control and now it’s read only? Absolutely nothing gets changed, everything’s maintained. Metadata, access times — what happens if I view something? What’s the impact to the device? What does it collect? What does it not collect? Very important, especially when you’re working with a triage.
You’re typically not looking, unless you’re in the lab, at a full file system on scene for triage. If you’re doing that on scene, it’s a little bit more. I don’t know if I’d call it triage at that point. You’re going to triage the full file system, but it’s going to take a long time to get there. Not saying it can’t be done, but what can I collect? What am I missing by doing this? Just because something’s not there doesn’t mean it necessarily isn’t there. Decisions I need to know, things I need to know before I look at this.
Say you’re doing an advanced logical acquisition — they were using Signal to download all their child exploitation material or whatever, making the chat. So that’s not going to be in my logical, but maybe I find something else that helps. But knowing that, okay, that doesn’t mean this device is clear, because Discord’s on there, I can see it.
You need to know what does it collect, what does it not collect, and can I validate it when I’m done? Is my tool letting me know where this came from, how it got there, where it got the information from? What database and what tables did it come out of? How can I validate this information without a whole lot of work?
Focus on the Uniqueness of the Case
Richard Frawley: Coming up to the end here. Focus on the uniqueness of the case. That’s where triage is. I said at the beginning, you’re not looking for everything. You’re looking at case specifics, uniqueness. You want to keep it simple. You’re not doing a deep dive. You’re not putting this in front of the jury at this point.
You’re gathering information to make informed decisions. So extract and exploit. You know your case better than anyone. Read the CyberTip, read the reports, read the statements, go through the interviews and make notes. When you were doing your interviews prior to doing this triage — what’s in there? What’s in my CyberTip? What are the usernames that are unique?
Now, “Mark Black” isn’t going to be a great search term on anybody’s computer. But a unique username, or something that’s misspelled — I used to love when I was looking for something and I had a screenshot or something from the case, or somebody said something in the case and they go, “Yeah, and this word was misspelled.” That is gold. That is so unique that you’re only going to find it on this person’s computer. Or maybe it came from the victim’s phone. That is gold to me. Case solved.
Unique usernames, email addresses before the @ — always pretty unique. No spaces, they really get you what you’re looking for. But if it’s your suspect’s username, it’s going to be all over the computer. So maybe you’re looking for someone else’s. Make sure you know when you’re searching for it you’re not going to get a bunch of false positives or a million hits.
IP addresses — very unique. Specific statements that somebody’s made. I had a case like that where the victim was saying, “This person said A, B, C.” It’s almost like a misspelling — look for that statement.
Crime-specific, unique keywords — child exploitation: PTHC, Lolita, Lola, Hussyfan, LS Studios, Angel Island. All those things that are unique and you can search for.
Triage Tools
Richard Frawley: My triage tools — are they for computer only, mobile only, or both computer and mobile? I’m just interested in what you have out there. When you’re going in, are you targeting just mobile at this point? Are you doing computer? Or do you have tools to do both when you’re out on scene?
I have talked to a lot of people that are like, “Yeah, just everything’s being done on phones.” I find it hard to believe that in this day and age with remote work and kids in school and everything, that the computers aren’t being used as well. But then I talked to others who say, “Yeah, we come across computers at every scene and we’ve got to clear them.”
Both computer and mobile — 90%. That’s a great stat. I like that.
Consensual Situations
Richard Frawley: Good consensual situations — using technology to your advantage. Reluctant witnesses. It falls under the triage, and if you have the ability, you know your case again better than anybody else. Involve the victim. You can involve the victim or the consensual party. Almost use it as an interview.
“Hey, I know you don’t want to give me your whole phone. You don’t want to go in the other room. You’re willing to give me A, B, and C from what happened this weekend. But do you mind if we sit here and just go over a couple of things? If I want to make this stick, I really need to know the information about your phone. Can we go in and grab that information?”
Talk them through. Let them see what you’re taking, the screenshots. If you have the ability to use them, it’s just a great way to further your case in that triage-type manner.
Summary
Richard Frawley: Triage is just the beginning. It’s a beginning. You can stop it at any time. Threshold — show me three images. Three images come up in three seconds. I’m done. Triage is targeted. You’re not looking for everything. Show me just all the pictures in the user profile — pictures and videos and web browsing history. Focused — what am I looking for?
It’s for decisions. I want to reduce my backlog. I want to make decisions on scene. I want to make an arrest. I want to do preservation orders. I don’t want to sit in line for six months. It’s all about decisions.
And it requires thought. It’s not just “let’s go out and triage.” Put some thought into it, look for the uniqueness, and look for everything else that goes along with it.
Q&A
Richard Frawley: A couple of questions here. How do you decide when triage versus a full forensic analysis is necessary? Great question. I am not going to a homicide scene with my triage gear. That’s an extreme example. It just doesn’t warrant it. You’re taking everything anyway. Serious cases that one misstep can ruin — you never want to ruin a case. It should be done by policy and procedure. Triage is never enough. It’s just to make the decision to get you started on your way.
What’s the biggest risk of relying too heavily on “show me”? I like early case assessment. I like grabbing as much information and putting things together in a short amount of time knowing that it’s not the end-all. I feel more confident in “yeah, there’s more on here. Yeah, this is definitely the person or the computer.” Look, I have other things supporting my warrant and supporting the CyberTip. I’m not putting everything on my lab. I’m making confident decisions out on scene.
How do you prioritise which devices to triage first in high-pressure, on-scene situations? The way we did it was our ID team went in and they photographed and videoed the whole house. Everybody was brought out to a safe area — all the homeowners, everybody in the house — in one area. Everything’s secured. And then you go in.
Somebody’s talking with your suspect. Their room absolutely is first. And what’s on the triage list? High pressure, you need to get in and out because of danger — maybe it’s just a bag and tag. But that room would be the most important.
With that, we’re coming up to two o’clock. I want to thank everybody for being here. Thank you for your time. I appreciate it. You all had choices. You chose to listen to me for the last hour and I appreciate it. Again, I’m Rich Frawley. You can see our tool in action if you’d like. Follow us on social media. We’ve got a lot of things coming up, a lot of places to go. I follow up with these with deeper dives into triage and showing things. As a matter of fact, next week I’ve got a demo webinar that we’re running. So you can actually see some of this put into practice. With that, thank you very much.