A practical and robust approach to coping with large volumes of data submitted for digital forensic examination

Digital forensic triage is poorly defined and poorly understood. The lack of clarity surrounding the process of triage has given rise to legitimate concerns. By trying to define what triage actually is, one can properly engage with the concerns surrounding the process. This paper argues that digital forensic triage has been conducted on an informal basis for a number of years in digital forensic laboratories, even where there are legitimate objections to the process. Nevertheless, there are clear risks associated with the process of technical triage, as currently practised. The author has developed and deployed a technical digital forensic previewing process that negates many of the current concerns regarding the triage process and that can be deployed in any digital forensic laboratory at very little cost. This paper gives a high-level overview of how the system works and how it can be deployed in the digital forensic laboratory. Crown Copyright (C) 2013 Published by Elsevier Ltd. All rights reserved.