Investigation Delayed Is Justice Denied: Proposals for Expediting Forensic Examinations of Digital Evidence
There is an urgent need to reduce the growing backlog of forensic examinations in Digital Forensics Laboratories (DFLs). Currently, DFLs routinely create forensic duplicates and perform in-depth forensic examinations of all submitted media. This approach is rapidly becoming untenable as more cases involve increasing quantities of digital evidence. A more efficient and effective three-tiered strategy for performing forensic examinations will enable DFLs to produce useful results in a timely manner at different phases of an investigation, and will reduce unnecessary expenditure of resources on less serious matters. The three levels of forensic examination are described along with practical examples and suitable tools. Realizing that this is not simply a technical problem, we address the need to update training and establish thresholds in DFLs. Threshold considerations include the likelihood of missing exculpatory evidence and seriousness of the offense. We conclude with the implications of scaling forensic examinations to the investigation.
Keywords: digital evidence; digital forensics; ethical considerations; forensic best practices; forensic science; in-depth forensic examination; laboratory management; survey forensic examination; triage forensic inspection
Document Type: Research Article
Affiliations: 1: Johns Hopkins University, Information Security Institute, Wyman Park Building, 3400 North Charles Street, Baltimore, MD. 2: Technology Forensics, LLC, Waterbury, CT. 3: Stroz Friedberg, LLC, Boston, MA.
Publication date: November 1, 2009