
Review

Methods and Tools of Digital Triage in Forensic Context: Survey and Future Directions

Vacius Jusas 1,*, Darius Birvinskas 2 and Elvar Gahramanov 1

1 Software Engineering Department, Kaunas University of Technology, Studentu St. 50, LT-51368 Kaunas, Lithuania; elvar.gahramanov@ktu.edu
2 Computer Department, Kaunas University of Technology, Studentu St. 50, LT-51368 Kaunas, Lithuania; darius.birvinskas@ktu.lt
* Correspondence: vacius.jusas@ktu.lt; Tel.: +370-656-76159

Academic Editor: Shu-Ching Chen
Received: 7 February 2017; Accepted: 22 March 2017; Published: 28 March 2017

Abstract: Digital triage is the first investigative step of the forensic examination. The digital triage comes in two forms, live triage and post-mortem triage. The primary goal of the live triage is a rapid extraction of intelligence from the potential sources. The live triage raises legitimate concerns. The post-mortem triage is conducted in the laboratory and its main goal is ranking of the seized devices for the possible existence of the relevant evidence. The digital triage has the potential to quickly identify items that are likely to contain the evidential data. Therefore, it is a solution to the problem of case backlogs. However, existing methods and tools of the digital triage have limitations, especially in the forensic context. Nevertheless, we have no better solution for the time being. In this paper, we critically review published research works and the proposed solutions for digital triage. The review is divided into four sections as follows: live triage, post-mortem triage, mobile device triage, and triage tools. We conclude that many challenges await the developers in creating methods and tools of digital triage in order to keep pace with the development of new technologies.

Keywords: digital forensic; digital triage; live triage; post-mortem triage; triage tools

1. Introduction
The volume of data for forensic investigation keeps constantly growing. This is a result of the continuing technology development when scale and bounds of the Internet rapidly change and social networks come to everyday use. The storage capacity expands to new areas when smart phones become part of the Internet devices and cloud storage services are offered. The digital forensic process is very time consuming, because it requires the examination of all available data volumes collected from the cybercrime scene. The digital forensic process commences with the collection, duplication, and authentication of every piece of digital media prior to examination. Moreover, every action taken has to adhere to the legitimacy rules so that the obtained digital evidence could be presented in the court. However, life is very dynamic, and situations arise in which some information about a possible cybercrime has to be obtained as promptly as possible without adhering to the rules of long legal scrutiny. Of course, the information obtained in such a way cannot be directly used in the court; however, a quick access to such knowledge can speed up the future process of digital forensics and, in some situations, can even save somebody's life. Therefore, such actions are justifiable.
A process that takes place prior to the standard forensic methodology is called digital triage. It can provide valuable intelligence without subjecting digital evidence to a full examination. This quick intelligence can be used in the field to guide the search and seizure, and in the laboratory to determine if a media is worth being examined.

Symmetry 2017, 9, 49; doi:10.3390/sym9040049 www.mdpi.com/journal/symmetry

The term triage comes from the field of medicine, in which it refers to the situations when, because of having limited resources, the injured people are ranked according to the necessity to receive treatment. Such ranking ensures the achievement of the least damage to patients when resources are limited [1].
Rogers et al. [2], the authors of the first field triage model in computer forensics, define triage as a process of ranking objects in terms of importance or priority. Casey et al. [3] define triage in digital forensics as part of the forensic examination process. The forensic examination is described as a three-tier strategy consisting of three levels: (i) survey/triage forensic inspection, (ii) preliminary forensic examination, and (iii) in-depth forensic examination. The first stage, in which many potential sources of digital evidence for specific information are reviewed, is alternatively referred to as survey or triage. The same idea, that triage is part of the forensic examination, is supported in later works [4–8]. Casey [4] underlines that triage is effective for prioritizing, but it is not a substitute for a more thorough review. Casey [5] argues that triage is a technical process, which can be performed outside a laboratory by professionals with basic training and limited oversight. Categorizing digital triage as a technical process makes it more clear that the information has not undergone rigorous quality assessment and its legitimacy has not been evaluated.
There are many other definitions of triage, which slightly differ depending on the attributed qualities [7–12]. The diversity of triage definitions reflects the variety of the views and indicates the immaturity of the field. However, it is not the main problem. The focus should be devoted to the decision whether digital triage is a forensic process. As Cantrell et al. [13] state, "Digital triage is not a forensic process by definition." It is not clear to which definition Cantrell et al. [13] refer. It is possible to suppose that it is the definition by Rogers et al. [2]. However, other definitions exist, and this statement is not true for all the cases [7,11,14]. Koopman and James [11], and Roussev et al. [7] use the term "digital forensic triage". If digital triage is not the forensic process, then the term "forensic" cannot be used together with the term "digital triage", because it misleads. Hong et al. [14] introduce a triage model that is adapted to the requirements of the legal Korean system. Consequently, the proposed triage model adheres to the rules of the forensic process. Moreover, Hong et al. [14] suggest establishing a triage model individually for the legal system of a specific country.
To summarize the diversity of views on digital triage, we stress the following features:
1. Digital triage is a technical process to provide information for the forensic examination, but does not involve the evaluation of digital evidence
2. The goal of digital triage is to rapidly review many potential sources of digital evidence for specific information and prioritize the digital media to make the subsequent analysis easier
3. The term "forensic" cannot be used together with the term "digital triage" if the process of digital triage does not adhere to the rules of the forensic process specific to the country
Digital triage comes in two forms: live and post-mortem. The post-mortem form of triage, which is conducted on the digital image, is not always recognized as triage. We suppose that both forms of digital triage are equally important. Live triage raises many concerns, because it is conducted on the live system, and the destruction of the likely evidence is possible. However, live digital triage has several advantages:
1. It enables a rapid extraction of intelligence that can be used for suspect interrogation
2. Some data can be lost if the computer is shut down
The primary concern inherent to both forms of digital triage is that the evidential data can remain unnoticed [15]. Pollitt [16] argues that the process of digital triage in the context of forensics is an admission of failure. However, he recognizes that for now a better approach does not exist.
Moreover, the term triage becomes the common word to indicate the initial and rapid step in the different areas of the forensic investigation. For example, it is used in the retail industry [17], in the internet of things [18], and in the fraud of identity and travel documents [19].

We review the research works related to digital triage. We divide the review into four sections as follows: live triage, post-mortem triage, mobile device triage, and triage tools. The largest section is on the triage tools. Such abundance of research works highlights the practical need for triage tools. In the next section, we review the models and methods of live triage.

2. Models and Methods of Live Triage
Rogers et al. [2] introduce the model for the field triage process in computer forensics and name it the Cyber Forensic Field Triage Process Model (CFFTPM). The CFFTPM has six phases: planning, triage, usage/user profiles, chronology/timeline, internet activity, and case specific evidence. Each phase has several subtasks and considerations that vary according to the specifics of the case and operating system under investigation. The CFFTPM originates from child pornography cases. Nevertheless, it is general enough to be applicable to other possible cases; however, the model cannot be considered as the ultimate solution for every case. It is also important to note that the proposed model does not preclude transporting the system to a laboratory environment for a more thorough investigation.
Cantrell et al. [13] discuss a proposed model for digital triage. The proposed model is a linear framework, except the preservation phase that is an investigative principle preserved throughout all the phases. The first phase is planning and readiness that occurs before the investigation on site. The next phase is live forensic that is included as an optional step, depending on the need and expertise, and it must occur prior to the following phases because the volatile memory can be lost very quickly. The middle three phases: computer profile phase, crime potential phase, and presentation phase are intended to be an automated process, coded as a computer program or script using the existing tools. The last phase, triage examination phase, is optional depending on the need. The triage examination should be an automated process that is guided by the examiner using predefined templates specific to each case.
Hong et al. [14] propose a theoretical framework for implementing a triage model. The requirement for the triage model is to consider the limiting factors of the on-site search and seizure. The framework consists of three phases: assessment, triage model, and reassessment. The proposed framework is based on the assumption that reassessments are performed periodically according to the changes in search and the conditions of the on-site seizure. To establish a triage model, a questionnaire that consists of 48 questions, which are provided in the paper, was prepared; it was answered by 58 respondents in total. The paper presents a large discussion of the results. After assessing the results of the questionnaire, a new triage model is proposed. The triage process is divided into four steps: planning, execution, categorization, and decision. The properly collected information mostly depends on the execution step. The execution step prioritizes the file types for the search according to three types of crime: personal general crime, personal high-tech crime, and corporate general crime. Next, the file search is conducted in the following order: timeline of interest; filename or contents-based keywords search; and file/directory path-based search. Another important procedure in the execution step is the detection of suspicious files. The proposed triage model can be applied only to personal computers and it is tailored to the Korean legal system requirements for the privacy protection.
Overill et al. [20] propose an attractive idea to introduce triage template pipelines into the investigative process for the most popular types of digital crimes, enabling digital evidence to be examined according to a number of prioritised criteria. Each specific digital crime has its own template of prioritised devices and the data based on the cost-effectiveness criteria of front-loading probative value and back-loading resource utilisation. The authors declare that about 80% of all digital crimes in Hong Kong are accounted for by just five types of crime. However, they do not enumerate these types of crime. The authors state that the work this far has addressed the set of five digital crime templates; however, the examples of templates for only two digital crimes are provided. To be more precise, they are the Distributed Denial of Service (DDoS) template diagram and the Peer-to-Peer (P2P) template diagram. Moreover, the construction of these example templates is not discussed in detail. An advantage of the triage template pipeline approach over the triage tools is that the evidential recovery process can be terminated as soon as it becomes apparent that the probative value criterion has been fulfilled. Therefore, the triage time can be shorter in some cases. The essence of the proposed triage template pipelines is formalized common sense.
Roussev et al. [7] argue and analyze forensic triage as a real-time computation problem, which has allotted limited time and resources. One hour is considered to be an acceptable time limit for triage. The authors assume that an increase in the performance can be achieved if the acquisition and processing start and complete at almost the same time. It means that the processing should be as fast as the data cloning. The suitability of the most common open source implementations and of most common forensic procedures to fit into the time constraints is investigated experimentally. The authors state that the triage investigation can be carried out in the field and in the laboratory. For the field work, they consider an 8-core workstation and for the laboratory, they consider a 48-core server. The obtained results show that only a few basic methods, like file metadata extraction, crypto hashing, and registry extraction, can fit into the time budget in the workstation triage. To increase the performance of the file acquisition, Roussev et al. [7] implement a Latency-Optimized Target Acquisition (LOTA) scheme. The main idea of this scheme is that the metadata of a filesystem is parsed to make an inverse map from blocks to files before cloning the target. This procedure allows sequential scanning of blocks and reconstructing the files. The LOTA scheme enables an improvement of a factor of two for files larger than 1 M and a factor of 100 for smaller files. It is recommended to use the scheme in the forensic environment routinely. The authors advocate employing parallel computations to obtain higher processing rates.
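To make the LOTA idea concrete, the following added example (written for this review, not code from Roussev et al. [7]) builds the inverse block-to-file map from constructed file-system metadata, then acquires all files in one forward pass over a toy volume and compares the number of non-sequential reads ("seeks", an assumed latency model) against a conventional file-by-file copy. The `FileEntry` metadata, the 512-byte block size and the sample volume are all constructed for the illustration.

```python
from dataclasses import dataclass
import random

BLOCK = 512  # constructed block size for the toy volume


@dataclass
class FileEntry:
    """Constructed stand-in for file-system metadata: a file name, its
    size in bytes and the ordered block numbers it occupies (the list may
    be non-contiguous, i.e. the file is fragmented)."""
    name: str
    size: int
    blocks: list


def inverse_map(entries):
    """Build the block -> (file, position) map that LOTA derives from the
    file-system metadata before any file data is read."""
    inv = {}
    for e in entries:
        for pos, b in enumerate(e.blocks):
            inv[b] = (e.name, pos)
    return inv


def sequential_acquire(volume, entries):
    """LOTA-style pass: walk the device in block order once, skip
    unallocated blocks, and route each allocated block to its file via
    the inverse map. Returns the reconstructed files and a seek count,
    where a seek is any read that does not follow the previously read
    block (assumed latency model, not the paper's measurement)."""
    inv = inverse_map(entries)
    sizes = {e.name: e.size for e in entries}
    parts = {e.name: [b""] * len(e.blocks) for e in entries}
    seeks, last = 0, -1
    for b in range(len(volume) // BLOCK):
        if b not in inv:
            continue                      # unallocated: never read
        if b != last + 1:
            seeks += 1
        last = b
        name, pos = inv[b]
        parts[name][pos] = volume[b * BLOCK:(b + 1) * BLOCK]
    files = {n: b"".join(p)[:sizes[n]] for n, p in parts.items()}
    return files, seeks


def per_file_acquire(volume, entries):
    """Conventional logical copy: follow each file's own block list in
    turn, so fragmentation and interleaving of files cost extra seeks."""
    files, seeks, last = {}, 0, -1
    for e in entries:
        chunks = []
        for b in e.blocks:
            if b != last + 1:
                seeks += 1
            last = b
            chunks.append(volume[b * BLOCK:(b + 1) * BLOCK])
        files[e.name] = b"".join(chunks)[:e.size]
    return files, seeks


def build_sample_volume():
    """Constructed 16-block volume holding three interleaved, partly
    fragmented files; block contents are deterministic random bytes."""
    rng = random.Random(7)
    volume = bytes(rng.getrandbits(8) for _ in range(16 * BLOCK))
    entries = [
        FileEntry("a.doc", 1300, [2, 3, 9]),    # fragmented: 2,3 then 9
        FileEntry("b.jpg", 1536, [4, 10, 11]),  # fragmented: 4 then 10,11
        FileEntry("c.txt", 100, [5]),           # one block, mostly slack
    ]
    return volume, entries


if __name__ == "__main__":
    vol, ents = build_sample_volume()
    seq_files, seq_seeks = sequential_acquire(vol, ents)
    pf_files, pf_seeks = per_file_acquire(vol, ents)
    assert seq_files == pf_files  # identical bytes recovered either way
    print(f"sequential pass: {seq_seeks} seeks; per-file copy: {pf_seeks} seeks")
```

Both strategies recover identical file contents; only the access pattern differs, which is where the paper's speed-up for small files comes from.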
Lim and Lee [21] describe a unified evidence container XeBag for storing diverse digital evidence from different sources. The XeBag can be used for selective evidence collection and searching on the live system. The file structure of XeBag is based on well-known compression file formats, PKZip and WinRAR. To record forensic metadata, an Extensible Markup Language (XML) document is included additionally for each stored object. The XML format is a popular data exchange format, therefore, it enables easy access to the data. The authors provide a description of a video surveillance system to show how its digital evidence is stored and can be retrieved from the unified evidence container XeBag.
Grier and Richard III [22] introduce a new approach, called sifting collectors, for imaging of the selected regions of disk drives. The sifting collectors create a sector-by-sector, bit-for-bit exact image of disk regions that have forensic value. The forensics image is produced in an Advanced Forensics Format v3 [23], and it is fully compatible with the existing forensic tools. The selection of the regions that have forensics value is based on profiles. The authors do not expect that the examiners can prepare the profiles themselves, therefore, the profiles must be created and stored in a library. The sifting collectors firstly collect the metadata according to the defined profile. Then they interpret metadata, determine sectors of interest, and assemble them in the disk order. As a result, their methods are not suitable for unknown filesystems. If profiles are not possible to define, the alternative proposes to include a person in the scanning loop to decide what is relevant. The implemented prototype targets New Technology File System (NTFS) as a filesystem and uses the Master File Table as its primary source. The conducted experiment shows a speedup from 3 to 13 times in comparison to the forensic image acquisition tool Sleuthkit [24] for the test cases. The absolute values of runtimes are not provided. The accuracy of the region selection is between 54% and 95% for the considered test cases. Faster image acquisition time gives less accuracy. One important limitation of sifting collectors is their susceptibility to steganography and anti-forensics.
Penrose et al. [25] present an approach for fast contraband file detection on the device itself. The approach is based on clusters scanning, hash calculating, and comparison to the database. The cluster size is 4 KiB. A Bloom filter is used to store the cluster hashes of the contraband files. The Bloom filter reduces the size of the database of the block-level Message Digest Algorithm 5 (MD5) hashes by an order of magnitude; however, it costs a small false positive rate. The designed Bloom filter is 1 GiB in size and it uses eight hash functions. A larger Bloom filter enables faster access to the hashes of the contraband files. The performed experiment shows that the approach achieves 99.9% accuracy scanning for contraband files in minutes. Some false positives are encountered; however, the results are positive for the existence of all contraband files. The experiment was conducted in a legitimate computing environment. The authors draw a conclusion that this type of case can be further investigated in a forensically sound environment.
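The cluster-hash scheme above, as an added example written for this review (not Penrose et al.'s [25] code): full 4 KiB clusters of known files are MD5-hashed into an eight-function Bloom filter, a constructed image is scanned cluster by cluster, and Bloom hits are then confirmed against the exact hash set, which is the step that removes the filter's false positives. The filter is scaled down to 1 Mi bits, the double-hashing construction of the eight functions is an assumption (the paper does not state how its functions are formed), and the sample files and image are constructed.

```python
import hashlib
import random

CLUSTER = 4096         # 4 KiB clusters, as in the paper
FILTER_BITS = 1 << 20  # constructed: 1 Mi bits instead of the paper's 1 GiB
NUM_HASHES = 8         # eight hash functions, as in the paper


def cluster_md5(cluster):
    """Block-level MD5 of one cluster (the value the hash database stores)."""
    return hashlib.md5(cluster).digest()


def bloom_positions(digest):
    """Derive NUM_HASHES bit positions from a 16-byte MD5 digest by double
    hashing (h1 + i*h2 mod m). Assumption: one common construction; the
    paper does not say how its eight functions are built."""
    h1 = int.from_bytes(digest[:8], "big")
    h2 = int.from_bytes(digest[8:], "big") | 1   # odd stride
    return [(h1 + i * h2) % FILTER_BITS for i in range(NUM_HASHES)]


class ClusterBloomFilter:
    """Compact probabilistic set over cluster hashes: no false negatives,
    but a small false-positive rate that grows as the filter fills."""

    def __init__(self):
        self.bits = bytearray(FILTER_BITS // 8)
        self.count = 0

    def add(self, digest):
        for p in bloom_positions(digest):
            self.bits[p >> 3] |= 1 << (p & 7)
        self.count += 1

    def __contains__(self, digest):
        return all(self.bits[p >> 3] & (1 << (p & 7))
                   for p in bloom_positions(digest))


def clusters(data):
    """Yield (offset, cluster) for every full cluster in a byte string.
    Assumption: a file's partial tail cluster is not indexed."""
    for off in range(0, len(data) - CLUSTER + 1, CLUSTER):
        yield off, data[off:off + CLUSTER]


def build_database(known_files):
    """Index every full cluster of the known files. Returns the Bloom filter
    carried into the field plus the exact hash set used for confirmation."""
    bf, exact = ClusterBloomFilter(), set()
    for content in known_files.values():
        for _, c in clusters(content):
            d = cluster_md5(c)
            bf.add(d)
            exact.add(d)
    return bf, exact


def scan_image(image, bf):
    """Cluster-by-cluster scan of a device image; returns offsets of clusters
    the filter reports as known (may include false positives)."""
    return [off for off, c in clusters(image) if cluster_md5(c) in bf]


def confirm_hits(image, hits, exact):
    """Drop Bloom false positives by re-checking hits against the exact set."""
    return [off for off in hits
            if cluster_md5(image[off:off + CLUSTER]) in exact]


def build_sample():
    """Constructed data: two 'known' files and a 24-cluster image that embeds
    their clusters among unrelated filler (deterministic random bytes)."""
    rng = random.Random(42)
    rb = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    known = {"known1.bin": rb(3 * CLUSTER),          # 3 full clusters
             "known2.bin": rb(2 * CLUSTER + 700)}    # 2 full + partial tail
    filler = [rb(CLUSTER) for _ in range(24)]
    filler[5:8] = [known["known1.bin"][i * CLUSTER:(i + 1) * CLUSTER]
                   for i in range(3)]
    filler[12:14] = [known["known2.bin"][i * CLUSTER:(i + 1) * CLUSTER]
                     for i in range(2)]
    return known, b"".join(filler)


if __name__ == "__main__":
    known, image = build_sample()
    bf, exact = build_database(known)
    hits = scan_image(image, bf)
    print("bloom hits at offsets:", hits)
    print("confirmed:", confirm_hits(image, hits, exact))
```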
Turnbull and Randhawa [26] describe an ontology-based approach to assist examiner-led triage. The purpose of the approach is to enable a less technically intrinsic user to run a triage tool. This is implemented by collecting low-level artifacts and inferencing hypotheses from the collected facts. The approach is oriented to automatically deriving events from the base of the forensics artefacts. A Resource Descriptive Framework (RDF) is used as the basis of the ontology. The representative feature of the approach is that the layered multiple ontologies are designed over the same data set. The description of the ontologies used is vague. The authors find some advantages of the RDF; however, they recognize that a Web Ontology Language (OWL) could provide more possibilities. The authors suggest that the approach is applicable for the extraction of information from social networks, though, no evidence of such application can be found in the paper. The implemented system to provide a proof of concept consists of a knowledge base, data ingestors, reasoners, and a visualiser. The visualiser is hard-coded into the used ontology. Neither test, nor real cases are provided. To conclude, the idea of the approach is attractive, however, the description and the development are immature.
Hitchcock et al. [27] introduce a Digital Field Triage (DFT) model to offload some of the initial tasks performed in the field by forensic examiners to non-digital evidence specialists. The primary goals of the model are twofold: (i) to increase the efficiency of an investigation by providing digital evidence in a timely manner; (ii) to decrease the backlog of files at a forensic laboratory. The proposed model is based on Rogers et al. [2] and it has four phases: planning, assessment, reporting, and threshold. The DFT model has inherent risks associated with it. They are as follows: the management, training, and supporting tools. The management and ongoing training are integral parts of the success of the DFT model. The tools must support the management. For the DFT to work, there are three fundamental concepts:
1. DFT must work with a supervising examiner
2. DFT must maintain the forensic integrity of the digital evidence
3. A DFT assessment does not replace the forensic analysis
Therefore, the DFT model is not a replacement for full analysis, but is part of the overall strategy of handling digital evidence. The first version of the DFT model was implemented in Canada six years ago. The implementation achieved the goals pursued by the model; however, persistent attention needs to be turned to the risks associated with the model.
Leimich et al. [28] propose a variation of cloud forensic methodology tailored to a live analysis of Random-Access Memory (RAM) for Hadoop Distributed File System (HDFS). The aim of the methodology is to minimize the disruption to the data center after a data breach. The Hadoop is a Java implemented system developed for UNIX-based operating systems. It is a master/slave distributed architecture for storing and processing big data. The HDFS consists of DataNodes (slaves), which store the data, and NameNode (master) that manages the DataNodes. The methodology is oriented to the acquisition of the NameNode contents to pinpoint the affected DataNodes. The forensic analysis of the DataNodes is out of scope of the proposed methodology. The methodology contains nine phases: preparation, live acquisition of the NameNode, initial cluster reconnaissance, checkpointing via a forensic workstation, live artefact analysis, establish suspect transactions and map to data block, perform targeted dead acquisition of the DataNodes, data reconstruction, and report. To test the validity of the methodology, a small HDFS cluster that has one master and three slaves was configured with a single scenario of deleted data. The phase of data reconstruction is not carried out. The experiment confirms that the methodology enables locating the deleted data blocks. Leimich et al. [28] discuss the ability to implement the proposed methodology in a forensic tool in compliance with the National Institute of Standards and Technology (NIST) Computer Forensic Tool Testing criteria.

Montasari [8] extends the Rogers et al.'s [2] model by dividing all phases into two stages and introducing new subtasks into the phases. The single planning activity is assigned to the first stage. The planning should be carried out before attending the site. Montasari [8] considers many models of the forensics process, not just triage models, because according to the author, the single model proposed by Rogers et al. [2] exists for the on-site triage process. The author selects activities, which would be appropriate for the triage process, from other models. Therefore, several subtasks are added to the model of the forensics field triage process, and the model is presented in a more detailed and categorized way. Additionally, the model is extended by a set of investigative principles joined into a group under the name of Overriding Principles, which are an additional contribution of the paper. These principles are as follows:
1. To preserve chain of custody
2. To maintain an accurate audit trail
3. To maintain a restricted access control
4. To maintain an effective case management
5. To maintain the information flow
Peersman et al. [29] present an approach that incorporates artificial intelligence and machine learning techniques (support vector machines) to automatically label new Child Sexual Abuse (CSA) media. The approach employs two stages for labelling the unknown CSA files. The first stage uses the text categorization techniques to determine whether a file contains CSA content based on its filename. The text categorization applies the following features: predefined keywords, forms of explicit language use, expressions relating to children and family relations in English, French, German, Italian, Dutch, and Japanese. Additionally, all patterns of two, three, and four consecutive characters are extracted from the filenames. The second stage gets the files from the first level and examines the visual content of images and audio files. The second stage bases the decision on multimodal features. The multimodal features consist of the following representations: colour correlograms, skin features, visual words and visual pyramids, and audio words for audio files. The conducted experiment shows a false positive rate of 20.3% after the first stage. The second stage reduces the false positive rate to 7.9% for images and 4.3% for videos. The approach is implemented into the iCOP toolkit [30] that performs live forensic analysis on a P2P network. Therefore, the proposed approach is designed for a proactive monitoring activity. To label the most pertinent candidates for the CSA media, an examiner can log into the iCOP canvas that automatically arranges the results. Additionally, the approach can be adapted to the identification of the new CSA media during a reactive investigation. The approach is implemented in the Gnutella P2P network.
Quick and Choo [31] develop the idea of data reduction introduced in [32]. The authors present the methodology to reduce the data volume using selective imaging. The methodology suggests selecting only the key files and data. Windows, Apple and Linux operating systems and their file systems are considered. A forensic examiner makes the decision to include or exclude particular file types. The decision is based on the relevance to the case of the data contained in these file types. The other possibility considered for reducing data volume is a thumbnailing of video, movie, and picture files. The thumbnailing significantly reduces large image files. Once the file types are selected and some thumbnails are loaded into the forensics software, the logical image file is created. The presented methodology can be applied using common digital forensics tools. The methodology is applied to test as well as real world data. Many results of the experiments that illustrate the viability of the methodology are provided. In general, the time reductions observed are 14 min on average to collect a logical image and process it in the Internet Evidence Finder, meanwhile the processing of a full forensic image takes 8 h 4 min on average. The presented methodology can be applied to either write-blocked physical media or a forensic image.

3. Methods of Post-Mortem Triage
Marturana and Tacconi [33] summarize the research works [34,35] delivered at conferences and present a model intended for both live and post-mortem triage using machine learning techniques. The presented model consists of the following four steps: forensic acquisition, feature extraction and normalization, context and priority definition, and data classification. For such a model, there are two main challenges, the definition of crime-related features and collection of a consistent set of classified samples related to the investigated crimes. The crime-related features are defined for two case studies, copyright infringement and child pornography exchange. Guidelines for using the classifiers are provided. The attention of the experiment is mostly directed to the comparison of the classifiers used at the last stage of the model. No conclusion is made as to which classifier is best suited for the investigated cases. The presented statistical approach has proven to be valid for ranking the digital evidence related to copyright infringement and child pornography exchange. However, for this approach to be viable, it is necessary to have a deep understanding of possible relations between the crime under investigation and the potential digital evidence.
McClelland and Marturana [36] extend the research presented by Marturana and Tacconi [33]. The authors investigate the impact of the feature manipulation on the accuracy of the classification. The weights are assigned to the features. Two approaches are used for assigning weights to the features, automatic and manual. The automated feature weights are quantified using the Kullback-Leibler measure. The manual weights are determined on the basis of the surveyed digital forensic experts' contribution. The Naïve Bayes classifier is used for the experiment. The only improvement is achieved in the child pornography case.
Horsman et al. [10] extend the ideas presented in [37] and discuss a Case-Based Reasoning Forensic Triager (CBR-FT) method for retrieving the evidential data based on the location of the digital evidence in the past cases. The CBR-FT maintains a knowledge base for gathering the previous experience. Each location on the system stored in the knowledge base is assigned an evidence relevance rating (ERR), which is used as the prior probabilities in the Bayesian model to determine the priority of a particular location for searching. The model enables calculating a primary relevance figure (PRF) for each location. The search is carried out in two stages: in the first stage, only locations with a PRF above 0.5 are used, while the second stage is optional. If the examiner suspects that additional evidence can exist, s/he proceeds to the second stage. During the second stage, the examiner focuses on identifying similar patterns in cases stored in the CBR-FT knowledge base. The CBR-FT knowledge base must cover enough cases to reflect its target population correctly. That is the first restriction for application of the method. The study focuses on fraud offences and it has constructed a fraud knowledge base from 47 prior investigations. The experiment shows that the CBR-FT is more effective when compared to a commercial application EnCase Portable [38], which uses precision and recall rates. However, an additional shortcoming of this study is that it focuses only on offences of fraud.
Bashir and Khan [39] suggest a triage framework oriented to analyzing and resolving an attack. The framework contains the usual steps that belong to a general investigative process. The term triage refers to a certain part of the framework. The main idea of the triage framework is to create a blacklist database that contains a list of the previously known attacks with details on how to resolve them. Every attack is characterized by six attributes: identifier, name, description, status, signature, and then counter measures. The key attribute is the signature that is a placeholder to store unique signatures of cyber attacks in the form of MD5 hashes. If the signature of any of the affected files is found in the blacklist database, then it means that the attack is known. The answer to how to resolve it is in the blacklist database. However, if the attack is unknown, there is no triage process; a detailed analysis follows. The blacklist database is updated periodically on the basis of the new knowledge and new attacks.
Dalins et al. [40] introduce a crawl and search method that can be used for digital triage. The proposed method adopts the Monte Carlo Tree Search strategy that is used in games for the filesystem search, which is called Monte Carlo Filesystem Search (MCFS). The original random selection is leveraged with non-binary scoring to keep guided search. Three file scoring methods are introduced, each built on the previous one: simple scorer, type of interest scorer, and similarity-based scorer. Other customizations are made to deliver better performance: integration of domain knowledge to enhance guided search, use of the proprietary Microsoft PhotoDNA algorithm to measure the similarity of images, and skin tone detection to identify exposed skin that is a usual component of child pornography. The experiment is carried out on real data that was obtained from the Australian Federal Police. The data presented as forensics images are related to the possession and online trading of child pornography. The experiment shows that the proposed MCFS is an effective method for larger and complex tree structures of the filesystem hierarchy. The search efficiency can be improved by around a third compared to uninformed depth-first search. However, the integration of domain knowledge and skin tone detection scoring showed lower results than expected. An additional investigation is necessary to improve these customizations. In general, the improved proposed method is promising, since many performance limitations arise due to the complicated filesystem design [7].
Fahdi et al. [41] investigate the possibility of utilizing the Self-Organising Map (SOM) technique to automatically cluster notable artefacts that are relevant to the case. A SOM is a neural network that generates a mapping from the high-dimensional input data into a regular two-dimensional array of nodes based upon their similarity in an unsupervised manner. The approach is based on using the metadata from several sources, such as the file system, email, and Internet, as the input into the SOM clustering. Moreover, the approach is oriented at the investigation of the suspects' systems rather than the victims' systems. Several preprocessing options are employed before the application of the approach. These options include the creation of the file list, expanding compound files, data carving, entropy test for encryption, and known file search. The results of data carving are not included into the file list of the SOM. Data carving should not be deployed during triage, since data carving tends to generate a lot of data due to high false positive rates [7]. The experiment shows that the use of the approach as a triage to verify the existence of the notable files allows identifying 38.6% of notable files at a cost of 1.3% of noise files. It is possible to expand the network size to increase the percentage of the notable files, however, at the cost of picking up more noise files. Most of the analysis takes a relatively trivial amount of time for small data sets (several GB); however, it takes an hour on average to process a large data set (0.5 TB). The appeal of the approach is that the only examiner interaction required in this process is when selecting the crime category. The approach can be a building block with further research and refinement to provide a triage tool for investigating simpler and technically more trivial cases that represent a large proportion of the forensic examiner's daily activities.

4. Triage of Mobile Devices
Mislan et al. [42] discuss the on-site triage process for mobile devices. The following steps are suggested for an on-scene triage investigation of mobile devices:
1. Initiate the chain of custody
2. Isolate the device from the network
3. Disable the security features
4. Extract the limited data
5. Review the extracted data
6. Preview the removable storage media.
All the steps are discussed in detail. The process of the investigation should be well documented in order to validate the results. The mobile device technicians, who are less experienced as technical examiners, should perform the on-site triage. The basic requirements for the automated on-site triage tools are outlined. To present shortly, they are as follows: simplicity of use, audit trail, and access control. The legal allowances of the United States to examine mobile devices are considered as well.
Walls et al. [43] introduce an investigative tool DEC0DE for recovering information from mobile phones with unknown storage formats. The main idea is that the data formats from known phone models can be leveraged for recovering information from the new phone models. The evaluation focuses on feature phones, i.e., phones with less capability than that of smartphones. The DEC0DE takes the physical image of a mobile phone as input. It is the first limitation of the tool, because the image is not its concern. The second limitation is the assumption that the owner of the phone has left the data in plain text format. The next shortcoming is that the extracted results are limited to address books and call log records. The contribution of the paper is a technique for an empirical mobile phone data analysis. The used technique consists of two steps: removal of known data and recovering information from the remaining data. The latter step is called an inference process. Block hash filtering accomplishes the first step. The second step adapts the techniques from natural language processing, namely the context-free grammar, and uses probabilistic finite state machines to encode typical data structures. The Viterbi algorithm treats the created finite state machines twice. Finally, the decision tree classifier is used to remove the potential false positives. The development is based on the four following models: Nokia 3200B, LG G4015, Motorola v551, and Samsung SGH-T309. The performance of DEC0DE's inference engine is evaluated against two metrics, recall and precision. The conducted experiment on the phones that have not been seen previously shows an average recall of 93% and precision of 52% for address books, and an average recall of 97% and precision of 80% for call logs.
Marturana et al. [34] discuss the application of machine learning algorithms for digital triage of mobile phones. The triage stage is introduced between the stages of acquisition and analysis. The extracted data are first preprocessed in order to clean the data, remove redundant attributes, and normalize the data. Several classification algorithms are used to show the ability to classify whether a mobile phone was used to commit a pedophilia crime. Attention is devoted to the performance of the classification algorithms. The research is a first step towards post-mortem forensic triage of mobile phones.
Varma et al. [44] present a system, called LIFTR, for prioritizing the information recovered from Android phones. The initial data for the system is a forensic image extracted by a recovery engine. Three recovery engines, DEC0DE [43], bulk_extractor [45], and strings, a common UNIX utility for identifying strings of printable characters in a file, are used as the suppliers of the forensic images. Therefore, LIFTR should operate in concert with the recovery engine, as it augments the results obtained by the engine. The basic idea is that the recovery engine returns many items unrelated to the investigated crime, since it does not consider the semantics behind the recovered content. Varma et al. [44] explore the filesystem of Android phones and learn the rules by which information is stored. These learnt rules and the feedback from the examiner form the basis for information prioritizing. The examiner labels the information units relevant to the investigated crime at the page level. The labeling is performed several times, in a cycle. All the information is ranked based on a combination of the examiner's feedback, the actual content, and the storage system locality information. To test the validity of the approach, an open-source prototype of LIFTR is implemented. LIFTR's ranking algorithm is evaluated against 13 previously owned Android smartphones. Moreover, the set includes nine phones with the Yaffs filesystem [46]. To improve the results, the authors wrote a special Yaffs parser to identify the expired pages that are important to information relevance. The experiment shows that the LIFTR ranking improves the score of a standard information retrieval metric from 0.0 to an average of 0.88.
Guido et al. [47] introduce a differential acquisition technique that can be used for forensic image acquisition of mobile devices for triage purposes. The advantage of the technique is its run time, which is several times shorter than that of the compared commercial tools or techniques. The main idea is to use precomputed baseline hashes. Therefore, only the hashes of the unknown blocks are sent to the server. A prototype named Hawkeye is implemented. Hawkeye uses the MD5 algorithm for hashing. Several other improvements are implemented to reduce the run time. They are as follows: threading (10 threads by default) and a comparison function for the zero block. Hawkeye runs on Android devices in recovery mode. The experiment is performed with a 16 GB Samsung Galaxy S3 smartphone (Samsung, Seoul, South Korea). The acquisition techniques of the tool can be applied to other platforms, such as iOS (Apple Inc., Cupertino, CA, USA), as well.
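Two of the techniques in this section rest on the same primitive, a digest per fixed-size block: the removal of known data that forms DEC0DE's first step (block hash filtering), and Hawkeye's differential acquisition against precomputed baseline hashes. The following Python example is added here as an illustration and is not code from either paper. The block size, the use of SHA-256 (Hawkeye used MD5), the "stock" and "seized" images and the contact record are constructed assumptions, and since the text does not say how Hawkeye splits the hash comparison between device and server, the comparison is done locally here.

```python
"""Block-hash filtering for mobile images (added illustration).

One primitive, a digest per fixed-size block, serves two uses named in
the text: DEC0DE's first step, removing blocks of known content before
inference, and Hawkeye's differential acquisition, which only transfers
blocks whose digest is not in a precomputed baseline. Images here are
in-memory byte strings; nothing is read from a device.
"""
import hashlib
from typing import Dict, Iterator, List, Set, Tuple

BLOCK_SIZE = 512                  # assumption; the real page/sector size is device-specific
ZERO_BLOCK = b"\x00" * BLOCK_SIZE


def block_hash(block: bytes) -> str:
    # Hawkeye used MD5; SHA-256 is used here because the digest decides
    # what is never acquired, so collision resistance is a soundness issue.
    return hashlib.sha256(block).hexdigest()


def iter_blocks(image: bytes) -> Iterator[Tuple[int, bytes]]:
    for offset in range(0, len(image), BLOCK_SIZE):
        yield offset, image[offset:offset + BLOCK_SIZE]


def baseline_hashes(reference: bytes) -> Set[str]:
    """Precompute the digests of a known image (stock firmware or an earlier acquisition)."""
    return {block_hash(b) for _, b in iter_blocks(reference)}


def differential_acquire(image: bytes, baseline: Set[str]) -> Dict[int, bytes]:
    """Hawkeye-style: keep only blocks the baseline does not already contain.

    All-zero blocks are recognised by direct comparison (the zero-block
    shortcut) and skipped without hashing; they carry no content to transfer.
    """
    unknown: Dict[int, bytes] = {}
    for offset, block in iter_blocks(image):
        if block == ZERO_BLOCK[:len(block)]:
            continue
        if block_hash(block) not in baseline:
            unknown[offset] = block
    return unknown


def remove_known_data(image: bytes, known: Set[str]) -> List[Tuple[int, bytes]]:
    """DEC0DE-style step one: drop blocks of known content, return the rest for inference."""
    return [(off, b) for off, b in iter_blocks(image) if block_hash(b) not in known]


def demo() -> dict:
    """Constructed scenario: eight distinct 'firmware' blocks form the baseline;
    the seized image has one block overwritten with a contact record and one
    block wiped to zeros."""
    stock = b"".join(bytes([65 + i]) * BLOCK_SIZE for i in range(8))   # blocks 'AAA...' to 'HHH...'
    baseline = baseline_hashes(stock)

    record = b"Alice;+37060000000;2017-03-28\x00"                      # constructed record
    seized = bytearray(stock)
    seized[3 * BLOCK_SIZE:3 * BLOCK_SIZE + len(record)] = record
    seized[5 * BLOCK_SIZE:6 * BLOCK_SIZE] = ZERO_BLOCK
    seized = bytes(seized)

    unknown = differential_acquire(seized, baseline)
    remaining = remove_known_data(seized, baseline)
    return {
        "blocks_total": len(seized) // BLOCK_SIZE,
        "offsets_sent": sorted(unknown),
        "bytes_sent": sum(len(b) for b in unknown.values()),
        "offsets_for_inference": [off for off, _ in remaining],
    }


if __name__ == "__main__":
    print(demo())
```

Only the one modified block is transferred, while the zeroed block is still handed to inference, because "not in the baseline" and "all zeros" are different questions. A digest collision here means a block is silently never acquired, which is why the digest choice is a soundness decision and not only a performance one.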

5. Triage Tools
We only review the tools that are presented in research papers. Such tools are usually not commercial.
Roussev and Quates [12] assume that digital triage is conducted in the laboratory environment. The purpose of digital triage is to identify the most relevant artifacts. Speed and reliability are critical for digital triage; these requirements are imperative for building triage tools. The authors demonstrate the use of the tools sdhash and sdhash-dd to generate similarity digests for the purposes of digital triage. The first tool, sdhash, is an open-source tool [48]. The similarity digests are intended to solve the two following problems of content correlation: resemblance and containment. The overall process is quite simple: the similarity digests are generated for all targets and all queries, and the queries are then systematically applied to the targets. The resemblance of data is detected at the bitstream level, and parsing or understanding of the data being processed is not necessary. For the experiment, the authors use 1.5 TB of raw data consisting of many disk images, RAM snapshots, network captures, and four Universal Serial Bus (USB) devices. The investigation of Windows machines is carried out and three cases are investigated. It takes 180 min to generate the similarity digests. The total triage time for the investigated cases is 110 min, plus an extra 90 min for the additional file hashing to prepare the similarity digests of the targets. As we see, the preparation for the triage takes significantly more time than the triage itself. However, digest formation can proceed in parallel with the acquisition process. The problem of the method is to have the identified targets as informative as possible, since the method is based on content resemblance and containment.
Cantrell and Dampier [9] present the implementation of the automated phases in the partially automated digital triage process model [13]. The implementation is carried out on the basis of a series of scripts comprised of original and open-source tools written in Perl. The Linux distribution CAINE [49] installed on a USB drive is chosen as the development and testing environment in order to provide some form of boot media and to incorporate full on-site capability. The Windows registry is obtained by using the open-source tool RegRipper [50]. The final report is provided in the form of HyperText Markup Language (HTML) pages. The tool is implemented to search the Web browser history for Internet Explorer only. The initial testing is done on a series of 300 GB drives. The run times are not provided.
Lim et al. [51] introduce a Live Data Forensic System (LDFS) designed to collect and analyze live data on Microsoft Windows-based systems. LDFS consists of two separate tools, LDFS collection and LDFS analysis. The LDFS collection system gathers volatile and non-volatile data such as: memory dump, page file, web browser artifacts, instant messaging clients, Windows Registry, and filesystem metadata. The distinctive feature of the LDFS collection system is that it can decode the encoded chat logs of the BuddyBuddy, Yahoo, and MissLee messenger clients. The physical memory dump and the dump of all active processes are performed by means of third-party applications. These applications are chosen so as to make the least changes to the investigated system. The XML collection report holds all the collected items with their MD5 and Secure Hash Algorithm 1 (SHA-1) hash values. The LDFS collection system is tested against five different versions of the Windows OS (Microsoft, Redmond, WA, USA). Several experiments are conducted to test the performance of the system. The largest collection time does not exceed 49 min. The LDFS analysis module has the capabilities for analyzing all the collected data; however, it has not been fully implemented yet. Lim et al. [51] argue that the input data and its trustworthiness are of paramount importance in live forensic analysis. However, it is not clear whether any defense against subversion of the collection process is implemented in the LDFS collection system.
Casey et al. [52] discuss the need for and possibilities of honing the digital forensic processes to obtain timely results. Many tasks in the forensic processes are not resource limited, and rethinking the overall organization of the forensic processes can assure greater improvements than considering the tasks separately. Therefore, improving the complete forensic process is oriented towards two areas, namely, dismantling the barriers between the tasks of the forensic process and providing useful information to support the key decisions. The efforts discussed in the paper focus on processing data from three primary sources: (i) filesystems, (ii) malware, and (iii) network traffic. Many triage tools analyze the filesystems. The analysis reveals that the main bottleneck in this process is the disk Input/Output (I/O) speed. Using the results of the analysis, Casey et al. [52] provide the following guidelines for triage or forensic data extraction tools to improve efficiency:
1. A tool can simultaneously deliver data into multiple extraction operations and create the forensic duplicate
2. A tool can store extracted information in both the XML format and an SQLite database
3. A tool should provide a user-friendly interface to facilitate the viewing, sorting, and classification of files
Additionally, tool developers have to consult their customers about each step of the development. For malware, the main suggestion is that the tool should first determine whether the file has been seen before. Next, the automatic malware processing tool developed by the Defense Cyber Crime Center (DC3) is presented as an illustrative example. However, no suggestions are provided for network traffic tools. The suite of tools PCAPFAST, developed by DC3, is provided as the example of the right network traffic tool.
Garfinkel [45] extends the research work presented by Garfinkel et al. [53] and introduces a forensic tool, bulk_extractor, devoted to the initial part of an investigation. bulk_extractor is based on the analysis of bulk data. It scans raw disk images or any data dump for useful patterns (e-mail addresses, credit card numbers, Internet Protocol (IP) addresses, etc.). It uses multiple scanners tailored to certain patterns, and heuristics to reduce false positive results and noise. The identified patterns are stored in feature files. When processing is complete, bulk_extractor creates a feature histogram for each feature file. To improve the speed of processing, bulk_extractor takes advantage of the available multi-core capabilities. It detects and decompresses compressed data. A lot of attention is devoted to the decompression of data. This feature is not usual for triage tools, because it consumes a lot of processing time. However, the feature is very useful for a forensic tool. The performance of bulk_extractor is compared to the commercial tool EnCase. The results indicate that bulk_extractor extracts e-mail addresses from a 42 GB forensic disk image 10 times faster than EnCase, taking 44 min. The processing time of bulk_extractor is between 1 and 8 h per piece of media, depending on the size and complexity of the subject data. This processing time does not meet the triage requirements. bulk_extractor is successfully applied to 250 GB hard disk drives in two real cases. The processing time is 2.5 h for the first case and 2 h for the second. In general, bulk_extractor is nice to have; however, it is not a triage tool.
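To make the bulk-data approach concrete, the following Python example, added here and not bulk_extractor's own code, applies the same pattern on a small scale: regex scanners run over a raw buffer with no filesystem parsing, a Luhn check and an octet-range check serve as the false-positive heuristics, each scanner fills its own feature list with a forensic path in the style bulk_extractor uses (an offset, or offset-GZIP-offset for content found inside a decompressed gzip member), and a histogram is built per feature file once the scan completes. The sample buffer, the scanner set and the path format are constructed for illustration.

```python
"""bulk_extractor-style bulk scanning over raw bytes (added illustration).

No filesystem is parsed: the buffer may be a disk image, a memory dump or
a packet capture. Each scanner is a pattern plus a false-positive
heuristic; hits are recorded per scanner ('feature file') with a forensic
path, and a histogram is built per feature file at the end. Gzip members
found in the buffer are decompressed and scanned recursively, with the
path extended as "<offset>-GZIP-<offset>".
"""
import gzip
import re
import zlib
from collections import Counter
from typing import Dict, List, Optional, Tuple

Feature = Tuple[str, str]          # (forensic path, feature text)

SCANNERS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ip":    re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
    "ccn":   re.compile(rb"(?<!\d)(?:\d[ -]?){13,19}(?!\d)"),
}
GZIP_MAGIC = re.compile(rb"\x1f\x8b\x08")
MAX_DEPTH = 2                      # recursion limit for nested compressed data


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the usual heuristic against random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def accept(name: str, text: str) -> Optional[str]:
    """Apply the scanner's false-positive heuristic; return cleaned text or None."""
    if name == "ip":
        return text if all(int(o) <= 255 for o in text.split(".")) else None
    if name == "ccn":
        digits = re.sub(r"[ -]", "", text)
        return digits if 13 <= len(digits) <= 19 and luhn_ok(digits) else None
    return text


def scan_buffer(buf: bytes, prefix: str = "", depth: int = 0) -> Dict[str, List[Feature]]:
    features: Dict[str, List[Feature]] = {name: [] for name in SCANNERS}
    for name, rx in SCANNERS.items():
        for m in rx.finditer(buf):
            cleaned = accept(name, m.group(0).decode("ascii", "replace"))
            if cleaned is not None:
                features[name].append((f"{prefix}{m.start()}", cleaned))
    if depth < MAX_DEPTH:
        for m in GZIP_MAGIC.finditer(buf):
            try:
                inner = zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(buf[m.start():])
            except zlib.error:
                continue                   # magic bytes that were not a gzip member
            if not inner:
                continue
            sub = scan_buffer(inner, prefix=f"{prefix}{m.start()}-GZIP-", depth=depth + 1)
            for name, feats in sub.items():
                features[name].extend(feats)
    return features


def feature_histograms(features: Dict[str, List[Feature]]) -> Dict[str, Counter]:
    """One histogram per feature file, built once processing is complete."""
    return {name: Counter(text for _, text in feats) for name, feats in features.items()}


def build_sample() -> bytes:
    """Constructed 'raw image' fragment: slack, a mail header, a config line,
    a digit run that fails Luhn, and a gzip member hiding another e-mail
    address and a valid (test) card number."""
    hidden = gzip.compress(b"contact: eve@example.net; card 4111 1111 1111 1111 ends\n", mtime=0)
    return (b"\x00" * 64
            + b"From: alice@example.org\n" + b"\x00" * 10
            + b"server 192.168.1.10 port 443; bogus 999.1.1.1\n"
            + b"order 1234567812345678 (fails luhn)\n"
            + hidden + b"\xff" * 32)


def run() -> Dict[str, Counter]:
    return feature_histograms(scan_buffer(build_sample()))


if __name__ == "__main__":
    for name, hist in run().items():
        print(name, dict(hist))
```

The histogram is what makes the output triage-friendly: a single address recurring hundreds of times across a disk says more than a flat list of offsets, and the forensic path still lets the examiner return to each occurrence, including those that only exist inside compressed data.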
Koopmans and James [11] introduce an automated network triage (ANT) solution designed for a client-server environment. The purpose of the solution is to sort the analyzed systems by their likely relevance to the investigated case. ANT is developed on the basis of the Preboot eXecution Environment (PXE) protocol and is composed of a network server that runs various services, and the clients, which are the systems to be analyzed, in a physically isolated network. The ANT server boots a suspected computer via the network. The authors provide many technical details that explain the specific steps: what software to use and how to boot the seized computers. The interface is developed in the PHP programming language. The data for triage are as follows:
1. A list of keywords to search for
2. A list of preferred file names or extensions
3. A list of preferred directories
4. A hash database that contains the hashes of files of interest
5. A hash database index file
Three real cases, in which the likelihood that the suspect computers actually posed a threat had to be assessed, are investigated very successfully; the run times of the three cases are within 10 min. The run times are very short; however, it is not clear why they are so short, and an explanation is not provided. Moreover, Horsman et al. [10] state that hashing and keyword searching approaches can limit the effectiveness of digital triage because they are too restrictive. The limitations of the ANT solution are the following: there is no possibility to boot from an external source, and encrypted data cannot be analysed.
Moser and Cohen [1] discuss the use of triage in quite a different context than traditional criminal case investigation: incident response. The authors consider the use of the GRR Rapid Response (GRR) system. It is an agent-based, open-source, distributed enterprise forensics system. Moser and Cohen [1] overview the components of the GRR system. A more detailed description of the GRR system is available elsewhere [54]. This method lowers the total time cost of triage analysis by distributing the task to the system agents. The main attention is directed towards the reliability of agents. Constant monitoring of used resources, memory and central processing unit (CPU), ensures the reliability of agents. The investigation consists of three phases: planning, collection, and analysis. The experiment is carried out on many corporate workstations and laptops. The GRR agents are installed on these computers. The goal of the experiment is to examine representative cases of a typical enterprise investigation performed by an incident response team. Four cases are analyzed. The majority of agents pick up artifacts in the first few minutes after the start. Nevertheless, GRR continues running for up to 24 h so that, if missing machines come back online later, the artifacts will still be detected. The case of the autorun key comparison required extensive manual analysis; therefore, improvement is necessary for such cases.
Shaw and Browne [15] argue that digital forensic triage has been conducted on an informal basis for several years. The authors introduce the concepts of administrative and technical triage. Administrative triage assesses the circumstances of a new case before starting an examination of the evidence. Shaw and Browne [15] discuss and summarize the weaknesses of digital triage. Enhanced previewing is suggested as an alternative to digital triage. The Linux forensic distribution CAINE [49] installed on a compact disc (CD) is chosen as a base for the implementation. The bootable CD is remastered to include the existing open-source forensic tools and to add new analysis software. A high-level overview of how the system works is presented. The possibilities to deploy enhanced previewing in the digital forensic laboratory are analyzed. The weaknesses of enhanced previewing are as follows: case management becomes more complicated, and the system is not suitable for field use at all. The authors doubt whether the Enhanced Previewing process is a subset of technical triage or whether it is a distinct process only loosely related to technical triage. We are inclined to state that enhanced previewing is not a subset of technical triage, because the processing time of enhanced previewing would be quite long. We base our conclusion on the provided description of the system.
Shiaeles et al. [55] review three open-source triage tools and suggest ways to improve them. The TriageIR, TR3Secure, and Kludge tools are tested on various Microsoft Windows versions. There is currently no mature framework for practically testing and evaluating triage tools; however, the authors do not propose a framework and evaluate the tools in the best way they could devise. The first principle to assess is access to volatile data. The next principle to assess is the adherence of tools to forensic principles ensuring the admissibility of the collected evidence in court. An experiment shows that no single considered tool is better than the others. All the tools have their strengths and weaknesses. The solution is preferably to have several tools and maintain a profile of the tool capabilities. The recommendations for improving the tools are as follows:
1. The tools should be made more adaptable, either dynamically or manually
2. Disabling Prefetch on Windows systems will result in fewer system alterations
3. The tools should record and undo all registry changes they make to the examined system
4. The tools should collect the Internet activity artifacts that belong to all known browsers
Woods et al. [56] present open-source software for automated analysis and visualization of disk images created as part of the BitCurator project [57]. The goal of the presented software is to assist in triage tasks. The data for analysis is obtained from the open-source forensic tools fiwalk [58] and bulk_extractor [45]. The fiwalk tool recognizes and interprets the content of filesystems contained in disk images, and produces an XML report. The bulk_extractor tool reads the raw contents of the disk image and reports on various features. The BitCurator reporting tools produce Portable Document Format (PDF) reports on the filesystem and for each feature separately. If the data sets are large, it is possible to configure the reporting tools to produce the report for a subset of the filesystem or a subset of features. The time required to process a given disk image with the forensic tools fiwalk and bulk_extractor is within the range of tens of minutes. The limiting factor in terms of time is the BitCurator reporting tools, which may have to process an extremely large XML filesystem report and text feature reports. The BitCurator project freely distributes these reporting tools in a variety of ways for practitioners and researchers to use.
Baggili et al. [59] present a five-phase, multi-threaded bootable tool, Forensics2020, for forensic triage. The tool is loaded from a bootable Windows Preinstallation Environment using a USB stick. The phases proceed in sequence; however, while the tool is working, the examiner can interact with the tool to see the results up to that point and to request certain types of data. The first phase collects logical files and their metadata. The second phase analyses every image for Exchangeable Image File Format (EXIF) data. The third phase explores and classifies each file based on its header. The fourth phase parses executable files for audit and threat purposes. The fifth phase hashes each file and takes the longest time of all the phases. The experiment is carried out to assess the efficacy and the forensic soundness of Forensics2020. In total, 26.33 TB of data from 57 computers are analyzed. The total time required to complete the process is 10,356 s. The tool makes certain changes to the hard drive, and these changes are greater in number than those made by similar Linux-based tools. Two lessons can be learned from the development of Forensics2020. Firstly, a multi-threaded, multi-stage tool allows the examiner to interact with the evidence while the system is performing the forensic processing. Secondly, the mounting of the hard drive by a bootable tool influences the perception of forensic soundness.
Haggerty et al. [60] propose an approach to automate the visualization of quantitative and qualitative e-mail data to assist the triage of digital evidence during a forensic investigation. The quantitative information, which is retrieved from the e-mail, refers to network events and actor relationships. The qualitative information refers to the bodies of the e-mails themselves. The authors have developed the TagSNet software to implement the proposed approach. The software provides two views: a network of the actors and a tag view of keywords found in the e-mail bodies. Both views are interactive in that the forensic examiner may move the actors and text around. The experiment is carried out on the Enron e-mail data. The average time to process and visualize e-mail data is about 10 min. However, the visualization is not aimed at answering the investigative questions; it only aids the forensic examiner to triage e-mail data more quickly than in manual mode.
Vidas et al. [61] describe a free forensic tool, OpenLV, which can be deployed in the field and in the laboratory. It is noteworthy that over the past years it has been used under the name LiveView. The interface of the tool is oriented to examiners with little training. OpenLV asks for a configuration and creates a virtual machine out of a forensic image or physical disk. The virtual machine enables booting up the image and gaining an interactive environment without modifying the underlying image. The tool natively supports only the dd/raw image format. Other formats require third-party software that can be integrated into the tool, which is Windows-centric, with limited Linux support added. Additionally, OpenLV helps to remove the barrier of passwords for Windows users. The authors claim that OpenLV aims to meet the demand for an easy-to-use triage tool; however, neither an example nor a reference is provided for how OpenLV is used for triage purposes.
Conway et al. [62] discuss the development of a Virtual Crime Scene Simulator (VCSS) that can perform live triage of digital devices. Training is important for law enforcement officers; therefore, the tool will have a field of application. VCSS is an open-source project, and it is implemented as a game, with Unity3D [63] chosen as the base platform. The virtual environment includes a three-dimensional (3D) representation of a house with four rooms, a hallway, and outside scenery. The crime scene has the following items: furniture, various hardware devices, and an avatar for interrogation. The following in-game actions are possible: live examination of the various digital devices, interrogation of the avatar, and other actions related to the crime scene. Full device interaction is implemented in the Windows version only. The trainer can add new logic by modifying the existing JavaScript. Law enforcement officers from a developing country used VCSS for training. The participants rated the educational value of the application highly.
Hegarty and Haggerty [64] present the SlackStick approach to identify files of interest for the forensic examiner on a live system. The approach is based on signatures of the files. To create the signature of a file, a block within the original file is chosen, which may be from anywhere within the file except for the first and the last blocks. Several predetermined bytes are chosen to represent the file. The number of bytes can be chosen by balancing the trade-off between false positives and false negatives. A higher number of bytes decreases the likelihood of false positives. The SlackStick software, written in Python under the Slax operating system, runs from an external device. SlackStick reads the memory blocks on the target machine sequentially to generate block signatures for comparison with the signature library. If a match is found, a report that includes the matched signature and the physical location of the file in the storage media is generated. The authors conducted an experiment in which it took about a dozen seconds to analyze a 1 GB partition holding 2194 JPEG images. Signatures are generated by selecting 11 bytes within the second block of each target file. Neither false positives nor false negatives are found. As the number of signatures increases, no measurable impact on performance is observed.
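The following Python example, added here and not the authors' SlackStick code, reproduces the signature scheme just described: 11 bytes at fixed positions within the second 512-byte block of each target file form its signature, and the scanner walks a storage image block by block, looking each block's signature up in the library. The block size, the byte positions, the random target files and the image layout are constructed assumptions, and the scan assumes files are stored block-aligned and contiguously, which is what allows a hit to be mapped back to the start of the file.

```python
"""SlackStick-style partial-block signatures (added illustration).

A target file is represented not by a whole-file hash but by a few bytes
taken at fixed positions within one chosen block, the second block here,
as in the experiment described above. The scanner reads a storage image
block by block, derives the same bytes from each block and looks them up
in the signature library, so a file is found wherever its second block
lies, with no filesystem parsing.
"""
import random
from typing import Dict, List, Optional, Tuple

BLOCK = 512                       # assumption: block size of the scanned media
SIG_BLOCK = 1                     # index of the block used for the signature (second block)
N_BYTES = 11                      # bytes per signature, as in the paper's experiment
# fixed positions inside the block; spreading them evenly is an assumption, not the paper's choice
POSITIONS = tuple(i * BLOCK // N_BYTES for i in range(N_BYTES))


def block_signature(block: bytes) -> Optional[bytes]:
    if len(block) < BLOCK:
        return None
    return bytes(block[p] for p in POSITIONS)


def file_signature(data: bytes) -> Optional[bytes]:
    """Signature of a target file. Files shorter than three blocks have no
    block that is neither first nor last and are skipped."""
    if len(data) < 3 * BLOCK:
        return None
    start = SIG_BLOCK * BLOCK
    return block_signature(data[start:start + BLOCK])


def build_library(targets: Dict[str, bytes]) -> Dict[bytes, str]:
    library: Dict[bytes, str] = {}
    for name, data in targets.items():
        sig = file_signature(data)
        if sig is not None:
            library[sig] = name
    return library


def scan_image(image: bytes, library: Dict[bytes, str]) -> List[Tuple[int, str]]:
    """Sequential block scan; each hit is (offset of the matching block, file name)."""
    hits: List[Tuple[int, str]] = []
    for off in range(0, len(image) - BLOCK + 1, BLOCK):
        sig = block_signature(image[off:off + BLOCK])
        if sig in library:
            hits.append((off, library[sig]))
    return hits


def file_start(hit_offset: int) -> int:
    """Physical start of the file, assuming block-aligned, contiguous storage."""
    return hit_offset - SIG_BLOCK * BLOCK


def demo() -> dict:
    rng = random.Random(7)                      # deterministic constructed content

    def rand_blocks(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n * BLOCK))

    notable = {"a.jpg": rand_blocks(3), "b.jpg": rand_blocks(4)}   # constructed targets
    benign = rand_blocks(3)                                         # unrelated file
    library = build_library(notable)
    filler = b"\x00" * BLOCK
    # constructed layout: a.jpg at blocks 4-6, benign at 11-13, b.jpg at 14-17
    image = b"".join([filler] * 4 + [notable["a.jpg"]] + [filler] * 4
                     + [benign] + [notable["b.jpg"]] + [filler] * 2)
    hits = scan_image(image, library)
    return {"hits": hits,
            "file_starts": [file_start(off) for off, _ in hits],
            "signature_bytes": len(next(iter(library)))}


if __name__ == "__main__":
    print(demo())
```

Because the signature is a lookup in a dictionary keyed by the 11 bytes, the cost per block does not grow with the size of the library, which matches the observation above that adding signatures has no measurable effect on performance. The price is paid in false positives: with N_BYTES set lower, unrelated blocks collide with library entries more often, which is the trade-off the authors describe.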
Further, van Beek et al. [66] introduce the development of the distributed digital forensic system HANSKEN [67], which is the successor of the operational digital forensic system XIRAF [68]. The goal of HANSKEN is to speed up computations on big data. The three forensic drivers for the system are as follows: minimization of the case lead time, maximization of the trace coverage, and specialization of the people involved. These drivers justify building the distributed big data forensic platform. To mitigate the threats associated with a big data platform, the development of HANSKEN is based on eight design principles. They are enumerated in order of priority: 1. Security, 2. Privacy, 3. Transparency, 4. Multi-tenancy, 5. Future proof, 6. Data retention, 7. Reliability, and 8. High availability. The first three principles are sociological, while the other five are business principles and define the system boundaries. The system uses its own forensic image format. The authors justify the need for its own format; however, it could be a limitation of the system, especially for future development. HANSKEN stores the data compressed and encrypted. The encryption of data ensures restricted access to it. The process of extracting data from a forensic image starts as soon as the first bits of the image are uploaded to the system. Such an approach acknowledges the right organization of the forensic processes to improve the efficiency of the forensic investigation. The authors admit that triage is a valuable approach for ordering the processing of images, not for leaving images unprocessed. Such a form of triage is planned to be included in HANSKEN. The system is implemented on the Hadoop realization of MapReduce. HANSKEN was planned to be put into production at the end of 2015.
Koven et al. [69] further explore and develop the idea of e-mail data visualization [60]. The authors present a visual e-mail search tool, InVEST. Firstly, the tool preprocesses the e-mail data to create indexes for various e-mail fields. Duplicate information and junk data are excluded from indexing. Next, the user starts the search process with defined keywords. The search results are presented in five different visual views. The visual views enable better understanding and interpretation of the search results as well as finding the relationships between the search entities. The diverse views show different relationships between search entities and present the contextual information found within these results. All the views support refining the search results by filtering and expanding. The process of filtering and expanding is iterative until the search is successful. An experiment is carried out on the Enron e-mail data set. Two case studies are successfully investigated. Koven et al. [69] use the term triage in the title of the paper. The term triage is used in the sense of a tool which allows selecting, from the whole e-mail set, a subset of the e-mails that are related to a particular subject. However, the time spent on selection can be quite long. The process of selecting the subset of e-mails is interactive, heavily involving the user. The authors present an example in which the time to make the discovery and exploration, including the skimming of at least 30 of the discovered e-mails, was approximately 1 h. Therefore, the use of the tool in the triage process is quite unlikely, unless the data captured are only in the form of e-mail.

6. Lessons Learned from the Review
To summarize the field of live triage, the noteworthy research focuses are as follows:
1. The emphasis on real-time computation under the limited time and resources allotted for triage, presented by Roussev et al. [7]. The idea is that an increase in performance can be achieved if acquisition and processing start and complete at almost the same time. The implementation of the forensic system HANSKEN [66] proves the appropriateness of the presented idea
2. The selective imaging approaches to reduce data volume, presented by Grier and Richard III [22] and Quick and Choo [31,32]. The difference between the approaches is in selecting the regions that have forensic value. Grier and Richard III [22] state that the profiles must be created and stored in a library. Moreover, Quick and Choo [32] suggest the idea of thumbnailing video, movie, and picture files
3. The introduction of triage template pipelines into the investigative process for the most popular types of digital crimes, presented by Overill et al. [20]. However, the authors do not enumerate these types of crimes and provide only the DDoS and P2P template diagrams without discussing the details
4. The artificial intelligence approaches presented by Turnbull and Randhawa [26] and Peersman et al. [29]. Turnbull and Randhawa [26] describe an approach to assist a less technically proficient user in running a triage tool. Peersman et al. [29] present an approach to automatically label new child sexual abuse media
To summarize the field of post-mortem triage, the noteworthy research focuses are as follows:
1. Storing and using the knowledge of past cases, presented by Horsman et al. [10,37] and Bashir and Khan [39]
2. The use of machine learning techniques, presented by Marturana and Tacconi [33–35], McClelland and Marturana [36], and Fahdi et al. [41]. The trend is promising because such techniques are indeed valuable in many research areas; however, the presented research works are immature
To summarize the field of triage of mobile devices, there is only a single noteworthy research achievement:
1. The information recovery engine DEC0DE, offered by Walls et al. [43], and the information prioritization system LIFTR, which uses the data obtained from DEC0DE, offered by Varma et al. [44]
To summarize the field of triage tools, the noteworthy research achievements are as follows:
1. The method of similarity digests, offered by Roussev and Quates [12]
2. The online GRR Rapid Response system used for incident response, offered by Moser and Cohen [1]
3. The multi-threaded bootable tool Forensics2020, which allows interaction of the examiner while the tool is processing data, offered by Baggili et al. [59]
4. The visualization of e-mail data offered by Haggerty et al. [60]. Koven et al. [69] presented an approach to e-mail data visualization as well. However, the provided run times are quite long and, therefore, the tool is not suitable for triage purposes
5. The SlackStick approach to identify the files of interest, where several predetermined bytes are chosen to represent the file, offered by Hegarty and Haggerty [64]
6. The distributed digital forensic system HANSKEN that works on a big data platform, offered by van Beek et al. [66].

7. Conclusions and Future Directions
The evolution of modern digital devices is outpacing the scalability and effectiveness of digital forensic techniques. Digital triage is one of the solutions to this problem, as it can extract intelligence quickly at the crime scene and provide valuable information to the forensic examiner. This form of triage is known as live triage. In a similar way, such a methodology can be used in a laboratory to prioritize the analysis of digital media and to alleviate the examination backlog. This form of triage is known as post-mortem triage. The term forensic should be used carefully with digital triage, because the process of digital triage does not always adhere to the rules of the forensic process. Moreover, the legitimacy of the process depends on the legal system of a specific country. Therefore, the digital triage model must be adjusted individually according to the legal system of a specific country. Live triage raises important legal concerns. Sometimes, the process of digital triage in the forensic context is an admission of failure, since important evidence can be overlooked. However, a better approach does not exist today. To solve this problem, we have to consider digital triage as a technical process that provides information for the forensic examination and does not involve the evaluation of digital evidence.
To increase the performance of digital triage when a data cloning procedure is involved, data cloning and data processing should start and complete at almost the same time. Such an approach is advanced and it is applied in some forensic tools (for example, the digital forensic system HANSKEN). Moreover, it means that data processing should be as fast as data cloning.
The number of mobile devices is increasing quite rapidly. Digital triage of mobile devices is harder than that of desktop computers. It also appears that, due to the nature of mobile devices, many forensic procedures must inevitably involve live forensics, as the device needs to be powered on. To address this problem, more effective methods for live triage and tools for mobile devices are necessary.
High-level training is required of examiners in the field. It would be cost-effective to hire a less technically fluent specialist for such a job. One possibility to accomplish this is to alter the software to make it friendlier to less skilled technical examiners, or to construct specific tools that incorporate expert knowledge. The core concept of this approach is that expert systems can locate and interpret the low-level computing artefacts and provide higher-level concepts. Reducing the need to locate and interpret the low-level artefacts is a still less explored method for conducting digital triage.
Another direction of research in digital triage could be incorporating intelligent technologies, i.e., techniques from artificial intelligence, computational modelling, and/or social network analysis. Almost no research works on digital triage directed at the vast area of social networks are presented. Furthermore, the newly developing area of the Internet of Things is left almost without attention as well.
Large volumes of data are available for forensic examination. Since every desktop computer has several processors, the available resources can be applied to speed up the computations. Methods of parallel processing are already applied; however, only to a small extent so far.
Moreover, a challenging research direction is awaiting the researchers' attention. More precisely, it is the implementation of the algorithms in hardware, because hardware inherently performs computations faster than software.
Acknowledgments: We express gratitude to the anonymous reviewers for their valuable comments.

Conflicts of Interest: The authors declare no conflict of interest.


© 2017 by the authors. Submitted for possible open access publication under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
