Triage systems are used by police forces to decide which evidence from mobile phones and computers should be analysed

Efforts to speed up police digital forensic analysis must be more efficient, study shows

Efforts by police forces to speed up digital forensic analysis could lead to oversights in evidence gathering and interpretation, a new study warns.

Triage systems are used by police forces to decide which evidence from mobile phones and computers should be analysed. The aim is to address backlogs which delay investigations and court cases.

But new research shows staff and skills shortages can lead to confusion over triage procedures and what can be submitted for analysis, at what stage, as well as the time and resources needed to extract and interpret the data.

In the forces studied, the introduction of triage resulted in a substantial drop in the items sent to digital forensics laboratories, but the number of submissions of items to triage has remained high, and backlogs persist. The growing demand in the examination of mobile exhibits, particularly phones, has made triage processes more challenging.  

The research shows in these forces there continues to be gaps in the infrastructure required to provide officers with up-to-date digital knowledge for effective triage. Only a few of the large number of officers trained will use their skills, and even fewer will perform triage effectively. This creates a risk that officers may equate triage results with evidence that amounts to a guilty verdict.

In the forces examined, senior police officers have been responsible for the management of triage and its outcomes, while also holding full caseloads. This means that oversights can easily occur, which in turn impact on the time digital forensic examiners are required to spend sorting outstanding issues, such as assessing whether devices have been triaged correctly. This leads to bottlenecks in submissions to the digital forensic laboratories and subsequent delays in the processing of cases.

In recent months, in response to the escalating number of mobile devices seized, triage processes have been delegated to Crime Scene Examiners. As they are both forensic specialists and civilian personnel, the danger of losing triage expertise through officers’ lack of availability or capacity has diminished. The study recommends police forces increase investment in research and development and regularly evaluate the most effective ways of accomplishing triage.

Dr Dana Wilson-Kovacs, from the University of Exeter, who led the research, said: “Triage can address the increasing demand for digital devices to be examined, but police forces need to pay careful consideration to how they set it up and run it, the resources they allocate it, as well as the technological awareness of their officers”.

“Triage is often only accomplished because of the commitment of digital forensics practitioners and police officers, rather than a foresight of digital demand. Consequently, the triage process can be less efficient because of the amount of time dedicated to troubleshooting that relates to the prioritisation of exhibits relevant to a case”.

The data, published in the journal Policing, was collected between January 2017 and September 2019 through 120 hours of ethnographic observations of everyday activities - such as the handing in and processing of exhibits -  at four in-house digital forensics laboratories, and forty-three semi-structured interviews with digital forensics specialists and police staff.

Date: 1 June 2020

Read more University News