U.S. flag

An official website of the United States government, Department of Justice.

NCJRS Virtual Library

The Virtual Library houses over 235,000 criminal justice resources, including all known OJP works.
Click here to search the NCJRS Virtual Library

Investigation Delayed is Justice Denied: Proposals for Expediting Forensic Examinations of Digital Evidence

NCJ Number
229278
Journal
Journal of Forensic Sciences Volume: 54 Issue: 6 Dated: November 2009 Pages: 1353-1364
Author(s)
Eoghan Casey, M.A.; Monique Ferraro, J.D., M.S.; Lam Nguyen, M.Inf.Tech.
Date Published
November 2009
Length
12 pages
Annotation
This paper describes a three-level approach to forensic examinations that will enable digital forensics laboratories (DFLs) to produce useful results in a timely manner at various phases of an investigation, thus reducing the unnecessary expenditure of resources on less serious matters.
Abstract
The first phase of the forensic examination of digital evidence is the survey/triage forensic inspection. This involves a targeted review of all available media in order to determine which items contain the most useful evidence and require additional processing. The second level of the examination is the preliminary forensic examination. This involves a forensic examination of items identified during survey/triage as containing the most useful evidence, with the goal of quickly providing investigators with information that will aid them in conducting interviews and developing leads. The third level of the examination involves an indepth forensic examination. This consists of a comprehensive forensic examination of items that require more extensive investigation in order to gain a more complete understanding of the offense and address specific questions. These three levels of forensic examination extend existing process models for conducting digital investigations that promote the forensic duplication and indepth forensic examination of all media. In addition, this tiered strategy takes into account the Computer Forensics Field Triage Process Model for conducting triage forensic inspection in the field when investigators require immediate results. Each level of examination in the proposed procedure can be performed either in the field or in the laboratory, with DFLs making this decision based on the specific case and available resources. This tiered strategy for conducting forensic examinations is based on the fact that certain cases require significant time and resources; whereas, other cases can be expedited, saving valuable resources. 6 figures and 24 references