Digital Investigation 27 (2018) 1e2
Contents lists available at ScienceDirect
Digital Investigation
journal homepage: www.elsevier.com/locate/diin
The knowledge management gap in digital investigations
Digital investigations are straining under competing demands to
respond rapidly to the growth in cybercrime, to following method-
ical scientific practices, and to protect privacy. Mistakes in digital
investigations are gaining more attention, and raising criminal jus-
tice concerns particularly in the UK. A House of Lords inquiry is
assessing concerns about digital forensics, the Attorney General's
Office is addressing disclosure concerns related to digital forensics,
and the Forensic Science Regulator is advancing accreditation of
digital forensic service providers.
Many of the current problems in digital investigations boil down
to inadequate knowledge management. This is a complex chal-
lenge. There are multiple forms of interdependent knowledge to
be managed, including procedural, technical, investigative, scienti-
fic, linguistic, behavioral, crime analysis and forensic intelligence. In
addition, there are multiple knowledge producers and consumer,
including police, digital forensic specialists, criminal intelligence
analysts, attorneys, and judges. To cover all of these areas and
stakeholders there is a need for multiple knowledge management
strategies in combination.
Defining roles and responsibilities
Ten years ago, in the Journal of Forensic Sciences (Investigation
Delayed Is Justice Denied), we proposed a three-tiered approach to
conducting digital forensic examinations:
1. Survey ⁄ triage forensic inspection: Targeted review of all available
media to determine which items contain the most useful evi-
dence and require additional processing.
2. Preliminary forensic examination: Forensic examination of items
identified during survey⁄triage as containing the most useful
evidence, with the goal of quickly providing investigators with
information that will aide them in conducting interviews and
developing leads.
3. In-depth forensic examination: Comprehensive forensic exami-
nation of items that require more extensive investigation to gain
a more complete understanding of the offense and address
specific questions.
The focus of this strategy was to reduce backlogs in laboratories,
and did not specify the forensic requirements for each of the three
levels. Defining the level of knowledge and quality assurance
needed to perform each type of forensic examination helps clarify
many hotly debated issues relating to digital investigations. As I
stated in “Differentiating the phases of digital investigations” (Vol
19):
“This distinction can help reduce the risk of privacy violations by
clarifying that individuals who are only trained to perform technical
https://doi.org/10.1016/j.diin.2018.11.001
1742-2876/© 2018 Elsevier Ltd. All rights reserved.
processes should not go beyond their expertise and attempt to evaluate
digital evidence. This distinction can help international efforts to
improve digital investigations and forensic science by clarifying which
activities require the rigorous quality controls of a laboratory environ-
ment, and which do not. At an organizational level, evaluation of dig-
ital evidence can be integrated with existing forensic laboratories,
while technical processes can be kept separate to serve both investiga-
tive and forensic needs. Standards and guidelines that are being devel-
oped by ASTM and SWGDE could be organized to cover technical
processes and evidence evaluation distinctly. ENFSI has started down
this road with their guideline for evaluative reporting in forensic sci-
ence. Even when a single person is responsible for generating investi-
gative leads, handling crime scenes, and addressing probative
questions, conscious separation of each phase helps ensure that appro-
priate processes and oversight mechanisms are employed.”
This divide-and-conquer strategy raises some challenging ques-
tions about current digital forensic practices. Should survey ⁄ triage
forensic inspections be accredited under ISO 17025, or is a lesser
requirement more fitting? Should results of preliminary forensic
examinations performed by non-scientists be accepted as evidence
in court? Should non-scientists be permitted to perform in-depth
forensic examination?
Systematic knowledge reuse
It is not feasible for digital investigators to be familiar with, or
even aware of, every kind of digital trace. To avoid information be-
ing overlooked or misinterpreted, it is necessary to use a systematic
mechanism for capturing, codifying and reusing knowledge. The
Hansken system developed by the Netherlands Forensic Institute
and presented previously in this Journal is designed for this pur-
pose. New modules can be developed, tested, validated and added
to the system to extract information automatically and make it
available in all future digital investigations. An added advantage
of the Hansken system is that its data model is strongly aligned
with the evolving CASE standard. Hansken is geared towards case
investigations in The Netherlands, but the NFI is working on making
it widely available for casework, research and knowledge sharing.
Another forensic framework called Plaso (spawned from log2ti-
meline) developed by Google is open source and freely available,
and has a modular design. Currently, Plaso can extract kinds of dig-
ital traces from a variety of data sources, including mobile devices.
When there is a need to extract information from a new file format,
smartphone app, IoT device or other data source, customized plu-
gins or parsers can be developed, tested and added to the auto-
mated processing. Plaso has an export option directly to Elastic
for searching, filtering and correlating purposes. In addition, a plat-
form call TimeSketch has been developed to support investigative
2 E. Casey / Digital Investigation 27 (2018) 1e2
teams working on data extracted using Plaso. Recognizing the need
to handle large amounts of data, Google has developed a cloud-
based framework called Turbinia to distribute plaso processing.
Plaso has featured in DFRWS pre-conference workshops and Turbi-
nia was presented at DFRWS 2018.
In addition to enabling systematic knowledge codification, such
systems open opportunities for research and development of
advanced analysis techniques.
Community-developed knowledge curation
Early in my career as an information security officer in higher
education, I realized that existing computer security guidelines
and technical solutions did not address all of the needs of the com-
munity. To address the varying needs of institutions with different
resources and circumstances, I was retained by EDUCAUSE/
Internet2 to initiate a community developed knowledge resource
called the “Information Security Guide: Effective Practices and So-
lutions for Higher Education.” The guide is structured to serve the
needs of all types of higher education institutions, and is aligned
with multiple information security industry standards. After more
than a decade of community contributions, coordinated by a volun-
teer editorial board of information security and privacy practi-
tioners, this resource grew into an invaluable resource of
“practical approaches to creating higher education information se-
curity programs and preventing, detecting, and responding to in-
formation security problems in a wide range of higher education
environments.” This guide contains campus case studies, contrib-
uted by members of the community, describing how specific orga-
nizations address particular issues and solve specific problems, and
includes Incident Management and Response.
Knowledge exchange platforms exist specifically for digital in-
vestigations, including online forums and mailing lists. Effective
mechanisms for sharing digital forensic knowledge include confer-
ences and publications such as this Journal.
Forensic case coordinators
The weakest area of knowledge management in digital
investigation is forensic science, which is addressed by the OSAC
Technical Series 0002 document “A Framework for Harmonizing
Forensic Science Practices and Digital/Multimedia Evidence.”
Most digital investigators do not have formal forensic science
training, including formal scientific reasoning and probabilistic
evaluation of evidence. In addition, many digital investigators do
not know about limitations in forensic methods they use, or about
advanced capabilities that exist in digital forensic laboratories.
Other forensic disciplines have faced these same challenges, and
addressed the gap by creating a new role called a “forensic case
coordinator” to provide guidance and expertise throughout the
investigative process. For instance, forensic case coordinators
advise on which sources of evidence and forensic processes could
be most valuable for the case, and what questions to ask specialists
in the forensic science laboratory. The effectiveness of forensic case
coordinators depends on changes in culture, organization and edu-
cation which takes time.
Conclusions
A combination of knowledge management strategies are needed
in order to cultivate a criminal justice system that treats digital
traces effectively, has visibility across criminal activities, and ad-
dresses crime and security more strategically. The importance of
knowledge management in digital investigations is evident from
the many existing efforts to address this need. More coordination
across these efforts might strengthen their effectiveness, but at
least they exist. The more serious problem is the lack of forensic
case coordinators in digital investigations. It will take many years,
if not decades, to fill this gap. In the meantime, there will be unac-
ceptably high case backlogs, missed evidence, unscientific out-
comes, and miscarriages of justice.
Eoghan Casey, Editor in Chief
Digital Investigation