Extract from Justin Tolman’s article “Is the Push-Button Forensic Reckoning Coming?”
“The art of forensics is dying.”
Those of us who have taken the time to learn the ‘bits and bytes’ of forensics often get into our echo chambers and discuss the coming digital forensic apocalypse because the current meta prefers speed of button pushing over “knowing how it all works.” But, will that reckoning ever happen?
“I only look at pictures, videos, and chats.” How many resonate with this statement? Maybe none of the readers here, but it is a common sentiment from investigators I interact with at conferences, webinars, and meetings.
Back in 2010 I spoke with two officers who worked digital forensics in the US Army. They highlighted the main investigative difference between the Army and Law Enforcement: the Army only needed actionable intel. Does this approach in 2010 sound so different from any other exam today?
Caseloads and backlogs have led to a fire-and-forget process of portable cases, reader reports, or native exports being sent to out-of-lab reviewers who are tasked with finding “actionable intel”. These reviewers often have very little forensic experience and sometimes barely any computer knowledge.
While this may be alarming, if forensic examiners in the lab, and non-forensic reviewers with a portable case, can push a button and get the evidence necessary to appease the courts, secure a breach, or prevent litigation does ‘knowing how it all works’ matter? Prosecutors focus on evidence such as pictures, videos, and chats as they are often the most actionable sources of information.
