Concepts of automating forensic case management

The forensics community has expended considerable effort in the development of tools in support of digital investigation. The focus has been on the creation and development of tools to capture data for later forensic analysis, or to support forensic analysis in the searching and sorting of large volumes of data for information relating to specific system or specific user activities. There has been more limited effort and success on the development of tools to support case management and less still on the reporting and formatting of evidence for court. The most notable reporting tools being those incorporated into the more monolithic forensic suites used to export or present evidence from those tools. One issue is the wide range of possible requirements for forensic reports dictated by the needs of the case. These different requirements often result in a manual process being used to organize evidence in a consistent manner for review. For instance, each evidence item must be mapped to the correct custodian, with correct item size, correct hash, and correct time. Related attachments have to be created and crosschecked to ensure correct content and position in the report. In large commercial cases, the manual process can prove time consuming and increase the possibility for human error. Details may be retyped in which case best practice may require stringent quality controls including double-checking by additional personnel, increasing cost and effort. This paper reviews some of the current tools for reporting the results of forensic analysis. It outlines a lightweight approach based on the automated creation of folder structures and related a referencing methodology aimed at reducing the possibility of human error. This system, adopted commercially for organizing evidence potentially extracted from a number of different tools, enables multiple investigators to collate and consistently organize information for reporting and review.