iTnews

Finding digital fingerprints fast

By Juha Saarinen, iTnews on May 24, 2016 1:34PM

Data forensics in real time.

It's fast becoming the norm that criminal and civil investigations centre on data stored in digital devices used by individuals and businesses.

This may seem like a straightforward case of taking data from the devices and wading through it, but digital forensics present their own set of unusual and developing challenges, according to Dr Bradley Schatz.

Schatz has put 18 years of computing expertise and research into developing new methods to rapidly acquire relevant information for investigations.

He has developed the Advanced Forensics File Format (AFF4) - together with Simson Garfinkel of the US NIST and PyFLAG forensics and log analysis graphical UI developer Michael Cohen - as open source, and is pushing for the format to become the standard in forensic imaging.

According to Schatz - who is presenting at this week's AusCERT conference on the Gold Coast - the problem is that devices that store important data are now ubiquitous, and the amount of information on them is rising exponentially.

It means digital investigators are having to make choices about which ones to analyse, given the impractical amount of time it would take to acquire and analyse content on all available systems.

Schatz is called on as an independent expert in trials around Australia. He says data is often acquired under difficult circumstances, meaning digital investigators need to make decisions fast.

“Search warrants now involve numerous devices in the family home, and investigators need to quickly assess what contains relevant data and what doesn’t. Given their intrusiveness, they are high pressure environments,” Schatz told iTnews.

“At one warrant execution on a family home, the children were clearly distressed by the intrusion.

"While all involved were sensitive to this, the children needed to be moved to other carers, and family life was significantly impacted. We were there late into the night."

Adding to the time pressure, warrants and court orders contain time limits.

The current approach by investigators, according to Schatz, is to triage - to identify only the most important devices and leave the rest behind.

"[But] the problem with these approaches is that the investigator has limited ability to do continued analysis beyond their pre-programmed features. Their output is used to base the decision of seizing the device, or not seizing it," he said.

He argues that a better approach would be for analysts to use tools that have immediate visibility of the data to perform this triage, allowing the investigators to choose in real-time the devices that are relevant, making the entire process faster and more efficient.

“It’s not just about speedier imaging, but about not having to wait until imaging is done,” Schatz said.

"Being able to analyse while you image, and based on that analysis, and choosing to collect only the most important data."

Schatz says using a file system better suited for forensic work - specifically AFF4 - can accelerate this analysis.

The tool allows analysts to work with multiple streams of data of the same volume, with support for metadata, signatures and cryptography.

“Ultimately this will enable investigators to preserve more evidence, and of a higher quality,” Schatz argues.

“Widespread adoption of a forensic approach that preserves all evidence that the investigator uses to base their decisions on is a win for reproducibility and third party scrutiny, which is fundamental to forensics.”

Dr Schatz will present on AFF4 and his case for a new standard in forensic imaging at AusCERT's 2016 conference on the Gold Coast this week.

Copyright © iTnews.com.au . All rights reserved.