
DIGITAL FORENSIC LABORATORIES BUSINESS PROCESS MANAGEMENT

REDUCING BACKLOGS & TURNAROUND TIMES

ALISTER THORNTON MCVEIGH

Research proposal for

Masters of Science (Cyber Security and Forensic Computing)

School of Information Technology and Mathematical Sciences

University of South Australia


Digital Forensic Laboratories Business Process Management: Reducing Backlogs & Turnaround Times


Table of Contents

1 Research problem
  1.1 The problem
  1.2 Main question
  1.3 Sub questions
  1.4 Explanation of the main and sub questions
2 Literature review
  2.1 What is digital forensics?
  2.2 Background
  2.3 Significance
  2.4 Proposed solutions
  2.5 Research gap
  2.6 Business process management
3 Research methodology
  3.1 Validating digital forensic process models
  3.2 Applying business process management to digital forensics
  3.3 Structure
4 Research schedule
5 Proposed Table of Contents
6 References

Table of Figures

Figure 1 Number of cases and exhibits per case is rising each year, derived from Turnbull, Taylor & Blundell (2009)


List of Acronyms

CODIS: COmbined DNA Index System
CSF: Critical Success Factor
CSI: Crime Scene Investigation, a popular crime drama series which frequently showcases unrealistically instantaneous forensic analysis
DFL: Digital Forensic Laboratory
FTK: Forensic ToolKit, a forensic analysis tool developed by AccessData Corp.
Gb: Gigabyte, 1,073,741,824 bytes
HTML: Hyper Text Markup Language, file format for storing and transmitting web pages
JSON: JavaScript Object Notation, a common data storage format
LEA: Law Enforcement Agency
MSG: Message—file extension of an email stored as a plain text file
PST: Personal Storage file, used to store user data by Microsoft Outlook, including email messages
Tb: Terabyte, 1024 Gb
XML: eXtensible Markup Language, a common data storage format


1 Research problem

1.1 The problem

This research aims to develop solutions to the problems of long backlogs and turnaround times in digital forensic laboratories.

1.2 Main question

How can a digital forensic laboratory reduce its backlog and turnaround time through process improvement?

1.3 Sub questions

1. What criteria constitute efficiency and effectiveness for digital forensic laboratories?

2. What issues do digital forensic laboratories face that impact on their efficiency and effectiveness?

3. What is the effective framework in use in digital forensic laboratories, as derived from their as-is processes?

4. How can business process management techniques be applied to a digital forensic laboratory's processes to improve their efficiency and effectiveness?

1.4 Explanation of the main and sub questions

1.4.1 What criteria constitute efficiency and effectiveness for digital forensic laboratories?

This question will establish what criteria the digital forensic laboratory itself uses to determine whether it or its processes are efficient or effective. In order to determine whether or not a process has been improved, it is necessary to determine what the criteria are for measuring that change and what the goals of process improvement are, so that trade-offs can be balanced. As an example, a process might be considered to have improved efficiency if the cost to perform it was reduced with only a slight increase in the time required; however, if speed is the highest priority, then its efficiency would have been reduced.

Whether a process is effective is more difficult still to determine, as this is a question of what the goals and priorities are for the process. As a process may involve multiple participants who have different roles or are in different departments, opinions may vary on what the precise goal of the process is. These can vary as a result of the different objectives of individual participants and how extensive their knowledge of the entire process is.

The same process may also have different goals depending on when or at what stage in the broader process it is performed, what it is performed on, to whom the outputs are given and other factors.

The criteria for efficiency and effectiveness will be established through a survey and compared with those found in the literature review.


1.4.2 What issues do digital forensic laboratories face that impact on their efficiency and effectiveness?

This question will establish what the issues are that hinder a digital forensic laboratory from being efficient or effective, as defined by sub question 1. To determine whether process improvement can reduce the backlog or turnaround time, the issues that are in the process or affect the process need to be identified so that they can be resolved. Information for answering the question will be primarily sourced from the survey, with supporting information drawn from the literature review.

1.4.3 What is the effective framework in use in digital forensic laboratories, as derived from their as-is processes?

This question will establish what the current framework in the digital forensic laboratory is. It is necessary because, in order to conduct process improvement, the as-is state must be known first. Information will be gathered through process mapping, using the survey data.

1.4.4 How can business process management techniques be applied to a digital forensic laboratory's processes to improve their efficiency and effectiveness?

This question will establish in what ways business process management techniques can be used to improve the efficiency or effectiveness of a process, and therefore whether they can be used to reduce the backlog and turnaround time of the laboratory as a whole. An answer will be found by creating a new framework using business process management techniques. This will be a modification of the process determined by sub question 3 that resolves the issues identified by sub question 2.


2 Literature review

2.1 What is digital forensics?

Initially, digital forensics’ scope was limited to law enforcement investigation of crimes committed with or on computers; it has since expanded to include investigations, by both law enforcement and commercial firms, of any digital device that can be manipulated for criminal purposes or have evidence stored on it (Kohn, Eloff & Eloff 2013).

For the purposes of this research, digital forensics will be defined using Willassen and Mjølsnes’ (2005) definition of digital forensics as “the practice of scientifically derived and proven technical methods and tools towards the after-the-fact digital information derived from digital sources for the purpose of facilitating or furthering the reconstruction of events as forensic evidence” (Kohn, Eloff & Eloff 2013). This is a slight alteration to Palmer’s (2001) generally accepted definition that does not require digital forensic investigations always be criminal investigations, allowing it to be applied to other situations such as commercial investigations (Kohn, Eloff & Eloff 2013).

Under the definition, digital forensics’ primary purpose is to reconstruct the events to determine a root cause from analysis of digital media. This is done in such a way that the evidence produced would be admissible in court.

2.2 Background

2.2.1 Brief history

Digital forensics was first used during the 1970s, primarily for investigating financial fraud (Garfinkel, SL 2010; Kohn, Eloff & Eloff 2013). In its infancy, investigators had to contend with a considerable diversity of different hardware and file formats without the support of formal investigative processes, training or purpose-built software, and so had to adapt file recovery tools to their needs (Garfinkel, SL 2010). As storage capacities were quite small at this time, analysis was easier and perpetrators had to make heavy use of printouts, limiting the need for digital forensics (Garfinkel, SL 2010).

During the ‘Golden Age’ between 1999 and 2007, computing largely standardised on Microsoft Windows XP, a small number of relevant file formats and IDE hard drives for storage, which allowed digital forensic investigators to be competent while knowing very few systems (Garfinkel, SL 2010). This period coincided with a rapid uptake in computer use in society and an accompanying increase in evidence being stored on digital media, leading to a surge in digital forensic research, professionalisation, tool development and training programs, both professional and academic (Garfinkel, SL 2010; Overill, Silomon & Roscoe 2013; Turnbull, Taylor & Blundell 2009).


Much of the progress gained in the previous decade is becoming increasingly irrelevant as the computing landscape evolves, with Casey, Ferraro and Nguyen (2009), Garfinkel (2010) and Gogolin (2010) predicting a crisis for digital forensic laboratories in the near future. A number of factors have contributed to this state of affairs.

2.2.2 Issues in digital forensics

Digital forensics is different

Compared to other forensic evidence, digital evidence is very fragile, as it can be easily altered even just by observing it; examples include alteration of a file’s last modified or last accessed timestamps, automatic deletion of data on solid state drives by powering them on, and remote wipe of mobile devices (Bell & Boddington 2010; Cantrell et al. 2012; Gogolin & Jones 2010). Additionally, digital evidence is often not well understood or trusted by the courts, with judges and prosecution still having a limited understanding of technology (Gogolin & Jones 2010). Digital evidence’s fragility, lack of trust and a belief that not preserving all media will leave a case open to legal challenge have combined to overly prioritise evidence capture and preservation over analysis speed (Richard III & Roussev 2006). Together, this has resulted in extensive backlogs and long turnaround times, as substantial resources are wasted on preserving all media without pre-processing exhibits to determine their evidentiary value (Casey, Ferraro & Nguyen 2009; Gogolin & Jones 2010; Hunton 2010).

Increasing workload

Whereas previously only a single computer needed to be analysed for each case, now multiple exhibits per case are common, with SAPOL averaging 4.38 exhibits per case in 2007-08, while the number of cases per year is also rising (Figure 1) (Turnbull, Taylor & Blundell 2009).

Figure 1 Number of cases and exhibits per case is rising each year, derived from Turnbull, Taylor & Blundell (2009)

[Figure 1: two panels covering the financial years 1999/2000 to 2007/08. Left panel axes: "No. of Exhibits" (0 to 1800) and "Exhibits per Case" (0.00 to 5.00); right panel axes: "No. of Jobs" (0 to 450) and "Exhibits per Case" (0.00 to 5.00). The plotted values are not recoverable from the extracted text.]


This is exacerbated by the rising storage capacity of the exhibits, which has resulted in growth from an average of 84 Gb per case in 2003 to 559 Gb per case in 2011, according to the FBI’s annual reports (Roussev, Quates & Martell 2013). As digital forensic laboratories often duplicate media before analysis, and a 3 Tb hard disk can take more than 11 hours just to acquire, traditional frameworks for digital forensics are becoming infeasible as increasing data set sizes outstrip the capacity to analyse them in a timely fashion (Roussev, Quates & Martell 2013).

Increasing difficulty

Digital forensic investigators again have to deal with diverse combinations of hardware, operating systems and file formats (Garfinkel, S 2012). Previously, digital evidence was primarily located on a single desktop or notebook computer with a removable hard drive using a standard interface, for which there were well developed and reliable methods for preserving and analysing the evidence stored on it (Garfinkel, SL 2010). Now, evidence can also be found on many other devices, including mobile phones, tablets, GPS devices, game consoles, digital cameras, e-book readers and digital CCTV systems, many of which have proprietary or customised operating systems that may be designed to protect their intellectual property (Garfinkel, S 2012; Garfinkel, SL 2010; Gogolin 2010). As many of these exhibits employ non-removable storage or proprietary hardware interfaces, it is often infeasible to completely preserve the evidence, as the system must be powered on and/or modified to acquire the data (Garfinkel, SL 2010).

Investigators must also analyse many different file formats, including those from the millions of mobile applications available and those from web services such as Facebook and Google, which often change the structures of their JSON and XML files (Garfinkel, S 2012; Garfinkel, SL 2010). Dealing with this requires regular retraining; however, limited resources and time pressures mean this is not often achieved (Gogolin & Jones 2010).

Issues impeding analysis

In addition to the factors making it more difficult for investigators to analyse evidence, there are issues preventing analysis altogether. Effective encryption is becoming easy to use and pervasive, with built-in support in many operating systems including Windows, OS X, iOS and Android preventing investigators from accessing data (Cantrell et al. 2012; Garfinkel, SL 2010). Data may not even be stored on the system, but in the cloud, preventing analysis or even identification (Garfinkel, SL 2010). The potential existence of malware on the defendant’s system may require a time-consuming, in-depth forensic examination to determine whether or not the evidence was created by a remote attacker (Casey, Ferraro & Nguyen 2009). The ‘CSI effect’ is also contributing to giving courts unrealistically high expectations of forensic investigators’ capabilities, as these shows give the impression that the work is easy, fast, error-free and able to easily overcome such obstacles as encryption and overwritten data, all of which is quite a departure from reality (Garfinkel, S 2012).


Forensic tools

Although the now industry-standard forensic analysis tools developed during the ‘Golden Age’, such as EnCase and FTK, were suitable to the workloads of the time, they are now rapidly becoming outdated (Ayers 2009; Garfinkel, SL 2010). These tools are designed to run on a single workstation and, while FTK can store its database on a second system and EnCase can manage multiple workstations’ process jobs, no court-tested tool can use multiple workstations in parallel to analyse a single job (grid computing) (Ayers 2009). With device capacities increasing every year, current forensic tools are not able to analyse the required data volumes quickly enough (Clayton 2012; Gogolin 2010; Roussev, Quates & Martell 2013).

Other issues that have been identified with current tools include a lack of reliability, auditability, ability to repeat results or capability to automate tasks (Ayers 2009). Even if they could be improved, it has been suggested that the fundamentally file-based architecture of current tools may be insufficient, as the tools should be focused on finding relevant evidence, not relevant files; for example, emails may be stored as an MSG file, HTML page, in a PST archive or a ZIP archive but should all be presented in the same format and location to the investigator regardless of the original storage format (Ayers 2009).

2.3 Significance

The issues described above are significant due to the impact they have on digital forensic laboratories’ ability to process cases in a timely fashion, which impacts on the justice system as a whole: investigations are held up, opportunities to apprehend are lost, criminals are able to remain at liberty and perpetrate further crimes, and digital evidence is only available for serious cases due to limited forensic resources (Casey, Ferraro & Nguyen 2009; Gogolin & Jones 2010; Kobus et al. 2011). Additionally, defendants may suffer damage to their reputation while awaiting trial and are without their property while it is held as evidence; for example, it was 12 months before a teacher accused of accessing pornography during class was cleared of the charge (Casey, Ferraro & Nguyen 2009).

2.4 Proposed solutions

Richard (2006) calls for faster, automated analysis tools that exploit distributed processing. Parsonage (2009) calls for better prioritisation of exhibits using triage tools. Hunton (2010) proposes a framework that integrates digital forensics with the broader investigative process to allow both to be conducted in parallel and create an information feedback loop. Mislan, Casey & Kessler (2010) call for better mobile analysis tools that are optimised for on-scene use. Cantrell et al. (2012) advocate for triage analysis tools to be used early in the digital forensic process to reduce the amount of resource-intensive collection and duplication required. Jones, Pleno & Wilkinson (2012) propose a process for sampling evidence for illegal images to expedite the analysis process and reduce exposure to disturbing material.


2.5 Research gap

The proposed solutions largely focus on analysis tools that either perform faster or are better suited to current analysis and investigation needs, are focused on specific crime types, or are not applicable to smaller DFLs, as in the case of Hunton (2010). None of these solutions looks at process improvements beyond the changes needed to implement their solution, or they focus on only one aspect of the overall process, as Parsonage’s (2009) does. While these can improve parts of the process, research is needed to improve the process as a whole to make significant headway in resolving the backlog and turnaround time problems. Looking only at individual aspects of the process can achieve only limited improvements, although those may be used as part of improving the whole.

Current frameworks are reactive—they try to definitively describe what digital forensics is, which keeps changing as the field is relatively new. They are largely not proactive, prescribing how digital forensics should be performed, for a given reason or reasons.

As there is no widely accepted framework, best practices or processes, there is an opportunity to develop one (Cantrell et al. 2012; Chaikin 2006; Hunton 2010; James & Gladyshev 2013; Kohn, Eloff & Eloff 2013; Selamat, Yusof & Sahib 2008). Although there are many published frameworks, these have been developed with the goal of reactively describing the digital forensic investigation process more accurately as this new forensic field’s methods and scope change (Kohn, Eloff & Eloff 2013; Selamat, Yusof & Sahib 2008).

However, they are not evidence based, in that they are not based on the processes as they are actually performed; instead they use each other as their basis, e.g. Kohn, Eloff & Eloff’s (2013) Integrated Digital Forensic Process Model was “…based on the six SFPMs discussed in the previous paragraphs.”, not on observation of digital forensic practitioners.

Likewise, such models are not based on, or trying to develop, best practice but instead develop a uniform approach and/or standardised terminology. This is eloquently captured by Hunton (2010) (citing Pollitt (2007) and Selamat et al. (2008)) when he says that “many of the existing models can be seen to build upon each other by extending earlier approaches with the aim of becoming more complete and robust.”, rather than prescribing improvements.

2.6 Business process management

In the forensic science domain, there has been a recent move towards adopting business methodologies—in particular process mapping—as a basis for improving the efficiency and effectiveness of the laboratory; an example of this is the FORESIGHT project, which seeks to create benchmarks and standardise terminology in forensic research, so that best practices can be determined and implemented (Houck et al. 2009).

Process mapping is a method of visually defining all the actions performed to produce a given output and the relationships, dependencies and flow of information between those actions. Once the current process is mapped, it can be discussed, analysed and improved.


Michigan State Police’s CODIS (COmbined DNA Index System) Unit used process mapping to successfully reduce its backlog from 10 years to under a year, and to increase matches from evidence left at crime scenes to known criminals by nearly a factor of ten (Thorsen 2005). Similarly, between 2010 and 2011, Louisiana State Police’s Crime Laboratory reduced its turnaround time from 227 days to 59, and its total backlog from 749 cases to 152, in part due to performing process mapping (Richard & Kupferschmid 2011).

Lean methodology is the systematic removal of wasteful or non-value-adding processes to increase efficiency and process cycle times and decrease costs (Näslund 2008). Six sigma’s purpose is to decrease variability in a process to reduce defects, thereby eliminating waste and increasing customer satisfaction and financial results (Näslund 2008). This is achieved using statistical methods to identify where fluctuations occur and then eliminating root causes (Näslund 2008). Combining lean and six sigma allows wasteful processes to be removed first with lean, exposing issues that could benefit from a six sigma approach (Smith 2003). To apply lean six sigma, an understanding of the as-is process is required, which process maps provide.

As part of its DNA Backlog Reduction Program, the US National Institute of Justice demonstrated its support for lean six sigma by authorising funding for its implementation in two forensic laboratories in 2011, another two in 2012 and six in 2013, including:

San Francisco Police Department Criminalistics Laboratory (CA)
Department of Emergency Services and Public Protection, Division of Scientific Services, DNA/Forensic Biology Section (CT)
Forensic Services Bureau Crime Laboratory (FL)
Department of Forensic Biology, of the Office of Chief Medical Examiner (NY)
Allegheny County Office of the Medical Examiner, Forensic Biology Section (PA)
Monroe County Crime Laboratory (NY)


3 Research methodology

3.1 Validating digital forensic process models

Within the digital forensics discipline, a number of frameworks—abstract representations of how the digital forensics process could be performed—have been proposed, which can be seen to successively build on each other to resolve identified weaknesses, becoming more complete and robust (Hunton 2010, p. 386; Kohn, Eloff & Eloff 2013). However, it is unknown whether these models are effective or efficient, as there is no evidence of them having been implemented in or derived from actual DFL business practices. As a result, there is an opportunity to undertake research in order to determine if, or to what degree, these models describe actual business processes used in a DFL. This can be undertaken by linking each process in the DFL's process map to corresponding processes in the frameworks, and validating whether resolving the discrepancies between them would result in reduced backlogs and turnaround times.

3.2 Applying business process management to digital forensics

There is an opportunity here to apply process mapping and lean six sigma techniques to digital forensics and determine whether they can be successfully used to improve the process workflow to address the backlog and turnaround time issues, as they have with DNA forensics.

3.3 Structure

The first phase of this research will be an extensive literature review focusing on the issues in digital forensics that have caused the backlog issue, the proposed solutions (including the use of tools and process models which can operate in parallel rather than sequentially), and solutions to similar problems in other forensic disciplines which could potentially be applied to digital forensics.

The second phase will be data collected from structured interviews, which will take place at the participant's usual place of work and take at most one hour. To demonstrate the existence of the problem using quantitative, first-hand evidence, a sanitised copy of the laboratory’s database will be requested to show the development of the backlog and turnaround time issues. This data will also be used to illustrate the expected increasing complexity of casework through the increase in the number and size of exhibits.

The third phase will focus on analysing the data collected, using the results to develop an evidence-based, prescriptive framework with an emphasis on efficiency. Finally, the proposed framework will be validated by expert digital forensic practitioners, to determine whether it would solve the research problem if implemented.
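The backlog, turnaround and exhibit-growth figures that the second phase plans to draw from a sanitised case database can be computed as follows. This is an added example, not part of the proposal; the case register it uses is constructed sample data rather than any laboratory's records, and the field names are assumptions.

```python
"""Backlog, turnaround and workload metrics from a sanitised case register.

Added example; the register below is constructed sample data, not any
laboratory's records. Each row carries the fields the proposal plans to
extract: date received, date completed (None while the case is still
open), number of exhibits and total exhibit size in Gb.
"""
from collections import defaultdict
from datetime import date
from statistics import median
from typing import NamedTuple, Optional


class Case(NamedTuple):
    case_id: str
    received: date
    completed: Optional[date]
    exhibits: int
    size_gb: int


# Constructed sample register (hypothetical cases and dates).
CASES = [
    Case("C-01", date(2007, 2, 1), date(2007, 5, 3), 1, 80),
    Case("C-02", date(2007, 6, 12), date(2008, 1, 20), 3, 250),
    Case("C-03", date(2007, 9, 5), date(2008, 4, 11), 5, 640),
    Case("C-04", date(2008, 1, 15), date(2008, 3, 1), 2, 120),
    Case("C-05", date(2008, 3, 20), None, 6, 1500),   # still open
    Case("C-06", date(2008, 7, 9), date(2008, 12, 22), 4, 900),
    Case("C-07", date(2008, 10, 2), None, 7, 3000),   # still open
]

# Year-end snapshot dates at which the backlog is measured.
YEAR_ENDS = [date(2007, 12, 31), date(2008, 12, 31)]


def backlog_on(cases, as_of):
    """Ids of cases received on or before as_of and not completed by then.

    A case completed after as_of was still in the backlog on that date, so
    the completion date is compared against as_of rather than only checked
    for None; otherwise historical backlogs would be understated.
    """
    return sorted(c.case_id for c in cases
                  if c.received <= as_of
                  and (c.completed is None or c.completed > as_of))


def backlog_series(cases, year_ends):
    """Backlog size at each year-end date, keyed by year."""
    return {d.year: len(backlog_on(cases, d)) for d in sorted(year_ends)}


def turnaround_days(cases, year):
    """Receipt-to-completion durations (days) for cases completed in year."""
    return [(c.completed - c.received).days
            for c in cases
            if c.completed is not None and c.completed.year == year]


def median_turnaround(cases, year):
    """Median turnaround for the year, or None if nothing was completed."""
    days = turnaround_days(cases, year)
    return median(days) if days else None


def yearly_workload(cases):
    """Per year of receipt: case count, mean exhibits and mean Gb per case.

    These are the quantities plotted in Figure 1 (cases, exhibits per case)
    and reported from the FBI annual reports (Gb per case).
    """
    by_year = defaultdict(list)
    for c in cases:
        by_year[c.received.year].append(c)
    result = {}
    for year, group in sorted(by_year.items()):
        n = len(group)
        result[year] = {
            "cases": n,
            "exhibits_per_case": round(sum(c.exhibits for c in group) / n, 2),
            "gb_per_case": round(sum(c.size_gb for c in group) / n, 1),
        }
    return result


if __name__ == "__main__":
    print("backlog at year end:", backlog_series(CASES, YEAR_ENDS))
    for year in (2007, 2008):
        print(year, "median turnaround (days):", median_turnaround(CASES, year))
    for year, stats in yearly_workload(CASES).items():
        print(year, stats)
```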


4 Research schedule

[Gantt chart; the task bars are not recoverable from the extracted text. Columns: MAR, APR, MAY, JUN, JUL, AUG, SEP (weeks 1 to 31) and a "Due" column. Tasks, in the order listed:]

Project plan
Ethics application
Research proposal
Ethics approval
Research 1 - Survey
Research 2 - M@RS
CH3 Research methodology
CH2 Literature review
CH1 Introduction
CH4 As is model
CH5 Proposed model
CH6 Conclusion


5 Proposed Table of Contents

Abstract
Table of contents
List of figures
List of tables
CH1 Introduction
  o Motivation
  o Problem
  o Question
      Sub questions
CH2 Literature review
  o Define
      Digital forensics
      Process mapping, RACI, 6σ
  o Issues in DF
  o Proposed solutions
CH3 Research methodology
  o Process mapping (as-is)
  o Informal interview, map, follow up
CH4 ‘As-is’ model
  o Process maps, explanations
  o Model
  o Opportunities for improvement
CH5 Proposed model
  o Description
  o Validation
CH6 Conclusion
  o Results
  o Future work
  o Conclusion
References
