Knowing where to start, what to triage and how to triage … simplified.
Gaining entry into a suspect’s house or location is only the start for a digital forensics investigator. Next comes the laborious task of identifying all the digital devices spread across the household.
Previously, our investigator was limited to using software that seemed to require a university degree to operate and couldn’t be run or monitored by just anyone. In addition, due to the price of the software, the number of licences was limited, and hence the suspect devices selected for analysis would be limited. That changed once the investigator and their team were equipped with S21 Discovery.
With S21 Discovery, the investigator and her colleague were able to collect all the various hard drives, USBs and other media, connect them to a multi-port write blocker and simply run S21 Discovery across all drives simultaneously. S21 Discovery processed thousands of files per minute, comparing the files against Project VIC (or CAID, its UK variant) data, checking for keywords and suspicious software (such as encryption, peer-to-peer and anti-forensic applications), and even processing the files for nudity.
Results appeared in real time in a very simple user interface, accompanied by an audio alert, which enabled the investigator to move between rooms, leaving scans running unattended. Videos were also identified and could be analysed in real time by sliding across the video without any pre-processing or frame extraction.
Once illicit media was identified on a device, the investigator was able to stop the scan on that device and produce a report detailing all the findings for a full investigation later at the station. On one particular device, first-generation CSAM was found (files created by a suspect and not known in the S21 Global Alliance Database or Project VIC databases), thus revealing local abuse of a victim inside the household. The victim could be supported immediately, and the suspect was arrested and held, thus preventing further abuse.
S21 Discovery’s low cost and simple deployment allowed more devices to be processed on scene, giving the investigator more confidence in their findings. In addition, deploying multiple databases alongside functions which detect first-generation media changed how triage is done, with S21 Discovery’s dynamic workflows ensuring that key areas are scanned first.