
Is the Push-Button Forensic Reckoning Coming?

By Justin Tolman Forensic Subject Matter Expert and Evangelist | October 16, 2024

"The art of forensics is dying." 

Those of us who have taken the time to learn the 'bits and bytes' of forensics often get into our echo chambers and discuss the coming digital forensic apocalypse, because the current meta prefers speed of button pushing over "knowing how it all works." But will that reckoning ever happen?

"I only look at pictures, videos, and chats." How many resonate with this statement? Maybe none of the readers here, but it is a common sentiment from investigators I interact with at conferences, webinars, and meetings. 

Back in 2010 I spoke with two officers who worked digital forensics in the US Army. They highlighted the main investigative difference between the Army and Law Enforcement: the Army only needed actionable intel. Does this approach in 2010 sound so different from any other exam today?

Caseloads and backlogs have led to a fire-and-forget process of portable cases, reader reports, or native exports being sent to out-of-lab reviewers who are tasked with finding "actionable intel". These reviewers often have very little forensic experience and sometimes barely any computer knowledge. 

While this may be alarming, if forensic examiners in the lab, and non-forensic reviewers with a portable case, can push a button and get the evidence necessary to appease the courts, secure a breach, or prevent litigation, does 'knowing how it all works' matter? Prosecutors focus on evidence such as pictures, videos, and chats because they are often the most actionable sources of information.

The point of limitation is the point of adaptation. Until push-button forensics is a limitation to the success criteria of a given community, there won't be adaptations to the way that community operates.

Most people will do the least amount of work necessary to complete a task at the quality the subject requires. I believe investigators will always work to the highest quality, but quality may not mean deep dive. 

So, is the reckoning coming? Probably not anytime soon. At every level of the system and in every digital forensic vertical, fast actionable intel is preferred to deep dive analysis.

During university breaks I worked for a large irrigation construction company which built center pivot systems for large farms. One summer a service tech messed up his shoulders jet skiing, and so my job was to be his hands wiring up (cold) systems. He had the understanding, I had shoulders that worked. 

Sometimes you just need someone to turn the screwdriver. 

It's not hard to find social posts on LinkedIn blaming software vendors for the forced migration of the digital forensic community to the push-button era and dilution of the forensic analyst. 

The chicken and her egg have entered the chat.

We live in a society and in that society the vendor's role is to build software that people are willing to pay money for. If the forensic community is only willing to spend money on push-button solutions, then push button solutions will be built. 

Training Beyond Push-Button Forensics

The ability to "close some cases with the push of a button and some light reading" is now foundational to most digital forensic procedures. A benefit of this push-button review system is a lower skill gap, allowing newer forensic examiners or investigators to work cases effectively. Combine an investigative mindset with software that lets them view digital evidence clearly, and cases are closed more quickly.

"Knowing how it all works" doesn't matter, until it does.

Many (all?) of us have closed cases that the "button" couldn't. The learning of "how things work" will come with time, training, and practice. The trap with early success is that an investigator becomes comfortable at the button-pushing depth and dives no deeper. If the investigator can avoid the trap of complacency, then as they seek new knowledge they will most likely face the next challenge.

Supervisors see cases being closed, "cases won", and backlogs managed, so training is not budgeted or approved. As an examiner I had this experience. My fellow examiners and I had asked for Cellebrite training at various times through the years, and it was denied. The reason: "You are already using the software and have testified in court just fine. We aren't going to pay for that."

Push-button forensics becomes an issue when the training stops. This includes both software-vendor and general-forensic knowledge training. I can always pick out someone who hasn't got the general-forensic training they need by the support tickets they submit to their software vendor.

One risk of relying on push-button reviews by less forensically trained users is their inability to identify the need for, and locate, the relevant context of the information they are reviewing. On a recent episode of FTK Over the Air, Rob Fried emphasized the human element and the importance of context, stating, "There's a bigger picture that may need to be discussed. If I don't have the knowledge to ask the right questions, to be intuitive and inquisitive, I'm not going to be able to effectively assist my client." 

Push-button forensic review (if utilized correctly) is necessary for the success of current digital forensic investigations, and is an important part of building up the next generation of examiners: examiners who will eventually join our echo chamber complaining about the next generation of push-button investigators.

Forensics in an Era of Reluctant Change

As my training supervisor, Allan Buxton, would tell me, "You need to be able to work a digital forensics case with a hex viewer and a notepad." Obviously he didn't want us doing forensics like this, but it conveyed a very clear level of understanding he expected me to have. This saying resonated with me, and my approach to digital forensics has really been dictated by this one statement.

No one is making the argument that we need to make forensics complicated by removing automation, increased functionality, or simplicity from our forensic processes or software. I understand that we are really saying "many examiners are not taking the time to learn the where, why, and how of data recovered at a complete technical level." (Whether that is true or not is debatable.)

The future of forensics is push button, because the future of forensics is mobile forensics.

The future of forensics is push button, because the future of forensics is cloud data collections. 

The future of forensics is push button, because the future of forensics is collaborative review. 

The future of forensics is push button, because it can be. 

Mobile forensics is not only the future of forensics, it is the "now" of forensics. I am suggesting that mobile forensics has (overall) simplified the technical landscape. What percentage of "actionable" evidence from a mobile device is contained within a SQLite database, an XML/pList, a picture, or a video? These are not complex artifacts. 

Are examiners today 'less technical' because the artifacts that they examine are also 'less technical'? If someone can build a successful case with only "pictures, videos, and chat", is it worth the time to dig around in Biome data?

As security (including encryption) continues to get better, cloud data (warrant returns) will represent a larger part of the 'digital' evidence a case has in the future. There is nothing inherently technical here. This is review in its purest form. 

Collaborative Review should be the future for any agency working digital forensics. Without it, they won't keep up. I think it is important to define the vocabulary we use in the industry so that we can create structures around them that will make us successful. (Note: while I was writing this, Brett Shavers released a part two blog on a related topic. Check it out.) Of all the titles thrown around in the digital forensic industry, I believe we can condense them all down into two categories: Examiner and Reviewer. There will be many reviewers to few examiners. 

We need reviewers to find actionable evidence, identify a face in a picture, relevant content within a document, or context within a chat conversation with the push of a button. The examiner is "on-call" to prepare that data for review, answer any questions the reviewers have, or if necessary take the deep dives when evidence isn't readily available at the surface level, and ultimately validate the tools and processes used throughout the digital investigation.

About FTK’s Interface

FTK installs with two interfaces. Smart Review is designed for reviewers who need data fast. This interface is designed for the investigator who just needs "pictures, videos, and chat." Our Core interface provides Examiners with deep dive capabilities such as Hex view, comprehensive filter creation, and more features designed around the Examiner skill set.

Conclusion

I want to recognize the perspective from which I wrote this article. Most of my direct interaction with the community is at conferences. These conferences are typically built around training. The rest of my contact typically comes from my education webinars, YouTube, or podcast. All are sources of information to "get better" at the job.

The Future of Forensics can be push-button because I see thousands of individuals every year striving to "get better" and know more.

About the Author

Justin Tolman has been working in digital forensics for 12 years. He has a bachelor's degree in Computer Information Technology from BYU-Idaho and a master's degree in Cyber Forensics from Purdue University. After graduating he worked as a Computer Forensic Specialist with the Ohio Bureau of Criminal Investigation and currently works as the Forensic Subject Matter Expert and Evangelist at Exterro. Justin has written training manuals on computer and mobile device forensics, as well as (his personal favorite) SQLite database analysis. He frequently presents at conferences and on webinars, produces YouTube content, and hosts the FTK Over the Air podcast.
