A case-based reasoning method for locating evidence during digital forensic device triage

• Novel approach to digital forensic triage using case-based reasoning.
• Knowledge of past investigations highlights likely evidential areas on a system.
• Uses Bayesian inference.
• A more effective triage method compared to a practitioner using leading tool EnCase.

The role of triage in digital forensics is disputed, with some practitioners questioning its reliability for identifying evidential data. Although successfully implemented in the field of medicine, triage has not established itself to the same degree in digital forensics. This article presents a novel approach to triage for digital forensics. Case-Based Reasoning Forensic Triager (CBR-FT) is a method for collecting and reusing past digital forensic investigation information in order to highlight likely evidential areas on a suspect operating system, thereby helping an investigator to decide where to search for evidence. The CBR-FT framework is discussed and the results of twenty test triage examinations are presented. CBR-FT has been shown to be a more effective method of triage when compared to a practitioner using a leading commercial application.