Towards a Smart Digital Forensic Advisor to Support First Responders with At-Scene Triage of Digital Evidence Across Crime Types
Lead Research Organisation:
UNIVERSITY COLLEGE LONDON
Department Name: Computer Science
Abstract
Over 90% of reported crime involves a digital device, and the increased use of digital devices in criminality has resulted in significant backlogs within the departments that forensically examine these devices. Despite this backlog, front-line officers often seize devices that have little evidential value to an investigation. This is perhaps unsurprising, as most digital evidence is seized by front-line officers who often lack awareness and training around digital forensics and technology. The speed at which technology develops and is adapted for use in criminality means that even those with advanced training can struggle to stay up to date. This can lead to risk-averse decision-making and a "seize all" mentality, increasing the digital forensic backlog. Prior research and government reports highlight the issues related to the digital forensic backlog within Policing and highlight how existing approaches are in need of modernisation to help address the problem.
Digital device triage is one potential way of helping to reduce the backlog. This is the process of evaluating digital devices at a crime scene to assess their investigative value based on the circumstances of the case. Devices deemed likely to be of evidential value would be seized and submitted to a digital forensics lab for in-depth examination and analysis. While this approach may be effective in reducing the number of devices seized, there is a risk of inconsistent approaches to triage decision-making, and low digital awareness reducing decision-making effectiveness. This project makes a first step in addressing this, by laying the foundations for developing a smart digital forensic advisor tool to support first responders conducting digital evidence triage at-scene.
To do this, we will explore existing practices, resources, challenges, and user needs around the process of search and seizure of digital devices across two distinct crime types. Through this, we will identify data that could be used to inform the smart advisor tool, and data gaps that the tool itself could address. We will also be exploring both the legal and ethical implications of its use, due to the tool's potential in helping to shape decision-making. Finally, drawing on our findings we will develop a set of early-stage low-fidelity prototypes to present back to our user groups.
Digital device triage is one potential way of helping to reduce the backlog. This is the process of evaluating digital devices at a crime scene to assess their investigative value based on the circumstances of the case. Devices deemed likely to be of evidential value would be seized and submitted to a digital forensics lab for in-depth examination and analysis. While this approach may be effective in reducing the number of devices seized, there is a risk of inconsistent approaches to triage decision-making, and low digital awareness reducing decision-making effectiveness. This project makes a first step in addressing this, by laying the foundations for developing a smart digital forensic advisor tool to support first responders conducting digital evidence triage at-scene.
To do this, we will explore existing practices, resources, challenges, and user needs around the process of search and seizure of digital devices across two distinct crime types. Through this, we will identify data that could be used to inform the smart advisor tool, and data gaps that the tool itself could address. We will also be exploring both the legal and ethical implications of its use, due to the tool's potential in helping to shape decision-making. Finally, drawing on our findings we will develop a set of early-stage low-fidelity prototypes to present back to our user groups.
Organisations
| Title | Sketchnotes from our midpoint engagement event |
| Description | Dr Maria Maclennan developed sketches during our mid-point stakeholder engagement event, and then turned these hand drawn sketches into digital sketch notes. |
| Type Of Art | Artefact (including digital) |
| Year Produced | 2025 |
| Impact | We will be distributing this artefact to our stakeholders towards the end of this week. No impact as of yet to report. |
| URL | https://discovery.ucl.ac.uk/id/eprint/10206030/ |
| Description | Our finding so far show that digital device triage is understood and applied differently across police services. While digital device triage is typically considered as a practice that is applied at the scene of crime to prioritise the seizure of digital devices, we find triage is often ineffectively applied at this point in the investigation. This is due to a variety of reasons, including insufficient digital understanding and awareness amongst non-specialist police personnel, a lack of engagement with specialist digital personnel, and late input of specialist knowledge and advice in investigations. We also identify digital device triaging occurring at other stages of the investigation. For instance, triage occurs at the point at which devices are submitted for examination into digital forensic labs. This triaging occurs to help reduce the strain on digital forensic services, and to ensure devices are only examined where it is necessary and proportionate to do so, to progress reasonable lines of inquiry. Yet, triage at the point of submission is often seen as a barrier by submitting officers who can struggle with forming justifications for examination in relation to reasonable lines of inquiry within cases, and make requests of the devices that are not viable due to limitations in the capability of devices or the digital forensic tools and methods available. We have identify various initiatives that police services have developed to help up-skill and support non-specialist staff with triaging of digital devices, to help address insufficient digital understanding and awareness amongst non-specialist police personnel. However, these initiatives are not always viewed as effective, as the guidance and support is often not present to officers when it is contextually relevant to them and their investigations. Yet, through other initiatives, we identify incidental learning happening within systems designed to support the triage of digital devices. This may be more effective as it offers advice, guidance, and support when it is needed, and contextualises learning for officers. However, these initiatives are often not scaleable due to the demands they place on specialist staff. |
| Exploitation Route | Currently, we envisage our research outcomes being used by developers of digital device triaging systems to help support them in more explicitly integrating experiential learning opportunities into software products. We also envisage the current outcomes of this funding to be used to support our ongoing research through design work, to help us develop initial conceptual design ideas and prototypes to support digital device triage at different points within investigations. |
| Sectors | Digital/Communication/Information Technologies (including Software) Government Democracy and Justice |
| Description | Join Trust and Triage Project Launch Event (London) |
| Form Of Engagement Activity | A formal working group, expert panel or dialogue |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | A project launch event was run in partnership with the Trust project (ES/Y010639/1) in London at the start of the two projects. The event was intended to develop a community around the project, to capture insights to help shape the projects direction. |
| Year(s) Of Engagement Activity | 2024 |
| URL | https://discovery.ucl.ac.uk/id/eprint/10193897 |
| Description | Mid-point project event |
| Form Of Engagement Activity | A formal working group, expert panel or dialogue |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | We ran a joint mid-point stakeholder engagement event between the Triage, Trust (ES/Y010639/1) and SCAnDI (ES/Y010655/1) projects, in London. The aims of the event were: • To present findings across the three projects • To provide stakeholder input into the projects to help shape their continued development and progress • To facilitate cross project fertilisation of ideas • To bring the forensic science community together to foster new discussions, ideas, and relationships • To identify usable outputs from the projects that would have an impact on practice During the event, Triage ran three workshops in the form of ideation sessions, with our stakeholders. These allowed us to evaluate our workshop methodology that we will apply later on in the project, but in of itself these workshops allowed us to develop initial ideas related to the main challenges we have so far identified within the research. Moreover, we developed new contacts that will allow us to run future workshop activities with a wider range of police forces, and non-policing stakeholders. It also provided us with renewed connections into government departments that will support us in disseminating our research. |
| Year(s) Of Engagement Activity | 2025 |
| Description | Webinar hosted by the Chartered Society of Forensic Sciences |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | The project team presented at The Chartered Society of Forensic Sciences webinar on 9th October 2024. Mark Warner spoke on behalf of the team as part of a series of talks on UKRI forensic science sandpit funded projects. The purpose was to highlight the project to members of The Chartered Society of Forensic Sciences. |
| Year(s) Of Engagement Activity | 2024 |