The need for digital forensic investigations is spiking both in law enforcement agencies and corporations, but there’s a dramatic shortage of qualified forensic investigators. It’s estimated that approximately 600,000 open positions remain unfilled, and that number is growing. But this widening gap between need and talent signals increasing risk for investigators. In 2021 businesses worldwide experienced a 50% spike in cyberattacks per week, all requiring immediate investigation and response; law enforcement agencies, meanwhile, are handling a constantly growing digital investigation workload, but a lack of qualified staff is hampering their efforts to bring criminals to justice.
The risk lies not just in overload and stress on investigation teams: time is of the essence in forensic investigations. Corporations must initiate breach response, investigation and remediation as quickly as possible to avoid risks ranging from financial loss, consumer exposure and reputation damage to heavy regulatory penalties. In law enforcement agencies, budget constraints and a lack of experienced staff mean that non-technical reviewers are more frequently asked to prepare cases for review; this leads to time-consuming errors, backlogs and bottlenecks.
At some time or other, we’ve all complained that twenty-four hours a day are not enough. This is particularly true for investigative staff. 45% of all crime occurs between the hours of 7 p.m. and 7 a.m. Given that the ‘normal’ working hours are 8 to 6, the fact that crime tends to happen when everyone has gone home is a big problem for investigators.
For their part, law enforcement agencies often plug the gap by hiring forensic lab sub-contractors to work till the small hours. Although this solution makes more cases ready for the examiner to review by morning, it’s an expensive option. The annual cost for a single subcontractor averages about $80,000. Imagine if you had to employ four or five: the extra half-million dollars or so per annum is a big budget hit. This cost rises further if the workers are permanent or receive additional benefits, and in any case, training and replacing these workers is an ongoing expense. What makes the cost even more painful is that preparing these cases for review is a monotonous task. Humans who are bored tend to get distracted and make mistakes, which can jeopardize the speed or even the overall success of an investigation.
For corporations that can’t fill the vital cybersecurity and forensic positions, the highest cost lies in timeliness: they can’t afford delays in responding to incidents or breaches. If, for example, they are hit by ransomware and need to do an urgent investigation, they must scramble to assemble the necessary resources to initiate a digital forensic investigation from wherever they can. It’s an expensive and risky strategy. Even with the right resources in place, writing scripts to connect their security infrastructure with platforms such as security orchestration, automation and response (SOAR) and security information and event management (SIEM) will create an unwelcome delay in response. It also opens the door to human error.
Despite this picture of gloom, there’s light on the horizon in the form of new technology. Digital forensic tools with automation capabilities are now becoming available; they have been created specifically to help with problems including costs, talent shortages, consistency and efficiency.
Automation benefits law enforcement agencies by helping them improve their overall digital forensic lab efficiency. It doesn’t replace human workers; rather, it augments their work, frees individuals from monotonous, repetitive tasks, and provides them with time to make considered decisions and judgment calls. Instead of closing the door on an empty forensic lab when six o’clock strikes, agencies can set their automated processes to operate at any time of night, day, or any day of the year, even if — especially when — the office is unstaffed. The beauty of this new technology is that it incorporates checks and processes to ensure that decisions are in line with standard operating procedures and, crucially, does away with the danger of human error. The data made ready for examiners is error-free, which is a huge factor in speeding the investigation process: mistakes cost the entire force time and money and hurt the victim in terms of bringing criminals to justice.
For corporations, automation accelerates incident response workflows and improves the speed at which corporate assets can be secured. One of the highlights of the newest technology is its ease of use: a graphical user interface enables even non-experts to be productive with minimal training. Instead of waiting for IT to write a script, they can use a drag and drop interface to create automation for any case type.
This is not just a distant dream: new software is now being trialed that integrates with organizations’ cybersecurity platforms, case management systems, e-discovery applications, and other third-party software tools that have the ability to call a RESTful API. This integration can speed up the investigation, from collection to processing to review, and can reduce the risk and delay inherent in passing data between platforms. For example, corporate users can now automate tasks and workflows, such as triggering the platform to process any forensic image placed in a designated location, or initiating a remote endpoint collection when the SIEM security tool detects a possible incident or breach.
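The two triggers just described (an image dropped into an intake location, and a SIEM alert starting a remote collection) are straightforward to sketch as defender-side automation. The following is an added example written for this article, not code from any vendor's platform; the job types `process_image` and `collect_endpoint`, the file extensions treated as images, the shared-secret alert signature and all sample data are assumptions constructed here. It deliberately handles two failure modes the prose glosses over: an image that is still being copied when the watcher sees it, and a SIEM webhook that is forged or replayed.

```python
"""Added example: two trigger paths for a forensic automation workflow.
Nothing here contacts a real REST endpoint; jobs are returned as dicts that
a real integration would POST to the platform's API (hypothetical)."""
import hashlib
import hmac
import json
import os
import tempfile
import time

# Assumed intake file types; a real deployment would take these from config.
IMAGE_EXTENSIONS = (".e01", ".dd", ".raw", ".aff4")
REQUIRED_ALERT_FIELDS = ("alert_id", "hostname", "severity")
COLLECT_SEVERITIES = ("high", "critical")   # only these trigger a collection


def sha256_file(path, chunk_size=1 << 20):
    """Hash an image in chunks so multi-gigabyte files don't load into RAM.
    The digest travels with the job so the processing side can verify it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_image_job(path):
    return {
        "action": "process_image",          # hypothetical job type
        "path": os.path.abspath(path),
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
        "queued_at": int(time.time()),
    }


def scan_intake(intake_dir, seen, min_age_seconds=30):
    """Watch-folder trigger. Skips files already queued (seen) and files
    modified within min_age_seconds: an image still being copied would
    otherwise be hashed half-written and queued with a bad digest."""
    jobs = []
    now = time.time()
    for name in sorted(os.listdir(intake_dir)):
        path = os.path.join(intake_dir, name)
        if not name.lower().endswith(IMAGE_EXTENSIONS) or path in seen:
            continue
        if now - os.path.getmtime(path) < min_age_seconds:
            continue
        jobs.append(build_image_job(path))
        seen.add(path)
    return jobs


def sign_alert(body, secret):
    """HMAC-SHA256 over the raw body; the SIEM side would compute this."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_alert_signature(body, signature_hex, secret):
    return hmac.compare_digest(sign_alert(body, secret), signature_hex)


def alert_to_collection_job(body, signature_hex, secret, seen_ids):
    """SIEM-alert trigger. Returns a collection job, or None when the alert
    is unsigned/forged, malformed, below the severity threshold, or a
    replay of an alert id already acted on."""
    if not verify_alert_signature(body, signature_hex, secret):
        return None
    alert = json.loads(body)
    if any(k not in alert for k in REQUIRED_ALERT_FIELDS):
        return None
    if str(alert["severity"]).lower() not in COLLECT_SEVERITIES:
        return None
    if alert["alert_id"] in seen_ids:
        return None
    seen_ids.add(alert["alert_id"])
    return {
        "action": "collect_endpoint",       # hypothetical job type
        "hostname": alert["hostname"],
        "source_alert": alert["alert_id"],
        "queued_at": int(time.time()),
    }


def run_demo():
    """Constructed scenario: one settled image, one still-copying image,
    one signed high-severity alert delivered twice."""
    intake = tempfile.mkdtemp(prefix="intake_")
    payload = b"constructed image bytes " * 4096
    settled = os.path.join(intake, "laptop01.E01")
    with open(settled, "wb") as f:
        f.write(payload)
    old = time.time() - 120                  # finished copying 2 minutes ago
    os.utime(settled, (old, old))
    copying = os.path.join(intake, "server07.dd")
    with open(copying, "wb") as f:
        f.write(b"partial")                  # mtime is "now": still in flight
    image_jobs = scan_intake(intake, set())

    secret = b"constructed-shared-secret"
    body = json.dumps({"alert_id": "ALERT-0001", "hostname": "ws-17",
                       "severity": "high"}).encode()
    sig = sign_alert(body, secret)
    seen_ids = set()
    first = alert_to_collection_job(body, sig, secret, seen_ids)
    replay = alert_to_collection_job(body, sig, secret, seen_ids)
    forged = alert_to_collection_job(body + b" ", sig, secret, set())
    return {"payload": payload, "image_jobs": image_jobs,
            "first": first, "replay": replay, "forged": forged}


if __name__ == "__main__":
    print(json.dumps(run_demo()["image_jobs"], indent=2))
```

The watcher's settle delay and the alert de-duplication are the parts worth keeping when wiring this to a real SOAR or SIEM: a platform that processes a half-copied image, or re-collects an endpoint every time the same alert is re-emitted, burns exactly the analyst time the automation was meant to save.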
Automating investigations and incident response is a problem that everyone wants solved. But not all automation tools are created equal. Many are coming onto the market, but almost none can deliver the core benefits that corporations and agencies crave — reduced investigation time and a solution to the talent gap.
The key questions digital forensics professionals need to ask when testing an automation tool are these. Does it have the right set of features to do what’s needed — but not too many? Does it include a graphical interface that removes the need for writing scripts and allows non-experts to be productive? Does it allow you to automate regardless of your level of expertise? Organizations that are able to automate can transcend the problems of staff shortages, delays and costs in digital forensic investigations and be better able to focus on their core objectives.