Everyone has concerns about automation because it can make mistakes when faced with unique situations. Self-driving cars are great in a controlled environment, but can cause injury in a busy urban environment.
Similar concerns exist when adding automation and AI to digital investigations. Each investigation is unique, and you don’t want to get the wrong conclusion.
But, there are many levels of automation, and it’s essential to apply the right level at the right time. In fact, many steps in an investigation already have automation, even if it’s not AI.
Levels of Automation
Automation is when an application makes a decision instead of you making it. It can reach its conclusion using AI or a hard-coded set of rules.
There are many levels of automation, but we can focus on four and give a simple parsing example:
- None: It’s all on you. You need to know that a decision must be made, and you need to make it.
  - Example: You must realize that a .pf file exists and can be parsed. You need to parse it to get Prefetch data.
- Prompt: The application realizes a decision needs to be made and gives you a list of options. You decide which to choose.
  - Example: The application detects the .pf file and asks you if it should be parsed. You choose Yes or No.
- Recommend: The application decides, gives you a list of options, and recommends which to pick. You decide whether to overrule it.
  - Example: Same as above, but it recommends parsing the .pf file.
- Full: The application makes a decision and picks its recommendation.
  - Example: The application sees a .pf file and automatically parses it.
When to Fully Automate
Full automation is when the application makes the decision. You should do this only when:
- The impact of a wrong decision is low.
- The automation doesn’t make many errors.
The previous examples were all about parsing file formats, which is often required in digital investigations. Many tools have full automation of parsing because it’s low risk:
- If the user didn’t care about that file type, the only waste was some CPU cycles.
- If the detection was wrong, then the parsing simply fails; no conclusion is drawn from it.
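The four levels and the two full-automation conditions, applied to the .pf example above, as an added illustration (this is not Cyber Triage code). It assumes a toy Prefetch check that only looks at the file header: pre-Windows 10 files carry a version number followed by the ASCII signature "SCCA", and Windows 10 files are compressed and start with "MAM\x04"; the sample byte strings are constructed, and `ask` stands in for the investigator.

```python
from enum import Enum
from typing import Callable, Optional

class Level(Enum):
    NONE = "none"; PROMPT = "prompt"; RECOMMEND = "recommend"; FULL = "full"

# Constructed sample inputs (header bytes only, padded to 16 bytes).
SAMPLE_PF_WIN8 = b"\x1a\x00\x00\x00SCCA" + b"\x00" * 8   # version 0x1A, "SCCA" signature
SAMPLE_PF_WIN10 = b"MAM\x04" + b"\x00" * 12             # compressed Win10 Prefetch
SAMPLE_NOT_PF = b"MZ\x90\x00" + b"\x00" * 12             # a PE header renamed to .pf

KNOWN_VERSIONS = {0x11, 0x17, 0x1A, 0x1E}   # XP, Vista/7, 8, 10

def is_prefetch(data: bytes) -> bool:
    """Detect by content rather than by the .pf extension."""
    if data[:4] == b"MAM\x04":
        return True
    return (len(data) >= 8 and data[4:8] == b"SCCA"
            and int.from_bytes(data[:4], "little") in KNOWN_VERSIONS)

def parse_prefetch(data: bytes) -> dict:
    """Toy parser: reads only the header. A wrong detection fails here, harmlessly."""
    if not is_prefetch(data):
        raise ValueError("not a Prefetch file")
    if data[:4] == b"MAM\x04":
        return {"version": "win10-compressed", "needs_decompression": True}
    return {"version": hex(int.from_bytes(data[:4], "little")), "needs_decompression": False}

def should_fully_automate(impact_of_error: float, error_rate: float,
                          max_impact: float = 0.2, max_error: float = 0.05) -> bool:
    """The two conditions from the text: low impact of a wrong decision, few errors.
    Thresholds are assumptions; tune them per step."""
    return impact_of_error <= max_impact and error_rate <= max_error

def handle_artifact(name: str, data: bytes, level: Level,
                    ask: Callable[[list, Optional[str]], str]) -> Optional[dict]:
    """Apply one automation level to the 'should we parse this file?' decision.
    ask(options, recommended) returns the investigator's choice."""
    if level is Level.NONE:
        return None                       # nobody noticed the file unless the investigator did
    detected = name.lower().endswith(".pf")   # cheap extension-based detection
    if level is Level.FULL:
        try:
            return parse_prefetch(data) if detected else None
        except ValueError:
            return None                   # detection was wrong: parsing fails, nothing else
    recommended = None if level is Level.PROMPT else ("parse" if detected else "skip")
    choice = ask(["parse", "skip"], recommended)
    return parse_prefetch(data) if choice == "parse" else None
```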
Other steps to use full automation include:
- Collection: Ensure that data is available for examination as quickly as possible. The primary risk is if too little is collected and you can’t return and get more.
- Enrichment: Ensure that as much previous threat intelligence and correlations are brought in as possible so that the investigator has full access to knowledge about the artifact. The only risk is if you have a limit on the number of enrichment lookups you can perform and you run out.
- Scoring: Let the software propose a score of good, bad, or suspicious, and let the investigator confirm it. There is no risk if the investigator can confirm or change the final score.
Investigators Make The Final Decision
An investigation starts because someone decides it’s important to know the answer to a question. For these situations, a human should review the data and make the final decision.
However, automation can make that decision easier and better by ensuring the correct data and context exist.
Try an Automated Investigation
If you’d like as much of your investigation as possible to be automated, try out Cyber Triage. It lets you automate artifact collection, enrichment, and scoring, and then review the results with the assistance of the application. You can read about the process here.