SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

Digital media forensic investigations come in multiple forms, spanning single assets such as thumb drives, laptops, mobile phones, or a single email server, as well as large-scale corporate incident response actions. In corporate network investigations, analysts can become overwhelmed by the volume of internal hosts of interest that must be forensically triaged and analyzed, yet the pressure to produce evidence that supports or refutes a case remains the same: analysts need to deliver the evidence as quickly as possible while maintaining proper evidence handling procedures. Endpoint Detection and Response (EDR) tools do an excellent job of identifying these systems and providing a platform to collect data from them, but the next step, preparing and analyzing the collected host data, still has to be done and is time-consuming. This is where a Cloud Forensics Triage Framework (CFTF) can leverage cloud resources to set up a scalable, automated forensic triage pipeline that benefits digital media forensic investigators. This research will explore the possibility of combining traditional forensic media collection processes with modern cloud technologies to determine whether reducing the time it takes to deliver processed media improves the overall mean time to deliver results.