DIGITAL FORENSIC LABORATORIES
BUSINESS PROCESS MANAGEMENT: REDUCING BACKLOGS & TURNAROUND TIMES
ALISTER THORNTON MCVEIGH
Research proposal for
Masters of Science (Cyber Security and Forensic Computing)
School of Information Technology and Mathematical Sciences
University of South Australia
Digital Forensic Laboratories Business Process Management: Reducing Backlogs & Turnaround Times
Table of Contents
1 Research problem
  1.1 The problem
  1.2 Main question
  1.3 Sub questions
  1.4 Explanation of the main and sub questions
2 Literature review
  2.1 What is digital forensics?
  2.2 Background
  2.3 Significance
  2.4 Proposed solutions
  2.5 Research gap
  2.6 Business process management
3 Research methodology
  3.1 Validating digital forensic process models
  3.2 Applying business process management to digital forensics
  3.3 Structure
4 Research schedule
5 Proposed Table of Contents
6 References
Table of Figures
Figure 1 Number of cases and exhibits per case is rising each year, derived from Turnbull,
Taylor & Blundell (2009)
List of Acronyms
CODIS   COmbined DNA Index System
CSF     Critical Success Factor
CSI     Crime Scene Investigation, a popular crime drama series which frequently showcases unrealistically instantaneous forensic analysis
DFL     Digital Forensic Laboratory
FTK     Forensic ToolKit, a forensic analysis tool developed by AccessData Corp.
Gb      Gigabyte, 1,073,741,824 bytes
HTML    Hyper Text Markup Language, file format for storing and transmitting web pages
JSON    JavaScript Object Notation, a common data storage format
LEA     Law Enforcement Agency
MSG     Message, the file extension of an email stored as a plain text file
PST     Personal Storage file, used to store user data by Microsoft Outlook including email messages
Tb      Terabyte, 1024 Gb
XML     eXtensible Markup Language, a common data storage format
1 Research problem
1.1 The problem
This research aims to develop solutions to the problems of long backlogs and turnaround
times in digital forensic laboratories.
1.2 Main question
How can a digital forensic laboratory reduce its backlog and turnaround time through process
improvement?
1.3 Sub questions
1. What criteria constitute efficiency and effectiveness for digital forensic laboratories?
2. What issues do digital forensic laboratories face that impact on their efficiency and
effectiveness?
3. What is the effective framework in use in digital forensic laboratories, as derived from
their as-is processes?
4. How can business process management techniques be applied to a digital forensic
laboratory's processes to improve their efficiency and effectiveness?
1.4 Explanation of the main and sub questions
1.4.1 What criteria constitute efficiency and effectiveness for digital forensic laboratories?
This question will establish what criteria the digital forensic laboratory itself uses to determine
whether it or its processes are efficient or effective. In order to determine whether or not a
process has been improved, it is necessary to determine what the criteria are for measuring
that change and what the goals of process improvement are, to balance trade-offs. As an
example, a process might be considered to have improved efficiency if the cost to perform it
was reduced with only a slight increase in the time required; however, if speed is the highest
priority then the efficiency would have been reduced.
Whether a process is effective is more difficult to determine still, as this is a question of what
the goals and priorities are for the process. As a process may involve multiple participants
who have different roles or are in different departments, opinions may vary on what the
precise goal of the process is. These can vary as a result of the different objectives of
individual participants and how extensive their knowledge of the entire process is.
The same process may also have different goals depending on when or what stage in the
broader process it is performed in, what it is performed on, to whom the outputs are given
and other factors.
The criteria for efficiency and effectiveness will be established through a survey and compared
with those found in the literature review.
1.4.2 What issues do digital forensic laboratories face that impact on their efficiency and
effectiveness?
This question will establish what the issues are that hinder a digital forensic laboratory from
being efficient or effective, as defined by sub question 1. To determine whether process
improvement can reduce the backlog or turnaround time, the issues that are in the process or
affect the process need to be identified so they can be resolved. Information for answering the
question will be primarily sourced from the survey, with supporting information drawn from
the literature review.
1.4.3 What is the effective framework in use in digital forensic laboratories, as derived from
their as-is processes?
This question will establish what the current framework in the digital forensic laboratory is.
This is necessary because, in order to conduct process improvement, the as-is state must first be known.
Information will be gathered through process mapping, using the survey data.
1.4.4 How can business process management techniques be applied to a digital forensic
laboratory's processes to improve their efficiency and effectiveness?
This question will establish in what ways business process management techniques can be
used to improve the efficiency or effectiveness of a process and therefore whether they can be
used to reduce the backlog and turnaround time of the laboratory as a whole. An answer will
be found by creating a new framework using business process management techniques. This
will be a modification of the process determined by sub question 3 that resolves the issues
identified by sub question 2.
2 Literature review
2.1 What is digital forensics?
Initially, digital forensics’ scope was limited to law enforcement investigation of crimes
committed with or on computers and has since expanded to include investigations, by both
law enforcement and commercial firms, of any digital device that can be manipulated for
criminal purposes or have evidence stored on it (Kohn, Eloff & Eloff 2013).
For the purposes of this research, digital forensics will be defined using Willassen and
Mjølsnes’ (2005) definition of digital forensics as “the practice of scientifically derived and
proven technical methods and tools towards the after-the-fact digital information derived
from digital sources for the purpose of facilitating or furthering the reconstruction of events
as forensic evidence” (Kohn, Eloff & Eloff 2013). This is a slight alteration to Palmer’s (2001)
generally accepted definition that does not require digital forensic investigations always be
criminal investigations, allowing it to be applied to other situations such as commercial
investigations (Kohn, Eloff & Eloff 2013).
Under the definition, digital forensics’ primary purpose is to reconstruct the events to
determine a root cause from analysis of digital media. This is done in such a way that the
evidence produced would be admissible in court.
2.2 Background
2.2.1 Brief history
Digital forensics was first used during the 1970s primarily for investigating financial fraud
(Garfinkel, SL 2010; Kohn, Eloff & Eloff 2013). In its infancy, investigators had to contend with
a considerable diversity of different hardware and file formats without the support of formal
investigative processes, training or purpose built software and so had to adapt file recovery
tools to their needs (Garfinkel, SL 2010). As storage capacities were quite small at this time,
analysis was easier and perpetrators had to make heavy use of printouts, limiting the need for
digital forensics (Garfinkel, SL 2010).
During the ‘Golden Age’ between 1999 and 2007, computing largely standardised on Microsoft
Windows XP, a small number of relevant file formats and IDE hard drives for storage, which
allowed digital forensic investigators to be competent while knowing very few systems
(Garfinkel, SL 2010). This period coincided with a rapid uptake in computer use in society and
an accompanying increase in evidence being stored on digital media, leading to a surge in
digital forensic research, professionalisation, tool development and training programs, both
professional and academic (Garfinkel, SL 2010; Overill, Silomon & Roscoe 2013; Turnbull,
Taylor & Blundell 2009).
Much of the progress gained in the previous decade is becoming increasingly irrelevant as the
computing landscape evolves, with Casey, Ferraro and Nguyen (2009), Garfinkel (2010) and
Gogolin (2010) predicting a crisis for digital forensic laboratories in the near future. A number
of factors have contributed to this state of affairs.
2.2.2 Issues in digital forensics
Digital forensics is different
Compared to other forensic evidence, digital evidence is very fragile as it can be easily altered
even just by observing it; examples include alteration of a file’s last modified or last accessed
timestamps, automatic deletion of data on solid state drives by powering them on and remote
wipe of mobile devices (Bell & Boddington 2010; Cantrell et al. 2012; Gogolin & Jones 2010).
Additionally, digital evidence is often not well understood or trusted by the courts, with
judges and prosecution still having a limited understanding of technology (Gogolin & Jones
2010). Digital evidence’s fragility, lack of trust and a belief that not preserving all media will
leave a case open to legal challenge have combined to overly prioritise evidence capture and
preservation over analysis speed (Richard III & Roussev 2006). Together, this has resulted in
extensive backlogs and long turnaround times as substantial resources are wasted on
preserving all media, without pre-processing exhibits to determine their evidentiary value
(Casey, Ferraro & Nguyen 2009; Gogolin & Jones 2010; Hunton 2010).
Increasing workload
Whereas previously only a single computer needed to be analysed for each case, now multiple
exhibits per case are common with SAPOL averaging 4.38 exhibits per case in 2007-08, while
the number of cases per year is also rising (Figure 1) (Turnbull, Taylor & Blundell 2009).
Figure 1 Number of cases and exhibits per case is rising each year, derived from Turnbull, Taylor & Blundell (2009)
[Figure 1: two charts by financial year, 1999/2000 to 2007/2008. First chart: number of exhibits and exhibits per case. Second chart: number of jobs and exhibits per case.]
This is exacerbated by the rising storage capacity of the exhibits which has resulted in the
growth from averages of 84 Gb per case in 2003 to 559 Gb per case in 2011, according to the
FBI’s annual reports (Roussev, Quates & Martell 2013). As digital forensic laboratories often
duplicate media before analysis, and a 3 Tb hard disk can take more than 11 hours just to
acquire, traditional frameworks for digital forensics are becoming infeasible as increasing data
set sizes outstrip the capacity to analyse them in a timely fashion (Roussev, Quates & Martell
2013).
Increasing difficulty
Digital forensic investigators again have to deal with diverse combinations of hardware,
operating systems and file formats (Garfinkel, S 2012). Previously, digital evidence was
primarily located on a single desktop or notebook computer with a removable hard drive
using a standard interface, for which there were well developed and reliable methods for
preserving and analysing the evidence stored on it (Garfinkel, SL 2010). Now, evidence can
also be found on many other devices including mobile phones, tablets, GPS devices, game
consoles, digital cameras, e-book readers and digital CCTV systems, many of which have
proprietary or customised operating systems that may be designed to protect their intellectual
property (Garfinkel, S 2012; Garfinkel, SL 2010; Gogolin 2010). As many of these exhibits
employ non-removable storage or proprietary hardware interfaces, it is often infeasible to
completely preserve the evidence as the system must be powered on and/or modified to
acquire the data (Garfinkel, SL 2010).
Investigators must also analyse many different file formats, including those from the millions
of mobile applications available and those from web services such as Facebook and Google,
which often change the structures of their JSON and XML files (Garfinkel, S 2012; Garfinkel,
SL 2010). This requires regular retraining; however, limited resources and time
pressures mean this is not often achieved (Gogolin & Jones 2010).
Issues impeding analysis
In addition to the factors making it more difficult for investigators to analyse evidence, there
are issues preventing analysis altogether. Effective encryption is becoming easy to use and
pervasive, with built-in support in many operating systems including Windows, OS X, iOS
and Android preventing investigators from accessing data (Cantrell et al. 2012; Garfinkel, SL
2010). Data may not even be stored on the system, but in the cloud, preventing analysis or even
identification (Garfinkel, SL 2010). The potential existence of malware on the defendant’s
system may require a time consuming in-depth forensic examination to determine whether or
not the evidence was created by a remote attacker (Casey, Ferraro & Nguyen 2009). The ‘CSI
effect’ is also contributing to giving courts unrealistically high expectations of forensic
investigators’ capabilities, as these shows give the impression that the work is easy, fast,
error-free and able to easily overcome such obstacles as encryption and overwritten data, all of
which is quite a departure from reality (Garfinkel, S 2012).
Forensic tools
Although the now industry standard forensic analysis tools developed during the ‘Golden
Age’, such as EnCase and FTK, were suitable to the workloads of the time, they are now rapidly
becoming outdated (Ayers 2009; Garfinkel, SL 2010). These tools are designed to run on a
single workstation and, while FTK can store its database on a second system and EnCase can
manage multiple workstations’ process jobs, no court-tested tool can use multiple
workstations in parallel to analyse a single job (grid computing) (Ayers 2009). With device
capacities increasing every year, current forensic tools are not able to analyse the required
data volumes quickly enough (Clayton 2012; Gogolin 2010; Roussev, Quates & Martell 2013).
Other issues that have been identified with current tools include a lack of reliability,
auditability, ability to repeat results or capability to automate tasks (Ayers 2009). Even if they
could be improved, it has been suggested that the fundamentally file-based architecture of
current tools may be insufficient, as the tools should be focused on finding relevant evidence,
not relevant files; for example, emails may be stored as an MSG file, HTML page, in a PST
archive or a ZIP archive but should all be presented in the same format and location to the
investigator regardless of the original storage format (Ayers 2009).
2.3 Significance
The issues described above are significant due to the impact they have on digital forensic
laboratories’ ability to process cases in a timely fashion, which impacts on the justice system
as a whole as investigations are held up, opportunities to apprehend are lost, criminals are able
to remain at liberty and perpetrate further crimes and digital evidence is only available for
serious cases due to limited forensic resources (Casey, Ferraro & Nguyen 2009; Gogolin &
Jones 2010; Kobus et al. 2011). Additionally, defendants may suffer damage to their reputation
while awaiting trial and are without their property while it is held as evidence; for example,
it was 12 months before a teacher accused of accessing pornography during class was cleared
of the charge (Casey, Ferraro & Nguyen 2009).
2.4 Proposed solutions
Richard (2006) calls for faster, automated analysis tools that exploit distributed processing.
Parsonage (2009) calls for better prioritisation of exhibits using triage tools. Hunton (2010)
proposes a framework that integrates digital forensics with the broader investigative process
to allow both to be conducted in parallel and create an information feedback loop. Mislan,
Casey & Kessler (2010) call for better mobile analysis tools that are optimised for on-scene use.
Cantrell et al. (2012) advocate for triage analysis tools to be used early in the digital forensic
process to reduce the amount of resource intensive collection and duplication required. Jones,
Pleno & Wilkinson (2012) propose a process for sampling evidence for illegal images to
expedite the analysis process and reduce exposure to disturbing material.
2.5 Research gap
The proposed solutions largely focus on analysis tools that either perform faster or are better
suited to current analysis and investigation needs, or are focused on specific crime types, or
are not applicable to smaller DFLs as in the case of Hunton (2010). These solutions either do
not look at process improvements beyond the changes needed to implement them, or focus
on only one aspect of the overall process, as Parsonage’s (2009) does. While these can
improve parts of the process, research is needed to improve the process as a whole to make
significant headway in resolving the backlog and turnaround time problems. Looking only at
individual aspects of the process can only achieve limited improvements, although those may
be used as part of improving the whole.
Current frameworks are reactive—they try to definitively describe what digital forensics is,
which keeps changing as the field is relatively new. They are largely not proactive, prescribing
how digital forensics should be performed, for a given reason or reasons.
As there is no widely accepted framework, best practices or processes, there is an opportunity
to develop one (Cantrell et al. 2012; Chaikin 2006; Hunton 2010; James & Gladyshev 2013;
Kohn, Eloff & Eloff 2013; Selamat, Yusof & Sahib 2008). Although there are many published
frameworks, these have been developed with the goal of reactively describing the digital
forensic investigation process more accurately as this new forensic field’s methods and scope
change (Kohn, Eloff & Eloff 2013; Selamat, Yusof & Sahib 2008).
However, they are not evidence based in that they are not based on the processes as they are
actually performed; instead they use each other as their basis, e.g. Kohn, Eloff & Eloff’s (2013)
Integrated Digital Forensic Process Model was “…based on the six SFPMs discussed in the
previous paragraphs.”, not on observation of digital forensic practitioners.
Likewise, such models are not based on or trying to develop best practice but instead develop
a uniform approach and/or standardised terminology. This is eloquently captured by Hunton
(2010) (citing Pollitt (2007) and Selamat et al. (2008)) when he says that “many of the existing
models can be seen to build upon each other by extending earlier approaches with the aim of
becoming more complete and robust.”, rather than prescribing improvements.
2.6 Business process management
In the forensic science domain, there has been a recent move towards adopting business
methodologies—in particular process mapping—as a basis for improving the efficiency and
effectiveness of the laboratory; an example of this is the FORESIGHT project, which seeks to
create benchmarks and standardise terminology in forensic research, so that best practices can
be determined and implemented (Houck et al. 2009).
Process mapping is a method of visually defining all the actions performed to produce a given
output and the relationships, dependencies and flow of information between those actions. By
mapping the current process, it can then be discussed, analysed and improved.
Michigan State Police’s CODIS (COmbined DNA Index System) Unit used process mapping
to successfully reduce its backlog from 10 years to under a year, and increase matches
from evidence left at crime scenes to known criminals by nearly a factor of ten (Thorsen 2005).
Similarly between 2010 and 2011, Louisiana State Police’s Crime Laboratory reduced its
turnaround time from 227 days to 59, and its total backlog from 749 cases to 152 in part due
to performing process mapping (Richard & Kupferschmid 2011).
Lean methodology is the systematic removal of wasteful or non-value adding processes to
improve efficiency and process cycle times and decrease costs (Näslund 2008). Six sigma’s
purpose is to decrease variability in a process to reduce defects, thereby eliminating waste
and increasing customer satisfaction and financial results (Näslund 2008). This is achieved
using statistical methods to identify where fluctuations occur and then eliminating root causes
(Näslund 2008). Combining lean and six sigma allows wasteful processes to be removed first
with lean, exposing issues that could benefit from a six sigma approach (Smith 2003). To apply
lean six sigma, an understanding of the as-is process is required, which process maps provide.
As part of its DNA Backlog Reduction Program, the US National Institute of Justice
demonstrated its support for lean six sigma by authorising funding for its implementation in
two forensic laboratories in 2011, another two in 2012 and six in 2013 including:
• San Francisco Police Department Criminalistics Laboratory (CA)
• Department of Emergency Services and Public Protection, Division of Scientific Services, DNA/Forensic Biology Section (CT)
• Forensic Services Bureau Crime Laboratory (FL)
• Department of Forensic Biology, of the Office of Chief Medical Examiner (NY)
• Allegheny County Office of the Medical Examiner, Forensic Biology Section (PA)
• Monroe County Crime Laboratory (NY)
3 Research methodology
3.1 Validating digital forensic process models
Within the digital forensics discipline, a number of frameworks—abstract representations of
how the digital forensics process could be performed—have been proposed which can be seen
to successively build on each other to resolve identified weaknesses, becoming more complete
and robust (Hunton 2010, p. 386; Kohn, Eloff & Eloff 2013). However, it is unknown whether
these models are effective or efficient, as there is no evidence of them having been
implemented in or derived from actual DFL business practices. As a result, there is an
opportunity to undertake research in order to determine if, or to what degree, these models
describe actual business processes used in a DFL. This can be undertaken by linking each
process in the DFL's process map to corresponding processes in the frameworks, and validating
whether resolving any discrepancies would result in reduced backlogs and turnaround
times.
3.2 Applying business process management to digital forensics
There is an opportunity here to apply process mapping and lean six sigma techniques to
digital forensics and determine whether they can be successfully used to improve the process
workflow to address the backlog and turnaround time issues, as they have with DNA forensics.
3.3 Structure
The first phase of this research will be an extensive literature review focusing on the issues in
digital forensics that have caused the backlog issue, the proposed solutions including the use
of tools and process models which can operate in parallel rather than sequentially, and
solutions to similar problems in other forensic disciplines which could potentially be applied
to digital forensics.
The second phase will be data collection through structured interviews, which will take place at
the participant's usual place of work and take at most one hour. To demonstrate the existence
of the problem using quantitative, first-hand evidence, a sanitised copy of the laboratory’s
database will be requested to show the development of the backlog and turnaround time
issues. This data will also be used to illustrate the expected increasing complexity of casework
through the increase in the number and size of exhibits.
The third phase will focus on analysing the data collected, using the results to develop an
evidence-based, prescriptive framework with an emphasis on efficiency. Finally, the proposed
framework will be validated by expert digital forensic practitioners, to determine whether it
would solve the research problem if implemented.
4 Research schedule
TASK MAR APR MAY JUN JUL AUG SEP Due
Week 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Project plan
Ethics application
Research proposal
Ethics approval
Research 1 - Survey
Research 2 - M@RS
CH3 Research methodology
CH2 Literature review
CH1 Introduction
CH4 As is model
CH5 Proposed model
CH6 Conclusion
5 Proposed Table of Contents
• Abstract
• Table of contents
• List of figures
• List of tables
• CH1 Introduction
  o Motivation
  o Problem
  o Question
    ▪ Sub questions
• CH2 Literature review
  o Define
    ▪ Digital forensics
    ▪ Process mapping, RACI, 6σ
  o Issues in DF
  o Proposed solutions
• CH3 Research methodology
  o Process mapping (as-is)
  o Informal interview, map, follow up
• CH4 ‘As-is’ model
  o Process maps, explanations
  o Model
  o Opportunities for improvement
• CH5 Proposed model
  o Description
  o Validation
• CH6 Conclusion
  o Results
  o Future work
  o Conclusion
• References
6 References
Ayers, D 2009, 'A second generation computer forensic analysis system', The Proceedings of the Ninth
Annual DFRWS Conference, vol. 6, Supplement, pp. S34-S42.
Bell, GB & Boddington, R 2010, 'Solid State Drives: The Beginning of the End for Current Practice in
Digital Forensic Recovery?', The Journal of Digital Forensics, Security and Law, vol. 5, no. 3, p. 5.
Cantrell, G, Dampier, D, Dandass, YS, Niu, N & Bogen, C 2012, 'Research toward a
Partially-Automated, and Crime Specific Digital Triage Process Model', Computer and Information
Science, vol. 5, no. 2, pp. 29-38.
Casey, E, Ferraro, M & Nguyen, L 2009, 'Investigation Delayed is Justice Denied: Proposals for
Expediting Forensic Examinations of Digital Evidence', Journal of forensic sciences, vol. 54, no. 6, pp.
1353-1364.
Chaikin, D 2006, 'Network investigations of cyber attacks: the limits of digital evidence', Crime, Law
and Social Change, vol. 46, no. 4, pp. 239-256.
Clayton, J 2012, 'Investigation into a Digital Forensics Triage Tool using Sampling, Hashes and Bloom
Filters', School of Computing, Edinburgh Napier University, Edinburgh, UK.
Garfinkel, S 2012, 'Lessons learned writing digital forensics tools and managing a 30TB digital
evidence corpus', Digital Investigation, vol. 9, pp. S80-S89.
Garfinkel, SL 2010, 'Digital forensics research: The next 10 years', Digital Investigation, vol. 7,
pp. S64-S73.
Gogolin, G 2010, 'The Digital Crime Tsunami', Digital Investigation, vol. 7, no. 1–2, pp. 3-8.
Gogolin, G & Jones, J 2010, 'Law Enforcement's Ability to Deal with Digital Crime and the
Implications for Business', Information Security Journal, vol. 19, no. 3, pp. 109-117.
Houck, MM, Riley, RA, Speaker, PJ & Witt, TS 2009, 'FORESIGHT: A Business Approach to
Improving Forensic Science Services', Forensic Science Policy & Management: An International Journal,
vol. 1, no. 2, pp. 85-95.
Hunton, P 2010, 'Cyber Crime and Security: A New Model of Law Enforcement Investigation',
Policing, vol. 4, no. 4, pp. 385-395.
James, JI & Gladyshev, P 2013, 'Challenges with Automation in Digital Forensic Investigations', arXiv,
Dublin, Ireland,
Jones, B, Pleno, S & Wilkinson, M 2012, 'The use of random sampling in investigations involving child
abuse material', The Proceedings of the Twelfth Annual DFRWS Conference, vol. 9, Supplement,
pp. S99-S107.
Kobus, H, Houck, M, Speaker, P, Riley, R & Witt, T 2011, 'Managing Performance in the Forensic
Sciences: Expectations in Light of Limited Budgets', Forensic Science Policy & Management: An
International Journal, vol. 2, no. 1, pp. 36-43.
Kohn, MD, Eloff, MM & Eloff, JHP 2013, 'Integrated digital forensic process model', Cybercrime in the
Digital Economy, vol. 38, pp. 103-115.
Mislan, RP, Casey, E & Kessler, GC 2010, 'The growing need for on-scene triage of mobile devices',
Digital Investigation, vol. 6, no. 3, pp. 112-124.
Näslund, D 2008, 'Lean, six sigma and lean sigma: fads or real process improvement methods?',
Business Process Management Journal, vol. 14, no. 3, pp. 269-287.
Overill, RE, Silomon, JAM & Roscoe, KA 2013, 'Triage template pipelines in digital forensic
investigations', Triage in Digital Forensics, vol. 10, no. 2, pp. 168-174.
Parsonage, H 2009, 'Computer Forensics Case Assessment and Triage -- some ideas for discussion',
viewed 31 March 2014,
<http://computerforensics.parsonage.co.uk/triage/ComputerForensicsCaseAssessmentAndTriageDiscussionPaper.pdf>.
Richard III, GG & Roussev, V 2006, 'Next-generation Digital Forensics', Communications of the ACM,
vol. 49, no. 2, pp. 76-80.
Richard, M & Kupferschmid, TD 2011, Increasing Efficiency of Forensic DNA Casework Using Lean Six
Sigma Tools, Louisiana State Police Crime Laboratory, LA, United States.
<https://www.ncjrs.gov/App/Publications/abstract.aspx?ID=257166>.
Roussev, V, Quates, C & Martell, R 2013, 'Real-time digital forensics and triage', Triage in Digital
Forensics, vol. 10, no. 2, pp. 158-167.
Selamat, SR, Yusof, R & Sahib, S 2008, 'Mapping process of digital forensic investigation framework',
International Journal of Computer Science and Network Security, vol. 8, no. 10, pp. 163-169.
Smith, B 2003, 'Lean and Six Sigma–A One-Two Punch', Quality Progress, vol. 36, no. 4, pp. 37-40.
Thorsen, WC 2005, 'Value Stream Mapping & VM', SAVE International 45th Annual Conference, SAVE
International.
Turnbull, B, Taylor, R & Blundell, B 2009, 'The Anatomy of Electronic Evidence - Quantitative
Analysis of Police E-Crime Data', 2009 International Conference on Availability, Reliability and Security,
pp. 143-149.