Computer forensic triage is usually defined as the process by which projects or activities are prioritized to determine which should be attempted first, second, etc. and which projects or activities should never be done at all. This process applies to the forensic examination process to determine which data should be investigated first, second, etc. and which data should not be investigated at all. Triage considers the value of investigating, the complexity and the cost and the order in which the investigation should be accomplished.
The focus of forensic triage is to:
- Find useable evidence quickly
- Identify possible victims that may be at risk
- Direct the ongoing investigation
- Identify potential charges
- Assess the possible danger the suspect poses to society