Triaging a computer and options

10 Posts
9 Users
0 Reactions
1,621 Views
hcso1510
(@hcso1510)
Reputable Member
Joined: 15 years ago
Posts: 303
Topic starter  

I was looking at an article about triaging a computer and wondered what types of products might be out there and if there were any law enforcement agencies using these products in the field.

If by “pulling the plug” we lose volatile information (system time, the users logged on, lists of open files, network information and connections, process information, contents of the clipboard, mapped drives, the contents of RAM, etc.), then are there tools designed to capture this data?

I got lured in by a product called triage examiner: http://www.adfsolutions.com/ The title is what got me, but it appears to be something like ImageScan? It also has a $1400 licensing fee for one year.

Can anyone out there recommend a product or maybe some training that they received from their local ICAC?

Thanks!


   
(@cfunn)
Eminent Member
Joined: 17 years ago
Posts: 20
 

Dell have a new solution with Evidence Talks called SPEKTOR. Go to www.spektor.co.uk for more info or give the team a call on +44 (0) 845 125 4400 or info@evidencetalks.com.


   
(@miket065)
Estimable Member
Joined: 21 years ago
Posts: 187
 

Ed, there are several options out there for on-scene triage including MS COFEE (Free - LEO Only).

http://www.nw3c.com/

Or, collect your own trusted tools and run them with a batch file (my preferred method).

Mike


   
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

DriveProphet is a good triage tool.
http://www.driveprophet.com/

Plus there are always options such as F-Response on the system and the use of imaging tools such as FTK Imager that can do a memory dump as well as allow you to pull down from the HDDs reg hives, event logs, MFT, etc., so you can do a triage that way with other free tools depending on your skill sets.


   
balzanto
(@balzanto)
Trusted Member
Joined: 18 years ago
Posts: 57
 

Triage is a rather overused term in digital forensics right now. To me, triage is prioritizing your evidence for what has to be examined first based on the importance and relevance to the case.

Acquiring volatile data, on the other hand, is not exactly triage as this would/should occur on every live machine encountered during the seizure. While doing this, certain information is learned that can be useful for triage but not in and of itself.

A tool like ADF is more of a targeted collection tool.

Before you make any purchase, first figure out what it is you want to accomplish. You may find that something like F-Response Tactical and your current toolset can get the job done.


   
harryparsonage
(@harryparsonage)
Estimable Member
Joined: 20 years ago
Posts: 184
 

Triage is certainly becoming a term that is being used in several senses by many people and various vendors, and they often all mean different things.

I work for ADF now, having retired from the police after 30 years' service with the last 10 years managing a Computer Forensics Unit. I brought ADF into our unit in 2007 to reduce the backlog and it was very successful at doing that.

Since then it has developed into a tool that can do most if not all of the tasks that people refer to as triage. It can capture volatile information from a live system - memory, ports and processes, screenshots of open screens, clipboard dump, and then collect Internet history, user profile details, most used applications all at the same time. It can be used in both a live and from boot situation to search for keywords, hashes, fuzzy hashes for pictures, regex and collect files based on many different user defined parameters.

I would recommend to anyone looking at triage in whatever sense to have a go at the evaluation and see what you think.

I understand financial constraints and that cops will have a go at whatever they can get their hands on to try and get the job done but you rarely get something for nothing.


   
(@adfsolutions)
Joined: 16 years ago
Posts: 10
 

Quoting hcso1510: "I got lured in by a product called triage examiner. http://www.adfsolutions.com/ The title is what got me, but it appears to be something like ImageScan?"

Ed,
Have you had a trial of Triage-Examiner? I ask because you cannot compare Triage-Examiner to Image-Scan or any other freeware tool. Triage-Examiner is far superior and, most importantly, our users have seen a significant return on their investment in time and resources saved. You are welcome to do a 30-day trial of our software. You can request this directly at our website (http://www.adfsolutions.com/index.php?option=com_user&view=login&return=aHR0cDovL3d3dy5hZGZzb2x1dGlvbnMuY29tL2luZGV4LnBocD9vcHRpb249Y29tX2NvbnRlbnQmdmlldz1hcnRpY2xlJmlkPTExMSZJdGVtaWQ9OTU=), or contact us at info at adfsolutions.com.

Regards,
JJ Wallia
CEO/Co-founder
ADF Solutions, Inc.


   
hcso1510
(@hcso1510)
Reputable Member
Joined: 15 years ago
Posts: 303
Topic starter  

JJ,
Thanks for the response. I believe I misused the term and apparently asked for something I don’t really need. My department receives about a half dozen tips per year related to CP that require a knock and talk. We also execute between 10 and 12 computer-related search warrants.

Last month I received ImageScan training for two reasons. It was free, sponsored by www.rcfl.gov and I needed some type of certification. I would still like to have something that would document open applications and processes.

Short of having a tool to capture the data I am talking about, the suggestion was made to bring a video camera to the scene of a search warrant. I could then open the task manager and document the apps and processes. I have no doubt that by doing this I would change some data, but I wouldn’t be loading CP on a hard drive, loading search terms or whatever you want to add to the list.

I would document everything I did and provide a copy of the video to the defense. Now, as you can see, I don’t have any backlog that I need to clear out, so I don’t know if your product necessarily applies to what I was looking for and failed to describe properly.


   
(@armresl)
Noble Member
Joined: 21 years ago
Posts: 1011
 

Videotaping or photographing a monitor doesn't always work as planned and can produce awful-looking results.

You can always print screen and paste into a document from the user's computer and email it to yourself, wifi it to yourself, insert a CD and burn it, insert a thumb drive and burn it, or install a capture package to a thumb drive and run that software to capture the screens. There are no major changes made by any of these methods.



   
bshavers
(@bshavers)
Estimable Member
Joined: 20 years ago
Posts: 211
 

Consent searches on running computers should consist of using tools meant for that purpose. However, there are tools that, although maybe not developed for consent searches, can be used with the same veracity of evidence collection. Sysinternals is a good example of obtaining most everything you need of open processes and computer information.

With seized computers, as long as the original evidence is write-protected or the work is conducted on an image, then most any (forensic) tool works to either prioritize the work or find the easy evidence that can lead to additional case leads, suspect admissions, or suspect confessions.

There are many ‘systems’ available for this work, some free, others not. Practically any forensically sound Linux Boot CD can be used in a consent search scenario. For the non-Linux folks, a forensically sound Windows bootable environment can be built for free or purchased as a pre-built system. In a Windows forensic environment, nearly any Windows forensic tool can be used. There are free LE/military only systems and programs such as Field Search (NIJ), ImageScan (FBI), and Tux4n6 (NW3C) as well as paid systems such as ADFSolutions, Encase Portable, and DriveProphet.

It is also a fairly simple process to build your own live and/or forensic bootable system (Linux or Windows), suited to what you or your team needs to do. Your collection of tools can be made to search a live system or run from a forensically sound booted system. I'd say that anyone can build their own system using the tools on hand without spending any additional money. It all comes down to how much money and time you do/don't have to spend.


   
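As an added illustration (this is not a script posted by anyone in this thread, nor anything from ADF, Dell, NW3C or another vendor), here is the kind of trusted-tools batch file Mike describes above, collecting the volatile items Ed lists in the opening post (system time, logged-on users, processes, network connections, open files, clipboard, mapped drives) with the Sysinternals utilities bshavers mentions, and documenting the run the way Ed says he would want to for the defense. It assumes a layout of my own choosing: the script sits on trusted, write-blocked media with a TOOLS folder beside it holding its own copies of the Windows and Sysinternals tools (pslist, psloggedon, handle, tcpvcon), and the output drive is given as the first argument. The clipboard step assumes PowerShell 5 or later for Get-Clipboard; a RAM image is deliberately left to a dedicated memory acquisition tool such as the FTK Imager mentioned earlier.

```batch
@echo off
REM ------------------------------------------------------------------
REM volatile.bat -- volatile-data collection from trusted media.
REM Added example for this thread; not a tool from any poster or vendor.
REM Assumptions (mine, not the thread's):
REM   - this file and a TOOLS folder with trusted copies of the tools
REM     live on write-blocked media (USB stick or CD);
REM   - Sysinternals pslist, psloggedon, handle and tcpvcon are in TOOLS;
REM   - the first argument is a separate writable drive for output.
REM Every command is timestamped in collection_log.txt and every output
REM file is SHA-256 hashed at the end so the run can be documented and
REM disclosed.
REM ------------------------------------------------------------------
setlocal
if "%~1"=="" (
    echo Usage: volatile.bat ^<output-drive^>   e.g. volatile.bat E:
    exit /b 1
)
set "TOOLS=%~dp0TOOLS"
set "OUT=%~1\OUT\%COMPUTERNAME%"
if not exist "%OUT%" mkdir "%OUT%"
set "LOG=%OUT%\collection_log.txt"
REM Trusted tool folder first so our copies win over anything on the
REM suspect machine's PATH.
set "PATH=%TOOLS%;%PATH%"

echo === Volatile collection started %DATE% %TIME% on %COMPUTERNAME% === > "%LOG%"
echo Examiner account: %USERNAME% >> "%LOG%"

REM Order of volatility: clock and logged-on users first, then processes,
REM network state, open handles, clipboard, then the slower inventory.
call :run 01_datetime      "echo %DATE% %TIME%"
call :run 02_loggedon      "query user"
call :run 03_psloggedon    "psloggedon -accepteula"
call :run 04_processes     "tasklist /v"
call :run 05_services      "tasklist /svc"
call :run 06_pslist_tree   "pslist -accepteula -t"
call :run 07_netstat       "netstat -ano"
call :run 08_tcpvcon       "tcpvcon -accepteula -a -n"
call :run 09_ipconfig      "ipconfig /all"
call :run 10_arp           "arp -a"
call :run 11_mapped_drives "net use"
call :run 12_open_handles  "handle -accepteula -a"
call :run 13_clipboard     "powershell -NoProfile -Command Get-Clipboard"
call :run 14_systeminfo    "systeminfo"
REM RAM is not imaged here; use a dedicated memory acquisition tool.

echo === Collection finished %DATE% %TIME% === >> "%LOG%"
REM Hash everything written (log included, now that it is complete).
REM certutil ships with Vista and later.
for %%F in ("%OUT%\*.txt") do (
    certutil -hashfile "%%F" SHA256 >> "%OUT%\hashes.sha256"
)
endlocal
exit /b 0

:run
REM %1 = output file base name, %2 = quoted command line to execute.
echo [%TIME%] %~2 >> "%LOG%"
%~2 > "%OUT%\%~1.txt" 2>&1
echo [%TIME%] exit code %ERRORLEVEL% >> "%LOG%"
goto :eof
```

Run it from a command prompt opened with the trusted cmd.exe on the media, e.g. `volatile.bat E:`. Each tool's output lands in its own numbered file, failures (for instance `query user` on an edition that lacks it) are captured in that file with the exit code in the log rather than aborting the run, and hashes.sha256 lets anyone verify the output set later. Running anything on a live box still changes state, as Ed notes, which is exactly why the log records what ran and when.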