Thursday, July 12, 2012

Triage Computers to Reduce Forensic Backlogs and Lower Costs

Forensic backlogs are a major problem today, and many forensic labs have drastically reduced backlogs by implementing proven triage processes. In some cases backlogs have been reduced by as much as 90% over a period as short as six months.
Real-world forensic experience shows that 40% to 50% of all full forensic examinations return negative results. Full examinations can take weeks, whereas triage scans can take only hours to detect the same negative findings, thereby saving significant expense and time.

Extreme ease of use

Triage-Examiner from ADF Solutions is deployed on a Triage key (a 32GB USB flash drive or USB hard drive) and does not require expensive computers or hardware components. Using predefined search profiles, the setup process can be done in two easy steps. The tool is completely automated and runs directly on the suspect computer with minimal user interaction. Triage-Examiner can also utilize the suspect computer to view the results in real time.

Find critical evidence in minutes

When inserted into the target computer, Triage-Examiner automatically collects critical information and identifies valuable evidence. The collected data can be viewed immediately on the target computer or examined later for further analysis.

Powerful search capabilities find evidence fast

Powerful search intelligence can be easily configured by users to identify critical evidence, including search terms, hash values, image analysis, and regular expressions. The search can be narrowed by file properties, including dates, file size, etc. Triage-Examiner also collects extensive system captures, including Internet search and browsing histories, browser map search history, USB device history, and most-used applications.
Triage-Examiner’s ability to find targeted digital evidence faster is enhanced by use of its powerful activity sensor technology to target recently used areas of a drive.

Comprehensive reporting capabilities

Viewing detailed scan results on a suspect computer is simple through Triage-Examiner’s comprehensive viewing and reporting capabilities. Details of this critical evidence are easily organized and shared wherever appropriate.

Single device to triage computers using Windows, Macintosh, and Linux platforms

When out in the field, it is critical that examiners have a simple, single tool that can extract intelligence from multiple devices and systems. Triage-Examiner was designed with this in mind and supports multiple operating platforms including Windows, Macintosh, and Linux.

Scan multiple computers simultaneously with a single license to lower investigation costs

Triage-Examiner is designed to scan computers with a single USB-based ADF license dongle and a separate generic (non-ADF) USB collection device. As a result, users can set up unlimited generic USB collection devices and leverage a single ADF license dongle to start simultaneous scans on multiple computers.

Live analysis of computers running Windows to capture volatile evidence

When examiners cannot risk losing valuable information by turning off a suspect computer, they need to be able to capture the evidence from a running or live device. Triage-Examiner allows live analysis of computers running Windows that cannot be shut down, which minimizes the risk of losing valuable intelligence by capturing all volatile data, including memory from all 32-bit and 64-bit Windows operating systems.

Fully configurable collection of artifacts

Triage-Examiner includes configurable file header definitions for file collection and unallocated space file carving. These key features give forensic examiners the highest confidence in the triage results.

Reuse and share forensic intelligence

SearchPaks® are configurable containers that specify what to search for and where to search for it on the target computer. SearchPaks can be fully customized by forensic examiners to adapt to virtually any investigation. They are also encrypted and permission-restricted, which makes them easy to disseminate to other examiners inside or outside the organization. The forensic triage community is actively sharing powerful SearchPaks, including those for indecent image detection, indecent keyword detection, registry collection, anti-forensic application detection, and encryption application detection.

Advanced image analysis to quickly identify illegal images

Triage-Responder includes advanced image-matching technology that bypasses the traditional hash value limitations for identifying altered and similar images, including those that have been deleted or found in Thumbs.db files. This technology has helped identify conclusive evidence without deploying time-consuming forensic resources.

Forensically sound to ensure the chain of custody

When investigating sensitive cases, such as those of child exploitation, it is vital that all necessary evidence is viable in order to prosecute the offender. Forensic triage provides a forensically sound strategy to get quick results while maintaining the integrity of the case and preserving all the collected files, including log records.

Digital First Responder training program

In order to best prepare our customers to use our products, we have developed a two-day user training program for forensic and non-forensic users. We also offer a “Train the Trainer” program.

Triage-Examiner Kit

The Triage-Examiner Kit includes:
  • One portable travel case
  • One licensed authentication key
  • One 32GB high-speed USB key
  • One bootable CD
  • One USB extension cable
  • One teasing needle
  • One portable flashlight

ADF Triage-Examiner – Lab Add-On  

The Lab Add-On allows users to run Triage-Examiner software on their laptops or forensic workstations to scan drive images, physical drives, DVDs, CDs, and other removable media that are connected to the forensic workstation.


Real-World Testimonials

ADF tools have been selected and deployed by agencies worldwide.
