FAQ

Frequently Asked Questions


You can purchase ADF triage tools directly on-line, through our Training Partners, or by contacting us.


| Features | New Triage Tools | Triage-ID® |
|---|---|---|
| Run directly on "live" and "dead" computers | YES | NO |
| Install and run on Windows 64-bit OS | YES | NO |
| Control operator scan permissions | YES | NO |
| Unicode, multiple encodings support | YES | NO |
| Email analysis (pst, ost) | YES | NO |
| Windows / Linux / Macintosh support | YES | NO |
| System captures (CapturePaks®) | YES | NO |
| Configurable file identification and carving | YES | NO |
| Full unallocated and slack space analysis | YES | NO |
| Boot from Triage Key (USB drive) | YES | NO |
| Advanced bookmarking and reporting | YES | NO |
| Use USB keys (FAT32) or hard drives (NTFS) as Triage Keys | YES | NO |
| Logical/physical imaging of suspect drives | YES | NO |
| Granular SearchPak® set up (metadata filters, drive areas etc.) | YES | NO |

Yes. The ADF tools can also accommodate high-capacity hard drives instead of USB memory keys. ADF can also provide these drives but additional charges will apply.

The default Triage Key (USB key) provided in the ADF tools is as follows:

  • Triage-Examiner® and Triage-Investigator®: Transcend V20 8GB memory key.
  • Triage-G2®: Corsair Flash Voyager GTR 32 GB Hi-speed memory.

Alternatively, larger-capacity keys can be selected, or other brands can be requested by the client (additional charges for these keys apply).

ADF can also accommodate high-capacity hard drives instead of USB memory keys.

ADF Solutions offers one- (1) or three- (3) year subscription (or term) licenses with its software. During the license term all support, maintenance, and upgrades are included. Annual renewals can be purchased to extend the license terms.

ADF used to offer perpetual licenses but these were discontinued in late 2007.

Yes, a subscription (or term) license does stop working when the term expires. If your renewal has been delayed and the license has either expired or is about to expire, ADF Solutions can provide you with a temporary extension so that there is no interruption in the software service. Please contact us to request an extension.

ADF is not offering perpetual licenses anymore. We have, however, made some exceptions for certain government agencies whose internal policies mandate perpetual licenses. Note that these agencies have placed orders of 500 licenses or more to warrant this exception. If your agency mandates perpetual licenses and is willing to purchase 500 or more units of software, ADF will consider accommodating your request. Additional charges to accommodate perpetual licenses may apply.

Yes. ADF provides comprehensive support for our users. Please visit our Support page for details.

The Triage-Examiner® and Triage-Investigator® tools now include automatic software upgrades if they have access to the Internet.

In addition, all the registered forum users are notified by email when a new upgrade is available for download.

Yes. If your renewal has been delayed and the license has either expired or is about to expire, ADF Solutions will provide you with a temporary extension to your subscription (or term) license so that there is no interruption in the software service. Please contact us to request an extension.

The Triage-Examiner® and Triage-Investigator® tools are offered with a Triage Kit. The kit is designed to be light and ultra-portable and contains several key components that are essential to both field and lab triage. The price is US $99 per kit. This does not include the ADF software license, which must be purchased separately. Please click here for details.

Yes. Trial downloads (or evaluations) of the Triage-Examiner® and Triage-Investigator® software tools will be available shortly at no charge. Instructions and details can be accessed here.

The trial downloads (or evaluations) of Triage-Examiner® and Triage-Investigator® offer the same features as the full versions, but will only collect a limited number of records. This means that the trial versions should not be used to solve real cases.

If you are not a forensic examiner, we ask that you please coordinate with a forensic examiner within your organization to supervise or perform the evaluation of the ADF tools. This is because non-forensic examiners will require proper training to set up, use, and evaluate the tools. Once this training is complete, non-forensic examiners can easily use the tools.

Yes. ADF provides full support during the trials (or evaluations) of its triage tools.

All Triage-ID® users who have active subscription (or "term") licenses qualify for software upgrades to Triage-Examiner® or Triage-Investigator® at no charge. There is, however, a charge of US $99 per license for the Triage Kit.

Expired subscription (or "term") licenses or perpetual licenses do not qualify for any upgrades to the new ADF tools. To determine what license type you have, please copy the "license.adf" file from your Triage-ID® dongle and email it to our support team. We will get back to you with an answer within 48 hours.

We have sent emails to all Triage-ID® users on how to upgrade to the new Triage-Examiner® and Triage-Investigator® tools. If you have not received this email, please call us at +1301-312-6578 ext. 115 or email us at info@adfsolutions.com.

Here are the general steps:

1. Assess the number of active Triage-ID licenses that you have and determine how many you want to upgrade.
2. Determine whether you want to upgrade these licenses to either Triage-Examiner® or Triage-Investigator®. The general rule is Triage-Examiner for forensic examiners and Triage-Investigator for non-technical users (including investigators). For more details on the differences, please visit the "Selecting the right ADF tool" section in this FAQ.
3. Please contact us via phone or email with details on the number of active Triage-ID licenses you want to upgrade and the allocation of these licenses between Triage-Examiner and Triage-Investigator. There will be no charge for the software upgrades but all upgrades will require a purchase of the Triage Kit and any associated shipping costs. The Triage Kit has a one-time cost of US $99 – please click here for details.
4. We will send you an invoice for the purchase of the triage kits and once acceptance is confirmed, we can process and ship the upgrades right away.

Yes. Triage-Examiner® and Triage-Investigator® allow you to scan multiple computers with a single Authentication Key (license dongle). However, you will need one Triage Key for each computer if you want to scan multiple computers at the same time.

Please note that Triage-G2® and Triage-Lab® do not allow this.

If you have been through a prior DFR training and have been regularly using Triage-ID®, then the updated DFR training is optional. On our user forum, ADF will be offering instructional videos that highlight the differences between the tools and provide instructions on how to use the new tools.

We will also be offering workshops at certain conferences to highlight the differences between the tools and provide instructions on how to use the new tools.

ADF plans to offer current DFR certification holders an opportunity to take the updated certification exam. However, this examination will be offered after August 2010. A new certification fee of US $149 will apply to any users whose last DFR training was done prior to Feb. 1, 2010.

 

Yes. All Triage-ID® qualifying upgrades to Triage-Examiner® and Triage-Investigator® require a purchase of the Triage Kit. The kit is US $99 and the price of this kit does not include the ADF software license, which must be purchased separately. Please click here for details.

The following features will not be introduced in the first release of the new tools. The estimated release schedule is as follows:

| Features | Estimated Release Date |
|---|---|
| Email analysis (pst, ost) | Sep 2010 |
| Format Triage Key with NTFS | Sep 2010 |
| Macintosh support | Sep 2010 |
| CapturePak® for state of drive encryption | Sep 2010 |
| Volatile memory (RAM) dump | Sep 2010 |
| Full unallocated and slack space analysis | Oct 2010 |
| CapturePak® for password information | Oct 2010 |
| CapturePak® for Windows encryption keys | Oct 2010 |
| Logical/physical imaging of suspect drives | Oct 2010 |
| EXT 4 (Linux) support | Nov 2010 |


The only limitation is that investigator users can now only create keyword SearchPaks® in the new Triage-Investigator® tool. This limitation was requested by our user base. If you are an investigator who wants to create more complex SearchPaks®, then we recommend that you use Triage-Examiner® instead.

Here is a comparative analysis of user tasks across Triage-Examiner®, Triage-Investigator®, and Triage-ID®.

| User Task | Triage-Examiner® | Triage-Investigator® | Triage-ID® |
|---|---|---|---|
| Create SearchPaks®: File collection | YES | NO | NO |
| Create SearchPaks®: Keywords | YES | YES | YES |
| Create SearchPaks®: Hash sets | YES | NO | YES |
| Create SearchPaks®: Regular expressions | YES | NO | YES |
| Create SearchPaks®: Image signatures | YES | NO | YES |
| Set up advanced* SearchPak® features | YES | NO | NO |
| Set up basic Search Profiles | YES | YES | YES |
| Set up advanced* Search Profiles | YES | NO | NO |
| Run triage scans with basic Search Profiles | YES | YES | YES |
| Run triage scans with advanced Search Profiles | YES | YES | NO |
| Run triage scans on "live" computers | YES | YES | NO |
| Run triage scans from USB keys | YES | YES | NO |
| Review evidence on suspect computer | YES | YES | YES |
| Bookmark evidence on suspect computer | YES | YES | NO |
| Create reports | YES | YES | YES |

* Note:

  • "Advanced" includes configuring customer header/footer definitions for file identification, configurable file carving from unallocated space analysis, and access to other advanced technical setup features

Yes. Triage-ID® will continue to be offered and supported. However, there will be no upgrades except for critical bug fixes.

The new Triage-Lab® is due in fall 2010.

All Triage-Live functionality has been integrated into the new Triage-Examiner® and Triage-Investigator® tools. As a result, Triage-Live® will no longer be offered. However, the product will continue to be supported but there will be no upgrades.

Yes. ADF will continue to offer an updated DFR training. This updated training will be offered after July 1, 2010, and will be adapted to the new ADF tools.

The following table provides a high-level review of the differences between the Triage-Examiner® and Triage-Investigator® tools. Both tools run the same triage engine so all search features and functionalities are the same. The key differences are in setting up the Search Profiles and SearchPaks®.

| User Task | Triage-Examiner® | Triage-Investigator® |
|---|---|---|
| Create SearchPaks®: File collection | YES | NO |
| Create SearchPaks®: Keywords | YES | YES |
| Create SearchPaks®: Hash sets | YES | NO |
| Create SearchPaks®: Regular expressions | YES | NO |
| Create SearchPaks®: Image signatures | YES | NO |
| Set up advanced* SearchPak® features | YES | NO |
| Set up basic Search Profiles | YES | YES |
| Set up advanced* Search Profiles | YES | NO |
| Run triage scans with basic Search Profiles | YES | YES |
| Run triage scans with advanced Search Profiles | YES | YES |
| Run triage scans on "live" computers | YES | YES |
| Run triage scans from USB keys | YES | YES |
| Review evidence on suspect computer | YES | YES |
| Bookmark evidence on suspect computer | YES | YES |
| Create reports | YES | YES |

* Note:

  • "Advanced" includes configuring customer header/footer definitions for file identification, configurable file carving from unallocated space analysis, and access to other advanced technical setup features

If you are a qualified forensic examiner looking to:

  1. Run triage tools directly on suspect computers, the correct tool for you is Triage-Examiner®.
  2. Run triage tools directly on drive images, the correct tool for you is Triage-Lab®.
  3. Set up and manage investigators who will triage suspect computers, the correct tool for you is Triage-Examiner®, but the correct tools for your investigators will be Triage-Investigator®.

Triage-G2® is the right tool for defense/intelligence operatives. Recent prospect evaluations have shown that Triage-G2® is the most powerful data exploitation tool available today.

If you are an investigator/detective looking to:

  1. Run triage tools directly on suspect computers, the correct tool for you is Triage-Investigator®.
  2. Run triage tools directly on drive images, CD/DVDs, or other external media, the correct tool for you is Triage-Lab®.

If you are an e-discovery professional looking to:

  1. Run triage tools directly on suspect computers, the correct tool for you is Triage-Examiner®.
  2. Run triage tools directly on drive images, the correct tool for you is Triage-Lab®.

If you are an IT professional looking to:

  1. Run triage tools directly on suspect computers, the correct tool for you is Triage-Examiner®.
  2. Run triage tools directly on drive images, the correct tool for you is Triage-Lab®.

Triage-Examiner®, Triage-Investigator®, and Triage-G2® can be used to scan computers that are off (dead).

  1. Triage-Examiner® is for forensic examiners and e-discovery professionals.
  2. Triage-Investigator® is for non-forensic examiners including investigators, detectives, child protection officers, parole/probation agents, and border agents.
  3. Triage-G2® is for defense/intelligence operatives.

Triage-Examiner®, Triage-Investigator®, and Triage-G2® can be used to scan computers that are on (live).

  1. Triage-Examiner® is for forensic examiners and e-discovery professionals.
  2. Triage-Investigator® is for non-forensic examiners including investigators, detectives, child protection officers, parole/probation agents, and border agents.
  3. Triage-G2® is for defense/intelligence operatives.

Triage-Lab® can scan drive images in EWF and DD formats.

The Triage-Lab® tool is the most appropriate for scanning removed hard drives. However, Triage-Examiner®, Triage-Investigator®, and Triage-G2® can be used for this.

Using Triage-Lab:

  1. Attach the removed hard drive to the computer running Triage-Lab
  2. Start Triage-Lab
  3. Select the removed hard drive as target system
  4. Select SearchPaks
  5. Start triage scan

Using other ADF triage tools:

  1. Prepare a Triage Key (in interactive mode)
  2. Attach the removed hard drive to a friendly computer
  3. Start the triage application
  4. Isolate the removed hard drive as target system
  5. Start triage scan

The triage process can take minutes or hours, depending on your goals and objectives. Specifically:

1. Do you need to find evidence as quickly as possible (time restricted)?

  • If YES, then the ADF triage tools can be configured to search the highest probability areas of a computer first so that you can achieve your goals. See ActivitySensor for more details.

2. Do you need to scan the entire hard drive?

  • If YES, then this will take some time and should probably run overnight. Keep in mind that this will still be much faster than processing a case for a full forensic examination – the difference is hours for a triage scan versus days for processing a drive image.

With regard to variables, the triage process primarily depends on the following factors:

  1. The memory (RAM) of the suspect computer.
  2. The read/write speeds of the suspect hard drive.
  3. The read/write speeds of the Triage Key (USB key).
  4. The size of your SearchPaks®. You can contact us for more details.

Yes. You will need one Triage Key for each computer if you want to scan multiple computers simultaneously.

Yes. ADF has been providing triage tools for investigators since 2005 and we have numerous success stories with our clients. The Triage-Investigator® tool is very easy for non-technical users. Please visit our client testimonials and white papers.

ADF has prepared a comprehensive white paper to address the forensic support required for your triage programs. This paper will answer most of the questions you have. If there are any unanswered questions, please do not hesitate to contact us, and we will be happy to answer them for you.

ADF has prepared a comprehensive white paper to address this. This paper will answer most of the questions you have. If there are any unanswered questions, please do not hesitate to contact us, and we will be happy to answer them for you.

CapturePaks® are pluggable software libraries designed to collect and analyze specific information from the suspect computer. ADF Solutions periodically releases new CapturePaks®, and they can be downloaded at no additional cost.


SearchPaks® are configurable containers that define the evidence to search for and where to search for it on the target computer. They are also encrypted and permissions-restricted to make it easy for information to be disseminated to other users inside or outside the organization.

  • Forensic examiners can fully customize SearchPaks® to adapt to virtually any investigation.
  • Investigators can create basic keyword SearchPaks® for their investigations.


Search Profiles contain:

  • SearchPaks®
  • CapturePaks®
  • Security settings and user permissions to manage associated risks

Yes. ADF provides an FTP server that hosts valuable SearchPaks® created by our users who decide to share them.

Note that you will have to have law enforcement-designated Authentication Keys to use the SearchPaks® created by the law enforcement agencies.

Yes. Forensic examiners can fully customize SearchPaks® to adapt to virtually any investigation. These SearchPaks® can be given to investigators who can run them for their own investigations. Investigators can also create basic keyword SearchPaks® for their investigations.

No. Currently only ADF Solutions can create CapturePaks®.

Yes. Forensic examiners can fully customize Search Profiles to adapt to virtually any investigation. These Search Profiles can be given to investigators who can run them for their own investigations. Investigators can also create basic Search Profiles for their investigations.

Yes. However, the user rights and restrictions can be defined in each SearchPak®.

Both SearchPaks® and Search Profiles created by forensic examiners can be given to investigators who can run them for their own investigations.

No. The ADF tools are forensic triage tools designed to preprocess cases prior to their submission for full forensic examinations. They are not meant to substitute for full forensic examinations; however, the time savings for identifying negative computers is significant.

No. The ADF tools are forensic triage tools designed to preprocess cases prior to their submission for full forensic examinations. They are not meant to substitute for full forensic examinations.

The two-day Digital First Responder® Training and Certification program is designed to equip attendees with knowledge and skills to properly use the ADF triage tools.

Please visit our Training Partners to see where ADF offers DFR training. If your country is not listed on this page, please contact us to schedule training.

DFR training classes can be organized and held in most countries. Training classes are scheduled on a request basis and generally held at client locations. Please contact us to schedule a training or for pricing and further details.

Yes. Please visit our Train the Trainer page for details.

Are you a forensic examiner looking to run triage tools in a forensic lab?

  • If YES, then DFR training is optional. However, ADF strongly recommends that you view the training videos that are available on the ADF user forum.

Are you a forensic examiner looking to set up and manage investigators who will triage suspect computers?

  • If YES, then ADF considers attendance of a DFR training with the investigators to be mandatory. An understanding of what the investigators are trained to do will facilitate a smooth triage program for your organization.

ADF considers training mandatory for defense/intelligence operatives. Most defense/intelligence agencies that purchase the ADF triage tools will integrate the ADF training in other training programs for operators.

ADF also offers agencies a Train the Trainer program.

Digital First Responder® (DFR) training is optional for e-discovery professionals. However, ADF strongly recommends that these users view the training videos that are available on our user forum.

ADF considers DFR training mandatory for investigators/detectives to use the triage tools properly.

Please visit our Training Partners to see where ADF offers DFR training. If your country is not listed on this page, please contact us to schedule training.

ADF also offers agencies a Train the Trainer program.

ADF considers DFR training mandatory for child protection officers to use the triage tools properly.

Please visit our Training Partners to see where ADF offers DFR training. If your country is not listed on this page, please contact us to schedule training.

ADF also offers agencies a Train the Trainer program.

ADF considers DFR training mandatory for parole/probation officers to use the triage tools properly.

Please visit our Training Partners to see where ADF offers DFR training. If your country is not listed on this page, please contact us to schedule training.

ADF also offers agencies a Train the Trainer program.

ADF considers DFR training mandatory for customs/border agents to use the triage tools properly.

Please visit our Training Partners to see where ADF offers DFR training. If your country is not listed on this page, please contact us to schedule training.

ADF also offers agencies a Train the Trainer program.

DFR Training is optional for IT professionals. However, ADF strongly recommends that these users view the training videos that are available on our user forum.