Evaluation Instructions for Digital Evidence Investigator®, Triage-Investigator®, Triage-G2®

Thank you for your interest in evaluating ADF. For your convenience, the ADF Software Evaluation Kit comes with one 8GB Evaluation Key (USB). This Evaluation Key serves both as a license key and as the device used to launch a scan of a stand-alone computer and store the collected data.

Please note, you can also use a larger drive as a collection drive (see the Create Your Own Collection Drive section below).


System Requirements

Operating System Requirements

  • Windows 7 64-bit, 16 GB of RAM, 20 GB of free hard drive space
  • Windows 8.1 64-bit, 16 GB of RAM, 20 GB of free hard drive space
  • Windows 10 64-bit, 16 GB of RAM, 20 GB of free hard drive space

Getting Started

  • Insert the Evaluation Key into your computer and execute the MSI installer
  • Follow the installation wizard instructions
  • During the installation, you will be prompted to install the Windows ADK 10, which is required for scanning powered-off computers. See the User Guide for an offline installation.
  • The Evaluation Key must be prepared before it is used on a target computer. To set up the Evaluation Key, see the instructions below
  • If you encounter errors during the installation, please refer to the Troubleshooting section

IMPORTANT: Register your License for Software Updates

YOU ARE NOW READY TO USE THE ADF SOFTWARE

Scanning a Target Computer

If you are going to scan a computer (powered-on or powered-off), you will need to prepare the USB Evaluation Key for data collection.

  • Start the ADF application
  • Navigate to Prepare Collection Key
  • Select the Search Profile(s) you would like to have available for the scan
  • Select the USB Evaluation Key
  • Click the PREPARE button

Remove the USB key when prompted. You are now ready to scan a computer.

To scan a powered-off computer, refer to the User Guide for navigating the BIOS/Firmware setup and boot options.

To scan a powered-on computer:

  • Insert the prepared USB Key into the target computer
  • Execute the Start.bat file stored on the USB key
  • Go to the Scan Computer screen
  • Select your target device(s)
  • Select your desired Search Profile
  • Enter your Scan Information
  • Click the SCAN button

Once the scan has completed you will be prompted to review the results.

Comprehensive instructions on all phases of a scan (data collection, analysis and reporting) can be found in the relevant product User Guide.

Scanning a Storage Device

IMPORTANT: Make sure to connect your target storage device (flash drive, removed hard drive, etc.) to your computer (forensic workstation) using a write blocker.

To scan an external storage device or drive images:

  • Start the ADF application
  • Navigate to Scan Devices and Images
  • Select your target device(s).
    • Physical Drives are denoted by a hard disk icon
    • Logical volumes are listed beneath the physical drive entry
    • Attached devices are denoted by a flash drive icon
    • BitLocker / FileVault 2 volumes are flagged (the volume will be disabled if not decrypted)
    • Specific targeted folders are denoted by a folder icon
    • Image files (E01 or .dd) are denoted by an image icon
  • Select your desired Search Profile
  • Enter your Scan Information
  • Click the SCAN button

Once the scan is completed you will be prompted to review the results.

Comprehensive instructions on all phases of a scan (data collection, analysis and reporting) can be found in the relevant product User Guide.

How to View the Scan Results

You can view the data collected during a scan (the scan result) while a scan is paused or after a scan. When a scan completes, click View Results; to open a result later, from the Home page:

  1. Select Review Scan Results
  2. Click on the View button of the scan result to open
  3. Navigate through the collected data from the left Navigation bar or the Summary page
  4. Use the right toolbar to show more or fewer columns, filter records, assign tags and comments, and view the classifier progress

Rosoka Add-on Notes: entities are extracted in the Viewer and progress can be seen with the Classifier button. Extracted entities are visible in the Details pane of the selected record.

OPTIONAL: Creating a Boot CD for Scanning Older Computers

  • The Evaluation Key can scan powered-off computers if the computer BIOS is set up for a USB boot. However, the BIOS on some older computers may only allow a CD/DVD boot option. You will need to create an ADF Boot CD for this. (Note: The full ADF Kit includes this Boot CD.)
  • To create your own bootable CD, download the most recent plpbt-5.0.X.zip, extract the plpbt.iso, then right-click it and select "Burn disc image" to burn the image to your CD.

OPTIONAL: Create Your Own Collection Drive

If you need to collect more than 8GB of data (the size of the Evaluation Key) during your scan, you can create your own collection drive. There is no limit on the size of the USB device that you use; however, ADF recommends using a high-speed USB 3 SSD device for optimum performance. ADF has tested and includes a Samsung T3 250 GB SSD or a Corsair GTX 256 GB SSD in the full, purchased Kits.

Please note that using a USB device that does not meet these specifications will affect the performance and speed of the scan.

To create your own collection key:

  • Insert the USB device you want to use as a collection key
  • From the Home page select “Prepare Collection Key”
  • In the Collection Keys section, select your desired USB device
  • To complete the preparation, follow the on-screen prompts

Evaluation vs. Full License

The ADF Evaluation Software Kit has a trial expiration period but is not feature restricted. There are, however, two hardware-related restrictions with regard to scanning stand-alone computers.

Limited 8GB Storage Capacity of Evaluation Key

  • The full ADF Kit comes standard with a 250 GB high-speed SSD device to launch a scan of a stand-alone computer and store collected data. Alternatively, you can use other generic high-capacity devices (e.g. 1TB, 2TB, etc.). Note: This limitation only applies to scanning stand-alone computers.

Scanning Multiple Computers

  • The Evaluation Key is both a license key and a scan/storage device; consequently, it can scan only one stand-alone computer at a time. The full ADF Kit comes with a dedicated license key, which allows you to scan multiple stand-alone computers simultaneously. If you would like to scan multiple computers, see the Create Your Own Collection Drive section to create multiple collection keys.
