Digital Forensics: Empowering Experts On-Scene and in the Lab
ADF forensic tools are the best lightweight, portable digital forensic software devices used worldwide to solve lab and front-line field investigations:
- Mobile Device Investigator™ - Android and iOS field forensic software
- Digital Evidence Investigator® - end-to-end forensic investigation software used in the lab and the field for rapid collection, analysis and reporting.
- Triage-Investigator® - automated digital forensics software designed for teams and distributed field units for intelligent collection, analysis, and court-ready reporting.
- Triage-G2® - the world’s best handheld media exploitation tool deployed by special forces, military, and intelligence agencies worldwide.
- Rosoka Add-on (for Entity Extraction and English Gisting for 230+ Languages)
- ADF PRO Tools - combine the power of Mobile Device Investigator with any of ADF's market leading computer triage and forensic tools
Capabilities and Features
What are the differences between Triage-Investigator and DEI?
Each copy of Triage-Investigator DOES NOT NEED a corresponding copy of DEI to setup custom Search Profiles. However, agencies should have at least one copy of DEI to provide custom Search Profiles to all Triage-Investigator installations at the same agency. Without this, Triage-Investigator users will be limited to only the default Search Profiles shipped with the software. For details on the default Search Profiles, please contact email@example.com.
View a complete ADF Product feature comparison
Can the ADF tools be used by non-technical users?
Are the ADF tools forensically sound?
|Description||Powered-OFF Computers||Powered-ON Computers|
|Change to file time stamps||No||No|
|USB key registry entry in standard mode||No||Yes|
|USB key registry entry in stealth mode (Triage-G2 only)||No||No|
What are the key differences among the ADF tools?
All ADF forensic tools share the same search and scan engine. The differences are aimed at 1) usage scenarios – specifically military operations, forensic lab examination, and field investigations, and 2) user risk management.
Triage-G2® has been designed to meet military media exploitation requirements. The tool is primarily used by operators who have training to both run the tool (basic mode) and with additional training, the option to configure the tool (advanced mode). It also offers a stealth mode for live scans, advanced search configurations, and an integrated authentication and collection key for optimized workflow. It is however limited to scanning a single computer at one time.
Digital Evidence Investigator® (DEI) has been designed to meet both forensic lab and field triage requirements. It is primarily used by both forensic examiners and investigators who have training to run and configure the tool (advanced mode only). It also offers advanced search configurations, and separate authentication and collection keys which allows users to scan multiple computers simultaneously. It does not offer stealth mode during live scans or the ability to switch to basic user mode.
Triage-Investigator® has been designed for field triage requirements. It is primarily used by investigators with limited digital forensic training in running the tool (basic mode only). This basic user mode allows for ease of use and limits user risk. It also offers a separate authentication and collection keys which allows users to scan multiple computers simultaneously. It does not offer stealth mode during live scans, advanced search configurations, or the ability to switch to advanced mode.
See our ADF forensic tool comparison page here: ADF Product feature comparison
What are the ADF capabilities for scanning live (on) computers, dead (off) computers, removed hard drives, and drive images?
|Live (on) computers|
|Dead (off) computers|
|Removed hard drives|
|External media (CDs, DVDs, SD cards, USB drives, etc.)|
|Drive images (dd, e01)|
What computer operating systems will ADF tools work on?
ADF tools are designed to scan the following systems:
Powered-off target computer (boot scan)
- Firmware: BIOS, UEFI, SECURE UEFI, MAC EFI 2.0 (released after 2010)
- CPU: Intel 64-bit or compatible
- RAM: 2GB or more
- File sytems: FAT, NTFS, HFS+, EXT2/3/4
- RAID: 0,1,5
- Windows Dynamic Disks: not supported
Powered-on target computers (live scan)
- Windows Vista/7/8/10 64-bit, Server 2008/2012 64-bit
- Windows Dynamic Disks: simple volumes only (no spanned, striped, mirrored, RAID-5, volumes)
Drive image scan from the Desktop application
- Format: dd and e01
- File systems: FAT, NTFS, HFS+, EXT2/3/4
- OS: Windows, Mac, Linux, iOS, Android
- RAID: rebuilding RAID is not supported, so image must represent a logical disk
Folder scan from the Desktop application
- OS: Windows, Mac, Linux, iOS, Android