It's a known issue that many agencies and departments are facing worldwide; how to fight and reduce backlog to stay up to date on cases so that they don't get stale. It's a serious issue, but we at ADF can show you a few ways to fight in-house backlog with digital forensic triage.

RAM, short for Random Access Memory, is physical hardware that temporarily stores data for quick read and write access. Think of RAM as a scratch pad you use while working; although all the information you need and may refer to is stored in a binder (in this analogy, your hard drive), the information on the scratch pad is what you are using and need right in the moment. With RAM, it is right there for you to access. While RAM helps with the speed and efficiency of the computer, it can all be lost in an instant as it is volatile.

ADF computer triage has long been admired for some of the best digital forensic triage capabilities on the market. Since 2006, ADF digital forensic experts have been building triage tools to empower investigators to quickly collect evidence and on-scene intelligence from computers and digital devices.

With a record number of attendees, speakers and exhibitors, the 2019 National Cyber Crime Conference organized by Massachusetts Attorney General Maura Healey's office this past week was a huge success with law enforcement professionals from 38 states, Canada, the UK and Africa. 

The NCCC event was especially important to ADF since it's our first major conference of the year and it's where we officially launched our new Mobile Device Investigator™ for iOS and Android investigations.  Our launch featured a demo by our digital forensic specialist, Rich Frawley who joined ADF after 22 years in law enforcement. 

When conducting digital forensic investigations that involve live (up and running) computers, it is imperative to collect volatile memory so that all your bases covered and so that no vital evidence is lost.  A live analysis conducted in the correct manner will yield the results you are looking for in your investigation.  It has become commonplace and an accepted practice to collect data from a live computer, especially in cases of child exploitation. ADF software makes it easy for you to perform a RAM capture it in the proper manner with as little intrusion as possible.

Learn how to conduct a Windows live scan with ADF Solutions Digital Evidence Investigator.  Two USB ports are required to complete a scan, one for the Collection Key and one for the Authentication Key, once the scan has started the Authentication Key can be removed. A USB hub may be used in cases where the target computer only has one USB port. 

When running a live scan from a Collection Key it is possible to create a RAM dump of the computer. RAM dumps can then be analyzed with appropriate software (e.g. Volatility). 

One of the reasons that investigators choose ADF software as their primary triage tool is because it can be used standalone or in conjunction with traditional forensic software.  Triage is ideal for front-line investigators because it's fast, easy-to-use, and can net results in situations where time matters. Deployed in a forensic lab, triage software can reduce forensic backlogs and allow forensic examiners to prioritize deep dive forensic investigations.

While there are many tools and techniques available to examiners for recovering data from volatile memory, ADF Digital Evidence Investigator^®, Triage-Investigator^®, and Triage-G2^® are fast and easy. 

A simple 2-step process lets non-technical investigators and examiners quickly perform a RAM capture when running a live scan on the computer from a collection key: 

1. Click "Create RAM Dump" from the main menu
2. The RAM Dump will be saved to the collection key as a .bin file and then zipped

Here are a few of the highlights of the best parts of the 2018 National Cyber Crime Conference hosted by the Massachusetts Attorney General's Office (AGO) this past week. 

Digital forensic experts understand the importance of remembering to perform a RAM Capture on-scene so as to not leave valuable evidence behind.  Capturing volatile data in a computer's memory dump enables investigators and examiners to do a full memory analysis and access data including: