Triage-investigator

Digital forensics has become an increasingly important tool for the military in combating cyber threats.

As early as 1984, the FBI Laboratory and other law enforcement agencies began developing programs to examine computer evidence [1]. Since the publication of ISO 17025 by the Scientific Working Group on Digital Evidence (SWGDE) which was centered around the best practices for computer forensics, standards and guidelines were established to help computer forensics investigators. It became clear that the proper computer forensic software needed to be produced to allow for the collection of data but also function with changing technology in our modern era. The right computer forensic software should allow for each stage of digital evidence collection to be completed successfully. Investigation's reliability is predominantly determined by the validity and correctness of computer forensic software tools and their application process [2]. This post will focus on computer forensic software tools and how they can be beneficial in the process of digital evidence collection. 

A long, long time ago in a galaxy far far away
(2006 to be exact and the galaxy was Maryland USA)
It was a period of innovation.
Computers, USBs, all kinds of devices ... 
Some people were committing digital crimes
from their seemingly hidden bases in the digital world. 

ADF's Quick-Saved Credentials profile is a powerful profile that extracts the usernames and passwords from Web Browsers and is built so it will not trigger antivirus applications when attempting to collect web credentials. This makes the investigator's job easier on-scene, requires less interaction with the device, and allows for more records to be parsed thereby giving the computer forensic investigator the ability to quickly collect critical information for their investigation.

Learn how to use the ADF Quick Saved Credentials Profile to uncover Web credentials in this short 2-minute video tutorial. Collecting saved credentials quickly gives access to accounts that may have been previously unknown and allows investigators to do preservation orders and search warrants. 

ADF tools have the ability to scan all available Mac computers (M1 and T2 chips) with all types of encryption and virtual drives by running a remote agent that communicates with the desktop application. 

Welcome! You have a requirement or need and decided to evaluate one of the ADF products for your computer forensic, mobile forensic, or triage workflows. You have observed the videos and have most likely been through a demonstration or two and have a better understanding of the functionality you are looking for. We here at ADF Solutions want to make sure you get the most out of your evaluation, and that starts with a smooth transition to the evaluation phase.

When conducting digital forensic investigations that involve live (up and running) computers, it is imperative to collect volatile memory so that all your bases covered and so that no vital evidence is lost.  A live analysis conducted in the correct manner will yield the results you are looking for in your investigation.  It has become commonplace and an accepted practice to collect data from a live computer, especially in cases of child exploitation. ADF software makes it easy for detectives and investigators to perform a RAM capture in the proper manner with as little intrusion as possible.

The number of backlogged digital evidence requests has continued to rise over the years. The total number of backlogged evidence requests was over 570,000 in 2014 and every one of those requests is associated with a case that affects real people. This is why we love forensic triage, and why you should too.

During a criminal investigation, prioritizing the evidence is paramount to your success as an investigator. Filtering what is critical to the case and what isn't is the difference between the success and failure of an investigation. 

Forensic triage - sometimes referred to as "digital forensic triage" - is the process by which you collect, assemble, analyze, and prioritize digital evidence from a crime or investigation.

Within ADF software and forensic triage products, including Digital Evidence Investigator, Triage-Investigator, or Triage-G2, an investigator can quickly find Dark Web traces. This can be done in Quick Profiles but in this video, Rich Frawley shows how to use an Intermediate Profile to triage a suspect machine to identify Dark Web traces. These can be found in ADF's Anti-Forensic Traces Capture. 

The Encrypt backup feature in iTunes locks and encodes your information. In this short How To video, Director of Training, Rich Frawley shows investigators how to remove the known iTunes backup password, if required.

Investigators can now scan all available Mac computers (including macs with T2 or M1 chips) with all types of encryption and virtual drives by running a remote agent that communicates with the desktop application. Now you can perform digital forensic triage on all Macs including

• macOS T2 chip
• macOS M1 chip
• Mac Fusion Drive

Crimes against children investigations can lead CSAM investigators to have to review thousands or even tens of thousands of images. Investigators need tools to help them find relevant evidence quickly. 

Regular Expressions - (also known as "regex") are special strings representing a pattern to be matched in a search operation and they can be particularly useful in mobile and computer forensics investigations. 

One of the ways we allow investigators to find and focus on relevant evidence is by allowing investigators to customize and bring in a unique set of keywords using a substring or with regular expressions. ADF forensic tools also implement regular expression keywords in our trace captures and keyword lists. So why are Regular Expressions different from using regular keywords?

ADF digital forensic software is known for rapid file and artifact collection but we're also widely respected for our seamless user interface. No matter whether you are using Mobile Device Investigator, Triage-Investigator, Triage-G2, Digital Evidence Investigator or our PRO tools, ADF tools are designed to make it easy for investigators to quickly determine what to scan and how to scan it. 

Getting ready to work off site, out of the lab, out of your office, and in someone else's domain is never an easy task. Whether it's a search warrant, in a client's office, suspect's residence, or some other off-site location, being prepared is the key to your success as a digital forensic investigator.

Learn how to easily remove CSAM images and other properties from view

One of the most important factors in a child exploitation investigation, is having the ability to show a report to a colleague, co-worker, prosecutor, or present to present your findings in court without re-victimizing the subject of the photo, or shocking the sense of the viewer of the report. Having a professional report that still reflects the properties that need to be presented is essential to your case.

As digital technology becomes more advanced, the potential for its criminal application is magnified. This can result in overwhelming amounts of digital data for law enforcement to inspect in a limited timeframe. Although opportunities to find digital evidence on a perpetrator's or victim's computer may be numerous, the time it takes to search through such vast quantities of data contributes to the issue of growing forensic backlogs. 

Today’s smartphones, tablets, and computers are faster, smarter, and capable of holding more and more data than ever before. They offer more storage and the ability to connect to the cloud and to Internet of Things (IoT) devices.  

Faced with more and more data, more and more police forces are adopting forensic triage methodologies to handle digital evicence on-scene, in the lab, or both in the field and lab. 

ADF Solutions Introduces Field Investigator™ for Teams

There’s a new way to give digital forensic examiners control of investigations and empower non-technical front-line investigators. Meet Field Investigator™ for Teams, the best way to deploy digital forensic triage capabilities to agents for on-scene digital evidence collection and analysis.

Looking to add key words on-scene? ADF has you covered. In this how-to video, investigators and analysts will learn how to add keywords directly from the Collection Key. As a digital evidence investigator, ADF provides the ability to create a collection key with or without Search Profiles and add keywords just before the start of a scan.

Our digital forensic specialist knows that as someone who used to go out and execute search warrants and conduct knock and talks, the ability to overcome and adapt on-scene is vital to a successful outcome. In this how-to video, Rich explains how to create a Collection Key without Search Profiles and how to add keywords prior to starting a scan from the Collection Key. 

This blog post will feature our Settings page, and tips and tricks to understanding it. The first thing users will notice on the settings page is the Backed-Up Licenses. This displays all licenses that have been backed up on this computer. When selecting a license it will display all the information pertaining to that license and also enable users to delete the license from the backed up licenses folder. Additionally, the information here can be used when making a support call or using the support portal.

Our newest How-To video will cover how to image from either the Desktop tool or the USB device (Collection Key) on a Boot and Live Scan. 

When using ADF tools to collect files, either by File Properties, Hashes, or Keywords, ADF tools provide  three methods for file identification:

With ADF digital forensic software tools, it's possible to scan multiple devices simultaneously and have them as part of one scan. However, there are some items we need to keep in mind when preparing to scan multiple devices.

Once you have completed your investigation and need to archive your case, the most efficient method is to use the Stand Alone Viewer, which can be found within the reporting module. This viewer provides an all-in-one solution that includes a self-contained folder with a standalone application that gives you the ability to view the results. It is independent of the ADF suite of tools and does not require a license to use. By using the Stand Alone Viewer, you can be sure that all tags, comments, filters, and sorting will be included in the output. Please note that it is not possible to run the Stand Alone Viewer from read-only storage devices such as CDs or DVDs.

ADF digital forensic software comes with approximately a dozen out-of-the-box default search profiles designed to make it quick and easy for non-technical field investigators to quickly search for digital evidence. 

In this short How To video, you'll learn how to import and export an ADF digital forensic Search Profile. This allows investigators to create a Custom Search Profile on one computer and export it so that it is available to be imported into another installation on another computer so forensic examiners or senior investigators can create and share profiles with:

In this short How To video, digital forensic specialist Rich Frawley, will show you how to collect and share digital evidence files with prosecutors and third parties using ADF Software. This video is ideal for learning how to share evidence with prosecutors for review. 

Fast investigations require rapid access to evidence. ADF software enables investigators to quickly view the links of artifacts captured from a target device so you can easily understand a user's activities. 

In this short 5 minute video, you'll learn how to filter digital forensic scan results in ADF software. Filtering is available in any table while analyzing any of your scan results. In this how-to video, we'll look at:

Investigate on-scene with a single license for smartphones, tablets, and computers 

Front line investigators and digital forensic examiners are encountering an ever increasing number of images in almost every investigation they perform. This exponential growth in the volume of images can challenge investigators searching for illicit online activity, Child Sexual Abuse Material (CSAM), extremist propaganda, or other types of image content. 

In this short video, ADF digital forensic specialist, Rich Frawley, demonstrates ADF's digital forensic image recognition and classification capabilities. 

Technology has become more powerful and portable, allowing a more significant amount of information to be created, stored, and accessed. This shift in the information technology landscape (mobile, cloud, IoT, etc.) has made the collection and analysis of digital evidence a critical factor in investigating and solving virtually all types of crimes. 

There are serious Internet related crimes, that need to be investigated quickly, child exploitation related offenses for instance. For example, in the United Kingdom, the National Crime Agency recently estimated that about 140,000 out of nearly 3 million registered dark web accounts registered on child abuse sites are UK-based.

Digital Evidence Investigator^® gives investigators the ability to customize Search Profiles and determine exactly what and where you want to look for digital evidence. This is especially convenient when looking to tailor a search for a forensic triage type scan or a targeted collection. This is accomplished by using the Targeted Folders Option when creating a custom file capture.

ADF Solutions’ New Software Delivers Forensic Capabilities to Police and Investigators

Bethesda, Maryland: ADF Solutions, the leading provider of automated forensic software for investigators and lab examiners, today announced the release of Mobile Device Investigator® the newest forensic software to investigate iOS and Android devices.  Qualified professionals can request a free trial of Mobile Device Investigator™ at www.tryadf.com.

ADF offers the best digital forensic solution for getting relevant data from an Apple Mac laptop or desktop running APFS since it is easy to use and offers investigators a quick and easy way to collect and analyze evidence.  In this short 3-minute video, ADF's digital forensic specialist, Rich Frawley shows how to boot a MacBook Air (APFS, non-encrypted) with Digital Evidence Investigator.

As a forensic investigator, there will come a time when you will come across the occasional computer that is difficult to get to the HDD and it may be encrypted by default, such as the Microsoft Surface Pro. In this short video, you'll learn how to easily conduct a boot scan of a Microsoft Surface Pro with Bitlocker activated.

Of all the investigations that a law enforcement agency may undertake, there may be none as difficult to deal with as crimes perpetrated against minors. The proliferation of online child exploitation material continues to be an issue worldwide, from child pornography to the facilitation of human trafficking. Luckily, investigators are not having to combat this problem alone thanks to industry solutions like those provided by ADF Solutions and the organizations below.  

Whether you are preparing to go on-scene or you are in your digital forensic lab getting ready to perform triage or one or more digital forensic scans, this video tutorial will show you how you can easily create a keyword capture and add keywords to a Search Profile.  We begin from when you have started to create a Custom Search Profile and want to add your own unique keywords.

ADF software lets investigators and examiners search for files by keyword(s) using substrings or regular expressions.  ADF software allows you to search for keywords in all file and folder names, file content and metadata, and artifact records from other captures.

ADF digital forensic software including Digital Evidence Investigator^® (DEI) and Triage-Investigator^® come with out-of-the-box default Search Profiles. In this short video tutorial, we use Digital Evidence Investigator to demonstrate "What is a Search Profile?".

In DEI the Search Profiles are maintained in the Setup Scans Menu option. The Search Profile, when run, will collect the information selected within the Search Profile. Search Profiles will run from the desktop application or from the collection key on a Live or Boot scan.

When you're faced with a mountain of digital evidence, how do you start sifting through it? For law enforcement, litigation support, and incident response agencies organizing and prioritizing digital media and electronically stored information (ESI) is crucial.

Adopting an Early Case Assessment (ECA) methodology helps expedite and improve overall case efficiency and productivity; reducing backlogs and increasing turnaround times.

In the early 18th century, triage was used to refer to the action of sorting items according to quality and was taken from the French word trier which means to sort, separate out or cull. 

>> Continue reading or watch the Benefits of Triage webinar recording. 

In 2009, the number of backlogged digital evidence requests in publicly funded forensic crime labs was 1,600. By the end of 2014, that number had risen to 7,800. While that's tiny in comparison to the total number of backlogged evidence requests (over 570,000 in 2014!), every one of those requests is associated with a case that affects real people. This is why we love forensic triage, and why you should too.

One of the reasons that investigators choose ADF software as their primary triage tool is because it can be used standalone or in conjunction with traditional forensic software.  Forensic Triage is ideal for front-line investigators because it's fast, easy-to-use, and can net results in situations where time matters. Deployed in a forensic lab, triage software can reduce forensic backlogs and allow forensic examiners to prioritize deep dive forensic investigations.

The term triage naturally brings to mind a medical emergency where you need to get in quickly, assess the damage and deal with the most serious problems first. Digital forensic triage has the same application but it's applied to a crime scene or investigation which involves computers or other digital media. Standard forensic methods normally take place in a forensic lab where a trained forensic examiner would perform a complete examination. Digital triage is a front line step in saving time and reaching satisfactory results faster.

ADF triage performance is fast -- built to be under two minutes for certain scans. Digital forensic triage speed and performance can vary based on a number of factors including the triage software you are using, the search criteria you choose, the suspect hardware configuration, and how much you know about what you are looking to understand in your investigation.

The best tools for rapid Mac forensics investigations just got better with ADF's release of new software versions to support the collection of artifacts with Mac OS Mojave Forensics and MacOS High Sierra as well as from Windows. 

ADF's New Forensic Software Empowers Investigators and Prosecutors

ADF Solutions, the leading provider of automated forensic software for investigators and lab examiners, announced today the release of new software versions 1.4 for Digital Evidence Investigator^Ⓡ, and versions 4.4 for Triage-Investigator^Ⓡ, and Triage-G2^Ⓡ software.  

"We are very excited to be the first digital forensic software to parse macOS Mojave log files natively under Windows strengthening our macOS support", stated Raphael Bousquet, CTO, and co-founder of ADF Solutions. "In our world of fast and efficient forensic analysis, we strive to reduce data noise for the investigator. The addition of picture and video classification is a great step in the right direction!"

A precise timeline view links user activities with pictures, videos, and files of interest so investigators can quickly build a digital forensic report to share with prosecutors or other investigators.  The new version leverages enhanced automation and enables investigators to run in-depth digital forensics scans quickly.  The highlights of this new release for the investigative and forensic community include:

What's the fastest, easiest way to perform RAM Dump? While there are many tools and techniques available to examiners for recovering data from volatile memory, ADF Digital Evidence Investigator^®, Triage-Investigator^®, and Triage-G2^® are fast and easy. 

A simple 2-step process lets even the most non-technical field investigators or highly trained digital forensic examiners quickly perform a RAM capture when running a live scan on the computer from a collection key: 

1. Click "Create RAM Dump" from the main menu
2. The RAM Dump will be saved to the collection key as a .bin file and then zipped

A criminal forensic lab located in one of the largest U.S. Federal agencies was working on an extensive child exploitation case and had seized 37 total hard drives that contained over 38 terabytes of data. The case was high profile and the forensic team had a short window of time to examine the contents of the confiscated drives. Technical resources were limited and imaging drives and conducting traditional forensic examinations would be very time consuming. With the amount of data that needed to be searched, the investigators realized that it could potentially be weeks before the examinations were complete and the case could move forward. In addition the case would require significant disk storage space to hold all of the images.

Digital forensic experts understand the importance of remembering to perform a RAM Capture on-scene so as to not leave valuable evidence behind. Capturing volatile data in a computer's memory dump enables investigators and examiners to do a full memory analysis and access data including:

There are many cases where time is critical in a police investigation. This is increasingly true in a world where digital evidence can be an essential element in capturing a suspect or solving a crime. Digital data can implicate or clear suspects and utilizing digital evidence to your investigative advantage can allow you to act quickly while on-scene.

Starting digital investigations while at the scene has become increasingly important in fluid crime situations such as terrorism threats, active shooter situations, gang activity, or sex trafficking. Field digital forensic investigations (a.k.a. field triage) can also be useful in CyberTip investigations or any crime where a digital device may have photos, video, audio, or other data that could be useful in identifying suspects, victims or protecting evidence.

Today, ADF is announcing the release of new digital forensic software versions for our products: 

• Digital Evidence InvestigatorⓇ (DEI) version 1.3.0 
• Triage-InvestigatorⓇ version 4.3.0
• Triage-G2Ⓡ version 4.3.0

ADF Solutions, a leading provider of digital forensic and media exploitation tools, has released Triage-Investigator, the latest evolution of ADF's award-winning digital forensic triage tool designed for field deployment. Triage-Investigator has a proven track record of providing investigators with easy, quick access to court-defendable evidence to process criminal cases.