Triage-investigator

Getting ready to work off site, out of the lab, out of your office, and in someone else's domain is never an easy task. Whether it's a search warrant, in a client's office, suspect's residence, or some other off-site location, being prepared is the key to your success as a digital forensic investigator.

Learn how to easily remove CSAM images and other properties from view

One of the most important factors in a child exploitation investigation, is having the ability to show a report to a colleague, co-worker, prosecutor, or present to present your findings in court without re-victimizing the subject of the photo, or shocking the sense of the viewer of the report. Having a professional report that still reflects the properties that need to be presented is essential to your case.

As digital technology becomes more advanced, the potential for its criminal application is magnified. This can result in overwhelming amounts of digital data for law enforcement to inspect in a limited timeframe. Although opportunities to find digital evidence on a perpetrator's or victim's computer may be numerous, the time it takes to search through such vast quantities of data contributes to the issue of growing forensic backlogs. 

Today’s smartphones, tablets, and computers are faster, smarter, and capable of holding more and more data than ever before. They offer more storage and the ability to connect to the cloud and to Internet of Things (IoT) devices.  

Faced with more and more data, more and more police forces are adopting forensic triage methodologies to handle digital evicence on-scene, in the lab, or both in the field and lab. 

ADF Solutions Introduces Field Investigator™ for Teams

There’s a new way to give digital forensic examiners control of investigations and empower non-technical front-line investigators. Meet Field Investigator™ for Teams, the best way to deploy digital forensic triage capabilities to agents for on-scene digital evidence collection and analysis.

Looking to add key words on-scene? ADF has you covered. In this how-to video, investigators and analysts will learn how to add keywords directly from the Collection Key. As a digital evidence investigator, ADF provides the ability to create a collection key with or without Search Profiles and add keywords just before the start of a scan.

Our digital forensic specialist knows that as someone who used to go out and execute search warrants and conduct knock and talks, the ability to overcome and adapt on-scene is vital to a successful outcome. In this how-to video, Rich explains how to create a Collection Key without Search Profiles and how to add keywords prior to starting a scan from the Collection Key. 

This blog post will feature our Settings page, and tips and tricks to understanding it. The first thing users will notice on the settings page is the Backed-Up Licenses. This displays all licenses that have been backed up on this computer. When selecting a license it will display all the information pertaining to that license and also enable users to delete the license from the backed up licenses folder. Additionally, the information here can be used when making a support call or using the support portal.

Our newest How-To video will cover how to image from either the Desktop tool or the USB device (Collection Key) on a Boot and Live Scan. 

When using ADF tools to collect files, either by File Properties, Hashes, or Keywords, ADF tools provide  three methods for file identification:

With ADF digital forensic software tools, it's possible to scan multiple devices simultaneously and have them as part of one scan. However, there are some items we need to keep in mind when preparing to scan multiple devices.

When your case is complete and it comes time to archive your case,  the best method is to archive with the Stand Alone Viewer, located within reporting.

ADF digital forensic software comes with approximately a dozen out-of-the-box default search profiles designed to make it quick and easy for non-technical field investigators to quickly search for digital evidence. 

In this short How To video, you'll learn how to import and export an ADF digital forensic Search Profile. This allows investigators to create a Custom Search Profile on one computer and export it so that it is available to be imported into another installation on another computer so forensic examiners or senior investigators can create and share profiles with:

In this short How To video, digital forensic specialist Rich Frawley, will show you how to collect and share digital evidence files with prosecutors and third parties using ADF Software. This video is ideal for learning how to share evidence with prosecutors for review. 

Fast investigations require rapid access to evidence. ADF software enables investigators to quickly view the links of artifacts captured from a target device so you can easily understand a user's activities. 

In this short 5 minute video, you'll learn how to filter digital forensic scan results in ADF software. Filtering is available in any table while analyzing any of your scan results. In this how-to video, we'll look at:

Investigate on-scene with a single license for smartphones, tablets, and computers 

Front line investigators and digital forensic examiners are encountering an ever increasing number of images in almost every investigation they perform. This exponential growth in the volume of images can challenge investigators searching for illicit online activity, Child Sexual Abuse Material (CSAM), extremist propaganda, or other types of image content. 

In this short video, ADF digital forensic specialist, Rich Frawley, demonstrates ADF's digital forensic image recognition and classification capabilities. 

Technology has become more powerful and portable, allowing a more significant amount of information to be created, stored, and accessed. This shift in the information technology landscape (mobile, cloud, IoT, etc.) has made the collection and analysis of digital evidence a critical factor in investigating and solving virtually all types of crimes. 

There are serious Internet related crimes, that need to be investigated quickly, child exploitation related offenses for instance. For example, in the United Kingdom, the National Crime Agency recently estimated that about 140,000 out of nearly 3 million registered dark web accounts registered on child abuse sites are UK-based.

Digital Evidence Investigator^® gives investigators the ability to customize Search Profiles and determine exactly what and where you want to look for digital evidence. This is especially convenient when looking to tailor a search for a forensic triage type scan or a targeted collection. This is accomplished by using the Targeted Folders Option when creating a custom file capture.

ADF Solutions’ New Software Delivers Forensic Capabilities to Police and Investigators

Bethesda, Maryland: ADF Solutions, the leading provider of automated forensic software for investigators and lab examiners, today announced the release of Mobile Device Investigator® the newest forensic software to investigate iOS and Android devices.  Qualified professionals can request a free trial of Mobile Device Investigator™ at www.tryadf.com.

ADF offers the best digital forensic solution for getting relevant data from an Apple Mac laptop or desktop running APFS since it is easy to use and offers investigators a quick and easy way to collect and analyze evidence.  In this short 3-minute video, ADF's digital forensic specialist, Rich Frawley shows how to boot a MacBook Air (APFS, non-encrypted) with Digital Evidence Investigator.

When conducting digital forensic investigations that involve live (up and running) computers, it is imperative to collect volatile memory so that all your bases covered and so that no vital evidence is lost.  A live analysis conducted in the correct manner will yield the results you are looking for in your investigation.  It has become commonplace and an accepted practice to collect data from a live computer, especially in cases of child exploitation. ADF software makes it easy for detectives and investigators to perform a RAM capture in the proper manner with as little intrusion as possible.

As a forensic investigator, there will come a time when you will come across the occasional computer that is difficult to get to the HDD and it may be encrypted by default, such as the Microsoft Surface Pro. In this short video, you'll learn how to easily conduct a boot scan of a Microsoft Surface Pro with Bitlocker activated.

Of all the investigations that a law enforcement agency may undertake, there may be none as difficult to deal with as crimes perpetrated against minors. The proliferation of online child exploitation material continues to be an issue worldwide, from child pornography to the facilitation of human trafficking. Luckily, investigators are not having to combat this problem alone thanks to industry solutions like those provided by ADF Solutions and the organizations below.  

Whether you are preparing to go on-scene or you are in your digital forensic lab getting ready to perform triage or one or more digital forensic scans, this video tutorial will show you how you can easily create a keyword capture and add keywords to a Search Profile.  We begin from when you have started to create a Custom Search Profile and want to add your own unique keywords.

ADF software lets investigators and examiners search for files by keyword(s) using substrings or regular expressions.  ADF software allows you to search for keywords in all file and folder names, file content and metadata, and artifact records from other captures.

ADF digital forensic software including Digital Evidence Investigator^® (DEI) and Triage-Investigator^® come with out-of-the-box default Search Profiles. In this short video tutorial, we use Digital Evidence Investigator to demonstrate "What is a Search Profile?".

In DEI the Search Profiles are maintained in the Setup Scans Menu option. The Search Profile, when run, will collect the information selected within the Search Profile. Search Profiles will run from the desktop application or from the collection key on a Live or Boot scan.

When you're faced with a mountain of digital evidence, how do you start sifting through it? For law enforcement, litigation support, and incident response agencies organizing and prioritizing digital media and electronically stored information (ESI) is crucial.

Adopting an Early Case Assessment (ECA) methodology helps expedite and improve overall case efficiency and productivity; reducing backlogs and increasing turnaround times.

In the early 18th century, triage was used to refer to the action of sorting items according to quality and was taken from the French word trier which means to sort, separate out or cull. 

>> Continue reading or watch the Benefits of Triage webinar recording. 

In 2009, the number of backlogged digital evidence requests in publicly funded forensic crime labs was 1,600. By the end of 2014, that number had risen to 7,800. While that's tiny in comparison to the total number of backlogged evidence requests (over 570,000 in 2014!), every one of those requests is associated with a case that affects real people. This is why we love forensic triage, and why you should too.

During a criminal investigation, prioritizing the evidence is paramount to your success as an investigator. Filtering what is critical to the case and what isn't is the difference between the success and failure of an investigation. 

Forensic triage - sometimes referred to as "digital forensic triage" - is the process by which you collect, assemble, analyze, and prioritize digital evidence from a crime or investigation.

One of the reasons that investigators choose ADF software as their primary triage tool is because it can be used standalone or in conjunction with traditional forensic software.  Forensic Triage is ideal for front-line investigators because it's fast, easy-to-use, and can net results in situations where time matters. Deployed in a forensic lab, triage software can reduce forensic backlogs and allow forensic examiners to prioritize deep dive forensic investigations.

The term triage naturally brings to mind a medical emergency where you need to get in quickly, assess the damage and deal with the most serious problems first. Digital forensic triage has the same application but it's applied to a crime scene or investigation which involves computers or other digital media. Standard forensic methods normally take place in a forensic lab where a trained forensic examiner would perform a complete examination. Digital triage is a front line step in saving time and reaching satisfactory results faster.

ADF triage performance is fast -- built to be under two minutes for certain scans. Digital forensic triage speed and performance can vary based on a number of factors including the triage software you are using, the search criteria you choose, the suspect hardware configuration, and how much you know about what you are looking to understand in your investigation.

The best tools for rapid digital forensic investigations just got better with ADF's release of new software versions to support the collection of artifacts with Mac OS Mojave Forensics and MacOS High Sierra as well as from Windows. 

ADF's New Forensic Software Empowers Investigators and Prosecutors

ADF Solutions, the leading provider of automated forensic software for investigators and lab examiners, announced today the release of new software versions 1.4 for Digital Evidence Investigator^Ⓡ, and versions 4.4 for Triage-Investigator^Ⓡ, and Triage-G2^Ⓡ software.  

"We are very excited to be the first digital forensic software to parse macOS Mojave log files natively under Windows strengthening our macOS support", stated Raphael Bousquet, CTO, and co-founder of ADF Solutions. "In our world of fast and efficient forensic analysis, we strive to reduce data noise for the investigator. The addition of picture and video classification is a great step in the right direction!"

A precise timeline view links user activities with pictures, videos, and files of interest so investigators can quickly build a digital forensic report to share with prosecutors or other investigators.  The new version leverages enhanced automation and enables investigators to run in-depth digital forensics scans quickly.  The highlights of this new release for the investigative and forensic community include:

What's the fastest, easiest way to perform RAM Dump? While there are many tools and techniques available to examiners for recovering data from volatile memory, ADF Digital Evidence Investigator^®, Triage-Investigator^®, and Triage-G2^® are fast and easy. 

A simple 2-step process lets even the most non-technical field investigators or highly trained digital forensic examiners quickly perform a RAM capture when running a live scan on the computer from a collection key: 

1. Click "Create RAM Dump" from the main menu
2. The RAM Dump will be saved to the collection key as a .bin file and then zipped

A criminal forensic lab located in one of the largest U.S. Federal agencies was working on an extensive child exploitation case and had seized 37 total hard drives that contained over 38 terabytes of data. The case was high profile and the forensic team had a short window of time to examine the contents of the confiscated drives. Technical resources were limited and imaging drives and conducting traditional forensic examinations would be very time consuming. With the amount of data that needed to be searched, the investigators realized that it could potentially be weeks before the examinations were complete and the case could move forward. In addition the case would require significant disk storage space to hold all of the images.

A long, long time ago in a galaxy far far away
(2006 to be exact and the galaxy was Maryland USA)
It was a period of innovation.
Computers, USBs, all kinds of devices ... 
Some people were committing digital crimes
from their seemingly hidden bases in the digital world. 

Digital forensic experts understand the importance of remembering to perform a RAM Capture on-scene so as to not leave valuable evidence behind. Capturing volatile data in a computer's memory dump enables investigators and examiners to do a full memory analysis and access data including:

There are many cases where time is critical in a police investigation. This is increasingly true in a world where digital evidence can be an essential element in capturing a suspect or solving a crime. Digital data can implicate or clear suspects and utilizing digital evidence to your investigative advantage can allow you to act quickly while on-scene.

Starting digital investigations while at the scene has become increasingly important in fluid crime situations such as terrorism threats, active shooter situations, gang activity or sex trafficking. Field digital forensic investigations (a.k.a. field triage) can also be useful in CyberTip investigations or any crime where a digital device may have photos, video, audio, or other data that could be useful in identifying suspects, victims or protecting evidence.

Today, ADF is announcing the release of new digital forensic software versions for our products: 

• Digital Evidence InvestigatorⓇ (DEI) version 1.3.0 
• Triage-InvestigatorⓇ version 4.3.0
• Triage-G2Ⓡ version 4.3.0

ADF Solutions, a leading provider of digital forensic and media exploitation tools, has released Triage-Investigator, the latest evolution of ADF's award-winning digital forensic triage tool designed for field deployment. Triage-Investigator has a proven track record of providing investigators with easy, quick access to court-defendable evidence to process criminal cases.

This 3 day course uses HTCI’s proven hands-on training methods to train the investigator on the forefront of cyber investigations. It provides the investigator a simple USB/DVD deployment method to scan computers.