Have you ever needed to figure out the timezone of the OS in a digital forensic image? What Internet browsers were installed? What chat programs were installed?
I know I have needed all the above in my casework and more.
Now, you could find this information in the various Windows registry keys where it's located – NTUser.dat, SYSTEM, etc. – pull it out, format it and stick it in your forensic report.
Or…you could run the triage script in Forensic Explorer and get it done for you without much more work than checking a box during the intake of your evidence.
I don’t know about you but me likey less work.
So how do you use the triage processing function in Forensic Explorer? Where is it located? What’s it doing?
I’m glad you asked. I had the same questions.
Want to hear the answers? Good, let’s go!
The Triage Intake Option in Forensic Explorer
The first step in using the triage processing option in Forensic Explorer is to create a case. Now, I'm not going to tell you how to create a case in Forensic Explorer or add investigators or add evidence to the case. Nope. But that isn't because I don't want to or won't. It's because this article is about the triage intake processing function. But I will show you some pictures – here you go.
Now that we have that out of the way and have our image added to the case, Forensic Explorer presents us with a dialog window to select what intake or processing options we want to perform on the evidence.
Using the Triage Script during intake requires no extra expertise on the part of the examiner other than the ability to check a box and if you can’t do that…well, send me an email and I’ll give you a referral to a good doctor.
Other than selecting that check box in the intake dialog box all you need to do is press the “Ok” button and let FEX rip. When all the intake actions are done, simply head over to the reports module and select the Triage folder to view the results, print or edit.
Forensic Explorer Triage Information
The triage intake function in Forensic Explorer creates a report group in the Reports module, comprised of a title page and three separate report groups – Data Examined, Registry and File System. Note: if you don't see a Triage report generated in the Reports module, select the drop-down arrow on the New button in the Reports window and select "Triage".
The Data Examined Group
This group contains a header and details on the data that was added to the case. In our picture below we see that I have added a logical image file to the case.
The Registry Group
This group comprises reports extracted from keys in the SAM, SOFTWARE and SYSTEM Windows registry hives. The information parsed includes users, network information and email clients.
The File System Group
This group reports on installed programs such as browsers, chat programs and wiping tools, and on the presence of shadow copies.
A Word To The Wise
The triage function that happens at intake should not be confused with the triage script that can be run from within the File System module. That script pulls out a subset of the information that the triage intake function pulls out, plus some other sections such as the presence of iPhone backups. It is run after the evidence has already been added and processed in the case, and it is an editable Pascal script, whereas at the time of this writing the intake triage is built into the program.
I hope you enjoyed this brief introduction to the triage processing function that is available at intake with Forensic Explorer. It's a standard intake function that I use every time I start a new case, and I've found it to be a time saver as well as a rich source of clues for evidence artifacts. It's also helped with setting the correct timezone for evidence – and believe me, that matters!
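To show what the "pull it out and format it" step looks like for the timezone case mentioned above, here is an added example that is not part of this post or of Forensic Explorer: it decodes the Bias/ActiveTimeBias/TimeZoneKeyName values as Windows stores them under the SYSTEM hive's Control\TimeZoneInformation key (the documented location, which the post does not name) and converts a FILETIME from the image into the machine's local time. The raw value bytes and the timestamp are constructed sample data, not taken from a real image.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample of raw registry data as a hive parser would hand it back
# (SYSTEM\ControlSet001\Control\TimeZoneInformation). Bias values are
# little-endian signed REG_DWORDs in minutes, and Windows defines
# UTC = local time + Bias, so a negative value means the machine is east of UTC.
SAMPLE_TZ_VALUES = {
    "Bias": b"\x2c\x01\x00\x00",            # 300 -> UTC-5 when standard time is in effect
    "ActiveTimeBias": b"\xf0\x00\x00\x00",  # 240 -> UTC-4, i.e. daylight time in effect
    "TimeZoneKeyName": "Eastern Standard Time".encode("utf-16-le") + b"\x00\x00",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def reg_dword_signed(raw: bytes) -> int:
    """Decode a 4-byte little-endian REG_DWORD as a signed integer (0xFFFFFED4 -> -300)."""
    return struct.unpack("<i", raw[:4])[0]


def reg_sz(raw: bytes) -> str:
    """Decode a REG_SZ value (UTF-16LE, NUL terminated)."""
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def parse_timezone_info(values: dict) -> dict:
    """Pull the fields an examiner needs out of the raw TimeZoneInformation values."""
    return {
        "name": reg_sz(values["TimeZoneKeyName"]),
        "bias_min": reg_dword_signed(values["Bias"]),
        "active_bias_min": reg_dword_signed(values["ActiveTimeBias"]),
    }


def filetime_to_utc(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; convert to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_utc, done in integers to avoid float rounding."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def local_time_for(ft: int, values: dict) -> str:
    """Render a FILETIME in the examined machine's active local time (local = UTC - bias)."""
    tz = parse_timezone_info(values)
    local = filetime_to_utc(ft).astimezone(timezone(timedelta(minutes=-tz["active_bias_min"])))
    return local.isoformat()


# Constructed timestamp: 2023-07-01 12:00:00 UTC, which is 08:00 local under the sample bias.
SAMPLE_FILETIME = utc_to_filetime(datetime(2023, 7, 1, 12, 0, tzinfo=timezone.utc))
```

Getting the sign convention backwards (adding the bias instead of subtracting it) shifts every timestamp in the report by twice the offset, which is exactly the kind of error the intake triage report helps you avoid.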
Good luck in your forensic endeavors, and tell me what you think of the article or about any other articles on Forensic Explorer that you would like to see. If you are reading this because you are trying to figure out if Forensic Explorer is right for you, grab a free 30 day trial from the Forensic Explorer website; I think you will like it. If you need help, feel free to ask me as well!