Warning: This One Step Can Save You Hours of Work In Your Forensic Examinations

Digital Forensic Triage

 

Have you ever needed to figure out the timezone of the OS in a digital forensic image? What Internet browsers were installed? What chat programs were installed?

I know I have needed all the above in my casework and more.

Now you could find this information in the the various windows registry keys where its located – NTUser.dat, SYSTEM etc – pull it out, format it and stick it in your forensic report.

Or…you could run the triage script in Forensic Explorer and get it done for you without much more work than checking a box during the intake of your evidence.

I don’t know about you but me likey less work.

A lot.

So how do you use the triage processing function in Forensic Explorer? Where is it located? What’s it doing?

I’m glad you asked. I had the same questions.

Want to hear the answers? Good, let’s go!

 The Triage Intake Option Forensic Explorer

The first step in using the triage processing option in Forensic Explorer is to create a case. Now, I’m not going to tell you how to create a case in forensic explorer or add investigators or add evidence to the case. Nope. But that isn’t because I don’t want to or won’t. It’s because this article is about the triage intake processing function. But I will show you some pictures – here you go.

Create Case Forensic Explorer

Create a Case Forensic Explorer

 

 

Add image Forensic Explorer

Add Image Forensic Explorer

 

Now that we have that out of the way and have our image added to the case, Forensic Explorer presents us with a dialog window to select what intake or processing options we want to perform on the evidence.

Using the Triage Script during intake requires no extra expertise on the part of the examiner other than the ability to check a box and if you can’t do that…well, send me an email and I’ll give you a referral to a good doctor.

Triage Check Box

Triage Check Box

Other than selecting that check box in the intake dialog box all you need to do is press the “Ok” button and let FEX rip. When all the intake actions are done, simply head over to the reports module and select the Triage folder to view the results, print or edit.

Forensic Explorer Report Window

Forensic Explorer Report Window

Forensic Explorer Triage Information

The triage intake function in Forensic Explorer creates report group in the report module and is comprised of a title page and three separate report groups – Data Examined, Registry and File system. Note: if you don’t see the a Triage report generated in the report module select the drop-down arrow on the new button in the Reports window and select “Triage”

Forensi Explorer Missing Triage Report

Forensic Explorer Missing Triage Report

 

The Data Examined Group

This group contains a header and details on the data that was added to the case. In our picture below we see that I have added a logical image file to the case.

Forensi Explorer Missing Triage Report

Forensic Explorer Missing Triage Report

 

The Registry Group

This group comprises reports extracted from keys in the SAM, SOFTWARE and SYSTEM Windows registry hives. Information that is parsed include users, network information and email clients.

Forensic Explorer Triage Registry

Forensic Explorer Triage Registry

 

The File System Group

This group reports on installed programs like browsers, chat, shadow copies or wiping tools.

Forensic Explorer Triage File System

Forensic Explorer Triage File System

 

A Word To The Wise

The triage function that happens at intake should not be confused with the triage script that cane be run from within the file system module. This script pulls out a subset of the information that the triage intake function pulls out, plus some other sections like the presence of iPhone backups. This script is run after the evidence is already added and processed in the case, and is an editable Pascal script whereas at the time of this writing the intake triage is built into the program.

Forensic Explorer Triage Script

Forensic Explorer Triage Script

 

Forensic Explorer Triage Script Summary

Forensic Explorer Triage Script Summary

I hope you enjoyed this brief introduction to the triage processing function that is available at intake with Forensic Explorer. Its a standard intake function that I use every time I start a new case and I’ve found it to be a time saver as well as a rich source of clues for evidence artifacts. Its also helped with setting the correct timezone for evidence – and believe me that matters!

Good luck in your forensic endeavors and tell me what you think of the article or about any other articles on Forensic Explorer that you would like to see. If you are reading this because you are trying to figure out if Forensic Explorer is right for you, grab a free 30 day trial from the Forensic Explorer website,I think you will like it. If you need help, feel free to ask me as well!

Photo Credit: Instant Vantage via photopin cc

Advertisements

3 comments

  1. Rob

    Thanks Mike…another Good One.. Now…reporting would be a GREAT topic! .. It’s very powerful, but a bit confusing to me at this point with a custom folder/bookmark.
    Thanks again.. Rob

    • numenorian

      Thanks Rob. Well, you aren’t the only one to ask about reporting – I will do some write-ups and maybe a video tut or two on it.

Let Me Know Whatcha Think....

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s