ADF Solutions Triage-Examiner
Strengths: Can use with multiple computers simultaneously, great customer support, clear reports.
Weaknesses: Initial setup and documentation cause confusion.
Verdict: Excellent product, streamlined and ideal for collection prior to full investigation.
Summary: ADF Solutions Triage-Examiner is a forensic tool that scans target devices whether they are powered on or off. The product reduces forensic backlogs and dedicates resources to collecting evidence. Triage-Examiner does not require an image to be made, but offers that capability. The model tested provides a Lab Add-On, and has three total USBs, which can be used as necessary. Each is clearly labeled and colored differently. This product is easy to use and is mostly automated. There are three steps to complete a scan: install Triage-Examiner, select and define the scan, and analyze the automated reports.
We first installed Triage-Examiner by inserting the Triage Key USB into the target computer, which required little user interaction. The same key is later prepared to conduct the examination. The first time the software is implemented, users must insert the Authentication Key USB to back up the license file. The console opens and users can select either a quick or complete scan. When preparing a scan, the user selects which drive to search and what to search for. From here, the Triage Key can be removed and plugged into any computer. An auto-run box pops up and the scan can begin. Scans provide a live feed of progress and results by category. Users can suspend the scan at any time to view the results up to the interruption. When the scan is done, evidence is clearly presented in a regimented report, which can be exported as HTML and converted to a PDF. Reports offer tags, which label evidence by significance through color codes. The speed and presentation of Triage-Examiner's collected evidence were impressive.
The Triage Key has a third functionality, which is replicated in the bootable CD: If a target device is turned off or locked, the USB or CD can reboot the system. The Lab Add-On option is a third USB. This allows the user to scan suspect drive images, write-blocked physical drives and other removable media.
This is a powerful and versatile forensic tool. It is compatible with Apple products and any other removable media devices. The user interface is refreshingly simple to navigate: buttons are large, and certain options provide a quick description of functionality. The reports are very clear, albeit lengthy, and provide a tally of tagged items.
The documentation that came with the Triage-Examiner leaves something to be desired. Screenshots are either blurry or small, and there is little to no description per image. Certain instructions are not clearly explicated, though they can be figured out or clarified by customer service, which is not offered 24/7 but is available by phone, email or an online support ticket. If customer assistance is unavailable by phone, voicemail is offered with a timely response. The service reps were quite familiar with the product, providing extensive assistance and instruction.
The price for the Triage-Examiner and Lab Add-On, both complete with a one-year license, is $2,187. The one-year license renewal for Triage-Examiner by itself is $999 and is $499 for the Lab Add-On. This product is worth the value. As a forensic examination tool that is used prior to a full investigation, it is very strong.