ADF Solutions Triage tool suite
Strengths: SearchPaks and profiles, usable by lower-skilled users in the field without sacrificing quality of data collected. Training videos in place of simple help files.
Weaknesses: Almost none, but we would like to see a small tool set for removing a disk from a computer if it becomes necessary to seize it.
Verdict: Even without the screwdriver, this is a useful and well-thought-out suite of triage tools. We have enjoyed seeing this tool set evolve. We select it as our Best Buy.
Although we are reviewing this as a suite, the individual tools are not usually used together. They have distinctly different purposes. And, although the Triage-Responder is the obvious computer forensic triage tool, all three are specialized triage tools in their own rights. We have been watching this company for a couple of years and its big strength lies in the way it allows the lab to set up the USB sticks that will be used to triage in the field.
Starting with the small fry of the bunch - AD Triage-Responder - we have a simple tool that can be used with almost no training by first responders. As with all three tools, this one is set up in the lab and the responder takes the provided kit along with the preconfigured USB stick.
The kits contain everything the responder is likely to need in the field, except a screw driver. That would have been a nice addition since a hit on the triage may indicate that the disk needs to be seized and taken to the lab for a full analysis. Responders can view HTML reports after the capture has been completed.
There are a number of preconfigured profiles for such things as child exploitation or fraud. The target computer is booted from the USB stick or a bootable CD provided in the kit. The reports are saved to the USB. In addition to disk-based data, the tools can collect volatile data from RAM and can even take a screenshot of active applications if the acquisition is on a live system instead of one booted into the USB drive.
AD Triage-Examiner is focused on intermediate examiners. In many cases, triage is enough to pinpoint evidence on a computer without resorting to a full analysis. While a full analysis in these cases is desirable, often there is not time to send the evidence to the lab and it is better to do an analysis back at the responder's workplace.
The primary difference between Examiner and Responder lies in the number and types of profiles available. Additionally, the items captured are more detailed in Examiner so a fuller picture of the target computer is available. As with the other kits, there is a collection of everything that would be needed, including a small flashlight and a tool for opening a CD drive for insertion of the boot disk when the computer is shut down.
Examiner also is somewhat more configurable than Responder. Examiner has the ability to create individual search methods giving a wide range of things for which the Examiner wishes to look. Also, as with all of the kits, the computer side of the tool - the computer that the tool uses to set up the USB sticks - contains not just tutorials but video lessons. This is the first time we've seen this approach and it is highly effective.
Finally, there is the ADF Triage-G2. This is quite an interesting tool because it is intended for triage use by government field operatives collecting intelligence from computers. Along with specialized profiles, this one has some interesting functionality. It breaks down the disk into four categories and searches for high-value information. The categories are: ActivitySensor, preferred locations, allocated files and deleted files. On live systems the tool can collect volatile data and open application screen shots. Appropriately, since it is an intelligence-gathering tool it can run in stealth mode where it deletes all evidence of itself, such as USB connections, in the registry. These capabilities are referred to by the vendor as "media exploitation." Also, it has advanced encryption that allows it to deploy classified SearchPaks.
Overall, these are three useful tools in their context and over the past couple of years we have seen them mature and become quite reliable.