These three products are approximately the same type of tool, but with different functionalities depending on the market in which they are used. Fundamentally, the purpose of a triage tool is to allow a rapid surface analysis of computers at the scene. This is quite different from a full computer forensic analysis in that an image usually is not taken. Typically, there is no analysis done at the scene. Rather, it usually is saved for the lab.
However, triage tools allow a preconfigured scan of a computer, where the scan is assembled to look for a particular type of artifact. So, for example, a scan preconfigured to search for child pornography would ignore anything on the computer that does not help identify that type of artifact.
The ADF tools are easy to use and very fast. The documentation is in the form of Learning Tracks that appear on the screen of the administrator/analyst computer and walk users through implementation step by step, in some cases including videos. The tools come in small cases that include everything needed for quick use in the field. A typical kit, packed in a small padded pouch, contains a backup version of the software, a USB thumb drive with the license key, a second thumb drive for acquisition, a small flashlight and a boot CD.
The offering works by preconfiguring one of the thumb drives, called the triage key. We began by installing the administrator software on our forensic PC. Installation was simple and we immediately configured the thumb drive. The Learning Tracks walked us through thumb drive preparation and we were ready to test another computer. We tested the Examiner version of the tool. The G2 version is designed for use by defense, intelligence, border security and similar government agencies. The Responder is designed for non-technical law enforcement investigators and has a slightly different set of search profiles from the other two. The G2 version also has task-specific search profiles.
Once we configured the Examiner triage key we took it to another computer. Users can run the tool while the computer is operating or, if the PC is shut down, can boot using the provided boot disk for a forensically clean boot-up. Since the CD drawer will be shut if the computer is powered off, the kits come with a teasing needle that users can engage to open the CD drawer.
After collecting the evidence specified in the profiles that we installed on the triage key, we returned to the admin computer where we compiled the information into a machine-generated report. This was clear, complete and concise and we were surprised at the level of detail the tool collected in a short period.
We liked the simplicity of setting up the tool - especially the Learning Track concept - and the reporting is especially useful and complete. Pricing is quite reasonable given that the licenses are annual and include phone support and software updates. We can easily see how a quick run through several computers with a triage key would help identify those that need to be seized for a more detailed examination. Moreover, the amount of information that the triage key collects is, at the least, an excellent guide for a more thorough analysis by an experienced examiner. At best, the report could stand on its own.