ADF Triage-G2, Responder, Examiner
May 12, 2014
Triage-Responder: one-year software license (including kit): $748, one-year license renewal $529; Triage-Examiner: one-year software license (including kit): $1,448, one-year license renewal $1,199; Triage-G2: three-year software license (including kit): $4,148, three-year license renewal $3,999.
- Strengths: Learning Tracks, simplicity of operation and completeness of reporting.
- Weaknesses: None that we found.
- Verdict: A well-thought-out tool kit that is customised for a particular use case and has everything necessary for field application.
These three products are approximately the same type of tool, but with different functionalities depending on the market in which they are used. Fundamentally, the purpose of a triage tool is to allow a rapid surface analysis of computers at the scene. This is quite different from a full computer forensic analysis in that an image usually is not taken. Typically, no analysis is done at the scene; rather, it is usually saved for the lab.
Triage tools, however, allow a preconfigured scan of a computer, where the scan is assembled to look for a particular type of artefact. For example, a scan preconfigured to search for child pornography would ignore anything on the computer that does not help identify those types of artefacts.
The ADF tools are easy to use and very fast. The documentation is in the form of Learning Tracks that appear on the screen of the administrator/analyst computer and walk users through implementation step by step, in some cases including videos. The tools come in small cases that include everything needed for quick use in the field. A typical kit, packed in a small padded pouch, contains a backup version of the software, a USB thumb drive with the license key, a second thumb drive for acquisition, a small flashlight and a boot CD.
The offering works by preconfiguring one of the thumb drives, called the triage key. We began by installing the administrator software on our forensic PC. Installation was simple and we immediately configured the thumb drive. The Learning Tracks walked us through thumb drive preparation and we were ready to test another computer. We tested the Examiner version of the tool. The G2 version is designed for use by defence, intelligence, border security and similar government agencies. The Responder is designed for non-technical law enforcement investigators and has a slightly different set of search profiles from the other two. The G2 version also has task-specific search profiles.
Once we configured the Examiner triage key we took it to another computer. Users can run the tool while the computer is operating or, if the PC is shut down, can boot using the provided boot disk for a forensically clean boot-up. Since the CD drawer will be shut if the computer is powered off, the kits come with a teasing needle that users can engage to open the CD drawer.
After collecting the evidence specified in the profiles that we installed on the triage key, we returned to the admin computer where we compiled the information into a machine-generated report. This was clear, complete and concise and we were surprised at the level of detail the tool collected in a short period.
We liked the simplicity of setting up the tool - especially the Learning Track concept - and the reporting is especially useful and complete. Pricing is quite reasonable given that they are annual licenses with phone support and software updates included. We can easily see how a quick run through several computers with a triage key would help identify those that need to be seized for a more detailed examination. Beyond that, the amount of information that the triage key collects is, at the least, an excellent guide for a more thorough analysis by an experienced examiner. At best, the report could stand on its own.