Thursday, August 6, 2015

This One Step Can Save You Hours of Work In Your Forensic Examinations

Have you ever needed to figure out the timezone of the OS in a digital forensic image? What Internet browsers were installed? What chat programs were installed?

I know I have needed all the above in my casework and more.
Now you could find this information in the various Windows registry hives where it lives (NTUSER.DAT, SYSTEM, SOFTWARE and so on), pull it out, format it and stick it in your forensic report.
Or…you could run the triage script in Forensic Explorer and get it done for you without much more work than checking a box during the intake of your evidence.
I don’t know about you but me likey less work.
A lot.
So how do you use the triage processing function in Forensic Explorer? Where is it located? What’s it doing?
I’m glad you asked. I had the same questions.
Want to hear the answers? Good, let’s go!

The Triage Intake Option in Forensic Explorer

The first step in using the triage processing option in Forensic Explorer is to create a case. Now, I'm not going to tell you how to create a case in Forensic Explorer, add investigators or add evidence to the case. Nope. But that isn't because I don't want to or won't. It's because this article is about the triage intake processing function. But I will show you some pictures – here you go.
Create Case Forensic Explorer


Add image Forensic Explorer

Now that we have that out of the way and have our image added to the case, Forensic Explorer presents us with a dialog window to select what intake or processing options we want to perform on the evidence.
Using the Triage Script during intake requires no extra expertise on the part of the examiner other than the ability to check a box and if you can’t do that…well, send me an email and I’ll give you a referral to a good doctor.
Triage Check Box
Other than selecting that check box in the intake dialog, all you need to do is press the "OK" button and let FEX rip. When all the intake actions are done, simply head over to the Reports module and select the Triage folder to view, print or edit the results.
Forensic Explorer Report Window

Forensic Explorer Triage Information

The triage intake function creates a Triage report group in the Reports module. It is made up of a title page and three separate sections – Data Examined, Registry and File System. Note: if you don't see a Triage report in the Reports module, select the drop-down arrow on the New button in the Reports window and select "Triage".
Forensic Explorer Missing Triage Report

The Data Examined Group

This group contains a header and details on the data that was added to the case. In the picture below you can see that I added a logical image file to the case.
Forensic Explorer Triage Data Examined

The Registry Group

This group comprises reports extracted from keys in the SAM, SOFTWARE and SYSTEM Windows registry hives. The information parsed includes user accounts, network configuration and email clients.
Forensic Explorer Triage Registry

The File System Group

This group reports on installed programs of interest to an examiner – browsers, chat clients, shadow copy tooling and wiping tools.
Forensic Explorer Triage File System
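If you want to see what the Registry and File System groups are doing under the hood, or reproduce a few of their findings by hand (the "pull it out yourself" route mentioned at the top of the post), the script below does it with nothing but reg.exe and the PowerShell registry provider. It is an added example written for this post, not Forensic Explorer's code and not the triage script shipped with it. It assumes (hypothetically) that working copies of the SYSTEM and SOFTWARE hives have been exported from the image into C:\case\hives\ and that you are running from an elevated PowerShell prompt; the keyword lists used to tag programs as browser, chat or wiping tools are my own and are not the ones FEX uses.

```powershell
# Added example (not Forensic Explorer's code): read the core triage facts
# straight from offline SYSTEM and SOFTWARE hives.
# Assumption (hypothetical): hives were copied out of the image to C:\case\hives\.
# Work on copies, never the original evidence: reg.exe load opens the file for writing.
$Hives = @{
    'ImgSYSTEM'   = 'C:\case\hives\SYSTEM'
    'ImgSOFTWARE' = 'C:\case\hives\SOFTWARE'
}
foreach ($name in $Hives.Keys) {
    & reg.exe load "HKLM\$name" $Hives[$name] | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Failed to load hive $($Hives[$name])" }
}

try {
    # Select\Current tells you which ControlSet was live at last shutdown (1 -> ControlSet001).
    $current = (Get-ItemProperty 'HKLM:\ImgSYSTEM\Select').Current
    $cs = 'HKLM:\ImgSYSTEM\ControlSet{0:D3}' -f $current

    # Time zone. Bias and ActiveTimeBias are minutes to ADD to local time to get UTC,
    # so a machine on US Eastern (standard time) shows Bias = 300.
    $tz = Get-ItemProperty "$cs\Control\TimeZoneInformation"
    [pscustomobject]@{
        TimeZoneKeyName = $tz.TimeZoneKeyName
        StandardName    = $tz.StandardName
        BiasMinutes     = $tz.Bias
        ActiveTimeBias  = $tz.ActiveTimeBias
        ComputerName    = (Get-ItemProperty "$cs\Control\ComputerName\ComputerName").ComputerName
    } | Format-List

    # OS version and install date (InstallDate is a Unix epoch in seconds, UTC).
    $nt = Get-ItemProperty 'HKLM:\ImgSOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ProductName     = $nt.ProductName
        CurrentBuild    = $nt.CurrentBuild
        RegisteredOwner = $nt.RegisteredOwner
        InstallDateUTC  = if ($nt.InstallDate) { [DateTimeOffset]::FromUnixTimeSeconds($nt.InstallDate).UtcDateTime }
    } | Format-List

    # Network interfaces that ever had an address configured (DHCP lease or static).
    Get-ChildItem "$cs\Services\Tcpip\Parameters\Interfaces" | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.DhcpIPAddress -or $p.IPAddress) {
            [pscustomobject]@{
                Interface  = $_.PSChildName
                IPAddress  = if ($p.DhcpIPAddress) { $p.DhcpIPAddress } else { $p.IPAddress -join ',' }
                Gateway    = if ($p.DhcpDefaultGateway) { $p.DhcpDefaultGateway -join ',' } else { $p.DefaultGateway -join ',' }
                DhcpServer = $p.DhcpServer
            }
        }
    } | Format-Table -AutoSize

    # Installed programs from both Uninstall keys (native and WOW6432Node), tagged with
    # the categories the triage report cares about. Keyword lists are mine, not FEX's.
    $uninst = @(
        'HKLM:\ImgSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\ImgSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $categories = @{
        Browser = 'Chrome|Firefox|Opera|Safari|Brave'
        Chat    = 'Skype|Discord|Telegram|Slack|Signal|Pidgin|ICQ|Messenger'
        Wiping  = 'CCleaner|Eraser|BleachBit|Evidence Eliminator|Wipe'
    }
    $programs = Get-ChildItem $uninst -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.DisplayName) {
            $tags = $categories.GetEnumerator() |
                Where-Object { $p.DisplayName -match $_.Value } |
                Select-Object -ExpandProperty Key
            [pscustomobject]@{
                DisplayName = $p.DisplayName
                Version     = $p.DisplayVersion
                InstallDate = $p.InstallDate   # yyyyMMdd string when the installer recorded it
                Category    = $tags -join ','
            }
        }
    }
    $programs | Sort-Object Category, DisplayName | Format-Table -AutoSize
}
finally {
    # Always unload, or the hive files stay locked. The provider holds handles open,
    # so force a GC first or reg unload reports "access denied".
    [gc]::Collect()
    foreach ($name in $Hives.Keys) { & reg.exe unload "HKLM\$name" | Out-Null }
}
```

Two things worth noticing when you compare this with the FEX output: the script reads the ControlSet the machine actually booted from rather than blindly assuming ControlSet001, and it reports the raw Bias values alongside the zone name, which is what you need when you later set the case time zone and sanity-check a timestamp by hand. Portable apps that never touch the Uninstall keys (Tor Browser extracted to a folder, for instance) will not show up here; that is exactly the gap the File System group closes by looking at the files themselves.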

A Word To The Wise

The triage function that runs at intake should not be confused with the triage script that can be run from within the File System module. That script pulls out a subset of the information the intake function does, plus some other sections, such as the presence of iPhone backups. It is run after the evidence has already been added and processed in the case, and it is an editable Pascal script, whereas at the time of this writing the intake triage is built into the program.
Forensic Explorer Triage Script

Forensic Explorer Triage Script Summary

I hope you enjoyed this brief introduction to the triage processing function that is available at intake with Forensic Explorer. It's a standard intake step that I use every time I start a new case, and I've found it to be a time saver as well as a rich source of leads for evidence artifacts. It's also helped with setting the correct time zone for the evidence – and believe me, that matters!
