On the subject of triage, I have some thoughts which some companies may not like to hear (at least companies selling triage software or 'triage computer systems'...).

Here are some problems I see with several triage systems available;

-Any triage tool that is marketed that anyone can plug it in and capture all responsive data and even create a forensic image, without having any knowledge of computers is a tool I would keep at a safe distance from custodians of data...Plug n' Play to capture evidence or triage a system?  How many problems? Let me count the ways...

-Any triage tool that is restricted to run on a specific computer is one that has just limited itself out of the market.  Since when do you want a tool that can only run on a specific computer you must buy?  Sorta useless if something happens to that computer.

-Any triage tool that professes to magically find all relevant data, even in the hands of untrained persons...wow.    Are you sure its finding what you need?

Why not triage a computer like everyone did in the old days.  Boot to a forensic OS (pick your flavor of OS) and use a tool you always use to find what you need to find.  Every case is different, so every triage is bound to be different.   On one computer, you may need to see the registry, whereas on another, you need to see the images.



And untrained persons triaging machines?  Good luck.  Emergency rooms don't use non-medical staff to triage patients, why would anyone use non-computer trained persons to triage computers?

As for a pretty good system for triage, build a WinFE disc (it's free, you don't need to buy anything other than a CD) and put your favorite forensic tools on it, the ones you use all the time.  Now you have a triage system.   No, more than that, you have a complete Windows Forensic Environment to look for exactly the things you need to look for.   Done right the first time.

So the next time you see a "Triage System" that is plug n'play simple, that decides what data you need to be collected, and that you just sit back and let it work, think about it a little more.  As for me, I want to push the buttons and triage based on what I need and what I see when I am looking at the data.

I've been asked on occasion, "What makes WinFE better or different than any other boot disc?".

WinFE is Windows based, not Linux.  For someone not experienced in Linux, the Windows environment may be easier to use due to familiarity with Windows.

Additionally, WinFE allows you to use your Windows based forensic applications in a forensically booted environment.  Rather than using a Linux CD and image with Linen, you can use a Windows CD and image with the full version of Encase or FTK Imager or X-Ways Forensics or other Windows based tool.

If your lab is Linux based, then WinFE may not be as comfortable as using a Linux based tool, but still may be an option to keep on hand (the opposite still remains true, if you focus on using Windows based tools, have some Linux options on hand as well).

Lastly, WinFE is updated by YOU, when YOU need it updated.  There is no need to wait for a distro to be upgraded every 6 months or longer before you can download it.  Current Linux ISO's available online still may have older versions of software that are outdated.  With WinFE, if any tool is updated/upgraded, you can do it immediately and always have the latest apps.

Other than that, its just user preference.

By now, most everyone involved with forensics knows about the latest release of FTK Imager 3.0.   In my opinion, this is perhaps the best release ever of FTK Imager and probably one of the top releases of software this  year because of one of the newest features and the price (FREE and MOUNTS IMAGES!).  Given other expensive software, or free software  that doesn't work as expected, or difficult to manage manual procedures to mount images, to now have FTK Imager 3.0 quickly and neatly mount an image is a nice addition to my Start Menu.



So the bigger deal with FTK Imager 3.0....it runs in WinFE.  With FTK Imager 3.0, you can mount images in WinFE and conduct analysis in the Windows Forensic Environment with any other tool that runs in WinFE, such as X-Ways Forensics, ProDiscover, or Encase.



Now I know what you are probably thinking.  FTK Imager "Lite" 2.9 will run in WinFE and that version doesn't support image mounting.  FTK Imager 3.0 needs to be installed, which is problematic in WinFE.  Well, right and wrong. FTK Imager 3.0 only needs to be installed on any system, then copy the program folder onto WinFE  to run as if it were installed.  Voila!  No need for the Lite version when you can have the full meal deal.

Now how's that for having a completely self-contained Windows Forensic Environment, running minimal processes on just about any system...technically, this is called, "Niiiccceee...."