Here is a neat and FREE app to test your Live CDs.  Not sure how I missed this one, but instead of creating an entire virtual machine to boot a ISO for testing, you can just run the ISO with MobaLiveCD (http://mobalivecd.mobatek.net/en/).  QEMU opens a virtual machine window that much faster on your screen.



This may just cut down the number of cup mats I usually make when burning CDs...

On the subject of triage, I have some thoughts which some companies may not like to hear (at least companies selling triage software or 'triage computer systems'...).

Here are some problems I see with several triage systems available;

-Any triage tool that is marketed that anyone can plug it in and capture all responsive data and even create a forensic image, without having any knowledge of computers is a tool I would keep at a safe distance from custodians of data...Plug n' Play to capture evidence or triage a system?  How many problems? Let me count the ways...

-Any triage tool that is restricted to run on a specific computer is one that has just limited itself out of the market.  Since when do you want a tool that can only run on a specific computer you must buy?  Sorta useless if something happens to that computer.

-Any triage tool that professes to magically find all relevant data, even in the hands of untrained persons...wow.    Are you sure its finding what you need?

Why not triage a computer like everyone did in the old days.  Boot to a forensic OS (pick your flavor of OS) and use a tool you always use to find what you need to find.  Every case is different, so every triage is bound to be different.   On one computer, you may need to see the registry, whereas on another, you need to see the images.



And untrained persons triaging machines?  Good luck.  Emergency rooms don't use non-medical staff to triage patients, why would anyone use non-computer trained persons to triage computers?

As for a pretty good system for triage, build a WinFE disc (it's free, you don't need to buy anything other than a CD) and put your favorite forensic tools on it, the ones you use all the time.  Now you have a triage system.   No, more than that, you have a complete Windows Forensic Environment to look for exactly the things you need to look for.   Done right the first time.

So the next time you see a "Triage System" that is plug n'play simple, that decides what data you need to be collected, and that you just sit back and let it work, think about it a little more.  As for me, I want to push the buttons and triage based on what I need and what I see when I am looking at the data.

I've been asked on occasion, "What makes WinFE better or different than any other boot disc?".

WinFE is Windows based, not Linux.  For someone not experienced in Linux, the Windows environment may be easier to use due to familiarity with Windows.

Additionally, WinFE allows you to use your Windows based forensic applications in a forensically booted environment.  Rather than using a Linux CD and image with Linen, you can use a Windows CD and image with the full version of Encase or FTK Imager or X-Ways Forensics or other Windows based tool.

If your lab is Linux based, then WinFE may not be as comfortable as using a Linux based tool, but still may be an option to keep on hand (the opposite still remains true, if you focus on using Windows based tools, have some Linux options on hand as well).

Lastly, WinFE is updated by YOU, when YOU need it updated.  There is no need to wait for a distro to be upgraded every 6 months or longer before you can download it.  Current Linux ISO's available online still may have older versions of software that are outdated.  With WinFE, if any tool is updated/upgraded, you can do it immediately and always have the latest apps.

Other than that, its just user preference.