WinFE and Triage

On the subject of triage, I have some thoughts which some companies may not like to hear (at least companies selling triage software or ‘triage computer systems’…).

Here are some problems I see with several triage systems available:

- Any triage tool that is marketed as something anyone can plug in to capture all responsive data, and even create a forensic image, without having any knowledge of computers is a tool I would keep at a safe distance from custodians of data…Plug n’ Play to capture evidence or triage a system?  How many problems? Let me count the ways…

- Any triage tool that is restricted to run on a specific computer is one that has just limited itself out of the market.  Since when do you want a tool that can only run on a specific computer you must buy?  Sorta useless if something happens to that computer.

- Any triage tool that professes to magically find all relevant data, even in the hands of untrained persons…wow.    Are you sure it’s finding what you need?

Why not triage a computer like everyone did in the old days?  Boot to a forensic OS (pick your flavor of OS) and use a tool you always use to find what you need to find.  Every case is different, so every triage is bound to be different.   On one computer, you may need to see the registry, whereas on another, you need to see the images.

And untrained persons triaging machines?  Good luck.  Emergency rooms don’t use non-medical staff to triage patients, why would anyone use non-computer trained persons to triage computers?

As for a pretty good system for triage, build a WinFE disc (it’s free, you don’t need to buy anything other than a CD) and put your favorite forensic tools on it, the ones you use all the time.  Now you have a triage system.   No, more than that, you have a complete Windows Forensic Environment to look for exactly the things you need to look for.   Done right the first time.

So the next time you see a “Triage System” that is plug n’play simple, that decides what data you need to be collected, and that you just sit back and let it work, think about it a little more.  As for me, I want to push the buttons and triage based on what I need and what I see when I am looking at the data.

2 thoughts on “WinFE and Triage”

  1. Hi Brett,

    Your comments are interesting but your conclusions are, IMHO, missing the mark by some way (and yes, we produce SPEKTOR, a triage tool for non-FORENSIC people so I’m bound to be biased, just as you are :-))

    Your entire argument against “plug and play triage tools” can be supported *provided* there are enough people trained in forensic computing to use the excellent technical triage tools available. Unfortunately, there are not, and never can be sufficient numbers of forensically trained staff to deal with the growing “front line” of computer crime/issues requiring a forensic response.

    I believe that the whole triage argument can be divided into “technical tools for technical people” and “non-technical tools for non-technical people”.

    ALL “tools” should be used by people who have been trained to use them; that does not mean they have to be trained forensic analysts though. Every day, people are charged with drink driving based on initial results obtained using a breathalyser deployed by an officer who
    a) was trained in its deployment and
    b) made a risk assessment about whether the deployment was required or not.

    Triage is emphatically NOT a replacement for forensic analysis. Nor should it be used to produce the sole evidence on which a person is prosecuted. It is, however, a tool that can be used, by appropriately trained staff and with appropriate risk assessment, to enable informed decisions about specific scenarios.

    With 18 years of forensic analysis behind me I absolutely agree with you that I would rather use a triage tool set comprising of my favorite forensic utilities because I know how to use them effectively. BUT given the choice, I (and I suspect most forensic experts) would rather be in my lab working on the difficult stuff that actually needs my experience and skill set rather than constantly traveling to the scene of a crime and seizing systems.

    Keep up the good work with WinFE – in the right hands it’s a very usable solution, but please try and consider that we have moved beyond the forensic community’s ability to keep up with the demands placed on us and we have to look at alternative ways of addressing the issue :-)

  2. Thanks for your comment. There is certainly a situation for everything. I don’t believe there is a single answer to the triage problem, whether it is done in the lab or onsite, by trained persons or untrained persons. Some thoughts on onsite triage: unless every bit of data is taken (imaged or seized in whole), triage should be done by someone well trained in what they are doing, which means the expert in the field not being able to stay in the lab.

    Having written more affidavits than I can remember and served probably well over 100 search warrants, I have seen cases where evidence was overlooked and left at the scene by inexperienced or apathetic searchers. If dozens of computers are at the scene, and a triage of those computers is to be made to determine which get seized, it may be best to have a well-trained examiner do the triage. If all are to be taken, then there is no issue with missing evidence as it will all be at the lab anyway.

    With civil cases, having custodians plug-n-play a software application without any visual supervision is a courtroom disaster waiting to happen. I have had more than one client specifically demand that only experts be onsite to collect data, no matter the cost, for the reason of past experiences of inexperience causing data to be overlooked or otherwise missed, or collected in a manner to be usable. I believe that in criminal cases, the need for experts onsite is even more important (because usually, physical harm and/or incarceration is at stake in criminal cases).

    Although unfair, the forensic examiner (criminal or civil cases) will bear the brunt of explaining if s/he did everything possible to gather all evidence, including exculpatory information. I’d rather have someone with expertise sort through data to determine what is evidence rather than an automated process, although I do understand that there has to be a compromise somewhere. Hinging a terrorism incident, murder investigation, or civil lawsuit on an inexperienced/un-trained data-collector using a push button system may not be the fairest process to those that the case impacts.
