Triage tools vary greatly in their technical and operational performance capabilities.
Overview
Previous Digital Insider columns discussed the traditional law enforcement protocol for seizing a live system, namely “pulling the plug” to maintain the “gold standard” (the integrity of the hard drive). Over the years, this approach has been clearly articulated to the law enforcement community: “Actions taken to secure and collect digital evidence should not affect the integrity of that evidence.” [1] “Pulling the plug” therefore ensures that no data is written to the evidentiary hard drive at the moment it is seized.
The traditional approach does present a number of inherent concerns that originally may not have been considered relevant or important. For instance, once the power is removed from a computer, potentially probative volatile data is lost. Depending upon the type of alleged crime, some of that data could have been germane to the investigation and subsequent prosecution of the subject. Not to be overlooked is the serious issue of volume or hard drive encryption: it would be good to know that an encryption application was running before the power is removed! In recent years, tools have been developed that can overcome some of these inherent concerns and capture data from a live system. Collectively referred to as triage tools, they vary in their technical and operational performance capabilities.
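The check described above, deciding whether a live system can safely be powered off, as an added example that is not code from the column or from any triage product it mentions. It assumes a triage tool has already captured a snapshot of running process names and mounted volumes; the snapshot, the short list of encryption indicators and the collection order (the usual order of volatility) are constructed for illustration.

```python
# Added example: a pre-seizure live triage decision helper, not a product from the column.
# Assumes a triage tool has already captured process names and mounted volumes.
import hashlib
import json

# Illustrative indicators of a running encryption application (assumption: a real tool
# would carry a vetted, maintained list, not this short one).
ENCRYPTION_PROCESSES = {"veracrypt.exe", "truecrypt.exe", "cryptsetup"}

# Evidence sources from most to least volatile: what is lost first when power is cut.
ORDER_OF_VOLATILITY = ["physical memory", "network connections", "running processes",
                       "mounted volumes", "disk image"]


def encryption_indicators(snapshot):
    """Return process names and mount points that suggest an open encrypted volume."""
    procs = [p for p in snapshot["processes"] if p.lower() in ENCRYPTION_PROCESSES]
    mounts = [v["mount"] for v in snapshot["volumes"] if v.get("encrypted_container")]
    return procs + mounts


def triage_plan(snapshot):
    """Decide whether 'pulling the plug' is acceptable and what to collect first."""
    indicators = encryption_indicators(snapshot)
    if indicators:
        # An open encrypted volume becomes unreadable once power is removed, so the
        # volatile data (memory first) must be acquired while the system is live.
        action = "do not pull the plug: acquire memory and open volumes while live"
        collect = ORDER_OF_VOLATILITY[:4]
    else:
        action = "traditional seizure: pull the plug and image the drive"
        collect = ORDER_OF_VOLATILITY[-1:]
    record = {"indicators": indicators, "action": action, "collect": collect}
    # Hash of the canonical snapshot ties the recommendation to what was observed,
    # so the triage record itself can be verified later.
    canonical = json.dumps(snapshot, sort_keys=True).encode()
    record["snapshot_sha256"] = hashlib.sha256(canonical).hexdigest()
    return record


# Constructed snapshot: a Windows host with VeraCrypt running and one mounted container.
SAMPLE_SNAPSHOT = {
    "processes": ["explorer.exe", "VeraCrypt.exe", "chrome.exe"],
    "volumes": [{"mount": "C:", "encrypted_container": False},
                {"mount": "X:", "encrypted_container": True}],
}

if __name__ == "__main__":
    print(json.dumps(triage_plan(SAMPLE_SNAPSHOT), indent=2))
```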
Why Triage a Computer?
An important consideration is a triage tool’s intended use (which can differ for investigators and examiners). Triaging can provide the investigator or first responder with a methodology to quickly assess a computer’s relevance to an investigation before removing its power and seizing it. For example, an investigator might want to quickly search for suspected pornographic images. Indeed, with the use of a triage tool, it may not be necessary to seize the computer at all if no probative data is found! If the computer is seized, an examiner might be interested in examining Registry information. He/she could use a triage tool to perform a more in-depth analysis, or to quickly triage a number of computers to determine which ones need further analysis with more sophisticated forensic tools. Since a given triage tool may or may not support both of these functions, or might not be easily configurable to perform both tasks, several tools may be needed for investigators and examiners to cover their potential uses.
The Military Approach to Triaging
For a number of reasons, it is not practicable or feasible for the U.S. Military to carry several triage tools in its toolbox while downrange on target. Several months ago, the United States Special Operations Command (USSOCOM, which is charged with overseeing the various Special Operations Commands of the U.S. Armed Forces) conducted an evaluation of computer media exploitation and cellular telephone exploitation products, systems, and tools. The evaluation was organized by the USSOCOM Program Office. Triage tools were included as a separate category alongside other computer media exploitation tools. An important part of the evaluation was to include representation from each of the respective military services, to ensure that the triage tools were evaluated against any service-unique requirements. Overall, the objective of the evaluation was to determine which triage tool could best meet the military’s requirements for procurement and worldwide dissemination.
