Jump to content











Photo

WinFE and Triage

Started by bshavers , Nov 30 2010 08:09 AM

  • Please log in to reply
No replies to this topic

#1 bshavers

bshavers

    Frequent Member

  • Developer
  • 140 posts
  •  
    United States

Posted 30 November 2010 - 08:09 AM

On the subject of triage, I have some thoughts which some companies may not like to hear (at least companies selling triage software or ‘triage computer systems’…).

Here are some problems I see with several triage systems available;

-Any triage tool that is marketed that anyone can plug it in and capture all responsive data and even create a forensic image, without having any knowledge of computers is a tool I would keep at a safe distance from custodians of data…Plug n’ Play to capture evidence or triage a system?  How many problems? Let me count the ways…

-Any triage tool that is restricted to run on a specific computer is one that has just limited itself out of the market.  Since when do you want a tool that can only run on a specific computer you must buy?  Sorta useless if something happens to that computer.

-Any triage tool that professes to magically find all relevant data, even in the hands of untrained persons…wow.    Are you sure its finding what you need?

Why not triage a computer like everyone did in the old days.  Boot to a forensic OS (pick your flavor of OS) and use a tool you always use to find what you need to find.  Every case is different, so every triage is bound to be different.   On one computer, you may need to see the registry, whereas on another, you need to see the images.

Posted Image

And untrained persons triaging machines?  Good luck.  Emergency rooms don’t use non-medical staff to triage patients, why would anyone use non-computer trained persons to triage computers?

As for a pretty good system for triage, build a WinFE disc (it’s free, you don’t need to buy anything other than a CD) and put your favorite forensic tools on it, the ones you use all the time.  Now you have a triage system.   No, more than that, you have a complete Windows Forensic Environment to look for exactly the things you need to look for.   Done right the first time.

So the next time you see a “Triage System” that is plug n’play simple, that decides what data you need to be collected, and that you just sit back and let it work, think about it a little more.  As for me, I want to push the buttons and triage based on what I need and what I see when I am looking at the data.


http://feeds.wordpre...dpress.com/369/ http://feeds.wordpre...dpress.com/369/ http://feeds.wordpre...dpress.com/369/ http://feeds.wordpre...dpress.com/369/ http://feeds.wordpre...dpress.com/369/ http://feeds.wordpre...dpress.com/369/ http://feeds.wordpre...dpress.com/369/ Posted Image

View the full article
Back to WinFE


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. reboot.pro
  2. Groups
  3. Security
  4. Forensics
  5. WinFE
  6. Privacy Policy
  7. Site policies ·