AccessData. Triage. Quick Start Guide. Published: December 2011


AccessData

Triage

Quick Start Guide


Legal Information | 2

Legal Information

©2011 AccessData Group, LLC All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

AccessData Group, LLC makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, AccessData Group, LLC reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, AccessData Group, LLC makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, AccessData Group, LLC reserves the right to make changes to any and all parts of AccessData software, at any time, without any obligation to notify any person or entity of such changes.

You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.

AccessData Group, LLC. 384 South 400 West Suite 200 Lindon, Utah 84042 U.S.A. www.accessdata.com

AccessData Trademarks and Copyright Information

AccessData® is a registered trademark of AccessData Group, LLC.

Distributed Network Attack® is a registered trademark of AccessData Group, LLC. DNA® is a registered trademark of AccessData Group, LLC.

Forensic Toolkit® is a registered trademark of AccessData Group, LLC. FTK® is a registered trademark of AccessData Group, LLC.

Password Recovery Toolkit® is a registered trademark of AccessData Group, LLC. PRTK® is a registered trademark of AccessData Group, LLC.

Registry Viewer® is a registered trademark of AccessData Group, LLC.

A trademark symbol (®, ™, etc.) denotes an AccessData Group, LLC. trademark. With few exceptions, and unless otherwise notated, all third-party product names are spelled and capitalized the same way the owner spells and capitalizes its product name. Third-party trademarks and copyrights are the property of the trademark and copyright holders. AccessData claims no responsibility for the function or performance of third-party products.

Third party acknowledgements:

FreeBSD® Copyright 1992-2011. The FreeBSD Project.

AFF® and AFFLIB® Copyright® 2005, 2006, 2007, 2008 Simson L. Garfinkel and Basis Technology Corp. All rights reserved.


AD Triage Quick Start Guide

AD Triage is designed to collect and review data/artifacts from a live or powered-down target system and facilitate the transfer of that data to an administrator system. An AD1 logical image of the system's artifacts can then be written to the destination of your choice. From there, the data can be decrypted and imported into the administrator's interface for further review and reporting, or it can be consumed by FTK for more advanced analysis.

This guide is designed to walk you through a basic workflow of the Triage system. This is not a comprehensive guide, but an abbreviated guide for common tasks. See the AccessData Triage User Guide for a complete description of AD Triage features.

Installing AD Triage

Before you install AD Triage, you must have the following items:

A CodeMeter dongle that is licensed for AD Triage and plugged into the Admin machine

CodeMeter Runtime 4.2 installed on your system

Microsoft .NET 3.5 SP1

To install AD Triage Admin

1. Insert installation disk into the CD/DVD drive.

2. In the autorun, click Install Triage Admin.

3. Follow the installation wizard, allowing default folders and options.

Licensing a USB Device

To collect data from a target system, you must create a Triage USB device with a Triage profile on it. Before you can apply a profile to a device for collection, you must first license the device. You can use one license per device and one profile per device.

To license a USB device


FIGURE A-1 Triage Admin Console Admin Tab

2. Attach the USB device (minimum 400 MB).

3. Select the Admin tab and then click Manage Licenses.

FIGURE A-2 Manage Licenses Dialog


FIGURE A-3 Format Triage Device Dialog

5. Label and Format the USB device.

Note: Formatting the device will erase all data currently on the device.

The device appears in the Licensed Devices pane of the Manage License dialog.

6. Close the Manage Licenses dialog.

Creating a Standard Triage USB Device

1. In the Admin console, click the Devices tab.


FIGURE A-4 Default Collector Wizard

3. Enter a Case Name, select the USB device, and click Finish.

4. Your USB device is now ready for use; click OK.

Creating a Custom USB Device

To create a custom Triage USB Device, you must first create a custom profile with the filters and actions that you want the collector to perform. Then, you must apply that profile to the USB device.

Creating a Custom Profile

To create a custom profile


FIGURE A-5 AD Triage Admin Main Window Configure Tab

2. Click Manage Profiles.

3. In the Profiles dialog, click New Profile.

4. In the Custom Profile Wizard, click Next.

5. In the Profile Name screen, enter a Name and Description for the profile and then click Next.

FIGURE A-6 Custom Profile Wizard Standard Actions Screen

6. In the Standard Actions screen, check the actions from the default list that you want the profile to perform during collection and then click Next.

Note: Actions that can be performed only on a live system are listed as “(LIVE).” All other actions can be performed on either a live system or a shutdown system.

Example: If you wanted to search for memory and network items on a live system, you would check (LIVE) Memory Dump under the System check box, then (LIVE) Network Adapters and (LIVE) Network Connections under the Network check box.


FIGURE A-7 Custom Profile Wizard Custom File Filters Screen

7. In the Custom File Filters screen, click Create Your Own Filter to create your own custom filter.

8. In the Custom Filter Wizard, click Next.

9. In the Filter Name screen, enter a Name and Description for the filter and then click Next.

FIGURE A-8 Custom Filter Wizard Select Criteria Screen


FIGURE A-9 Custom Filter Wizard Groups Screen

11. Depending on the groups that you checked, the next screen allows you to add the specific criteria for each group to the custom filter. The following screens may appear:

Keyword Hash

Regular Expression File Size

Note: When applying a File Size filter, the filter will search for the “Size on Disk” file capacity rather than the “Size” capacity when collecting data. Increase the size of your file search accordingly to accommodate this.

Date Time Extensions Path Illicit Images

Note: Multiple conditions added under a single group name are considered as an “OR” condition. Each

separate group name added is considered as an “AND” condition.

Example 1: If you wanted to create a filter that searches for .doc files created in the last week, you would

perform the following actions:

11a. In the Select Criteria screen, check Date Time and Extensions and then click Next.

11b. In the File Date screen, select File created within a week, click Add Existing Filter, and click Next.

11c. In the File Extension screen, select File is a user created file, click Add Existing Filter, and click Next.

Example 2: If you wanted to create a filter that searches for image files on the user’s home directory, you would perform the following actions:

11a. In the Select Criteria screen, check Extensions and Path and then click Next.


11c. In the File Path screen, select File resides in users home directory, click Add Existing Filter, and click Next.
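The filter semantics the note and the two examples above describe (conditions inside one group are ORed, separate groups are ANDed, and the File Size group compares “Size on Disk” rather than “Size”) as an added Python illustration. This is not AccessData’s code; the 4096-byte cluster size, the `C:/Users/` home-directory root, and the extension sets standing in for “user created file” and “image files” are assumptions, and the file list is constructed.

```python
"""Illustrative re-implementation of AD Triage custom-filter semantics
(groups ANDed, conditions within a group ORed, File Size on allocated bytes).
Not AccessData's code; constants below are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import math
import os.path

CLUSTER_SIZE = 4096            # assumed cluster size (NTFS default on most volumes)
USER_HOME_ROOT = "C:/Users/"   # assumed root of user home directories


@dataclass
class FileRecord:
    path: str
    size: int            # logical size in bytes (Explorer's "Size")
    created: datetime

    def size_on_disk(self, cluster: int = CLUSTER_SIZE) -> int:
        # Allocated space is a whole number of clusters (Explorer's "Size on Disk");
        # a 1-byte file therefore occupies a full cluster, an empty file none.
        return math.ceil(self.size / cluster) * cluster


# --- predicate builders: each returns a function FileRecord -> bool ----------
def ext_in(*exts):
    wanted = {e.lower() for e in exts}
    return lambda r: os.path.splitext(r.path)[1].lower() in wanted


def created_within(days, now):
    cutoff = now - timedelta(days=days)
    return lambda r: cutoff <= r.created <= now


def in_user_home():
    norm = lambda p: p.replace("\\", "/").lower()
    return lambda r: norm(r.path).startswith(USER_HOME_ROOT.lower())


def size_on_disk_at_most(limit):
    # Per the guide's note, the File Size filter uses "Size on Disk", not "Size".
    return lambda r: r.size_on_disk() <= limit


def matches(rec, groups):
    """groups maps a group name to its list of predicates.
    Conditions inside a group are ORed; the groups themselves are ANDed."""
    return all(any(p(rec) for p in preds) for preds in groups.values())


def apply_filter(records, groups):
    return [r.path for r in records if matches(r, groups)]


# --- constructed sample file list (not real evidence) -------------------------
NOW = datetime(2011, 12, 15, 12, 0)
SAMPLE = [
    FileRecord(r"C:\Users\alice\Documents\report.doc", 20_000, NOW - timedelta(days=2)),
    FileRecord(r"C:\Users\alice\Documents\old.doc",    20_000, NOW - timedelta(days=30)),
    FileRecord(r"C:\Users\alice\Pictures\cat.jpg",     1,      NOW - timedelta(days=1)),
    FileRecord(r"C:\Windows\Web\wallpaper.jpg",        4097,   NOW - timedelta(days=1)),
    FileRecord(r"C:\Users\bob\notes.txt",              0,      NOW),
]

# Example 1 from the guide: .doc files created in the last week (two groups, ANDed)
EXAMPLE_1 = {"Extensions": [ext_in(".doc")], "Date Time": [created_within(7, NOW)]}
# Example 2: image files in a user's home directory (image extension set assumed)
EXAMPLE_2 = {"Extensions": [ext_in(".jpg", ".png", ".gif")], "Path": [in_user_home()]}
# OR inside one group: .doc OR .txt, ANDed with the Path group
EXAMPLE_3 = {"Extensions": [ext_in(".doc"), ext_in(".txt")], "Path": [in_user_home()]}
# Size on disk: the 1-byte cat.jpg passes on logical size but occupies a 4096-byte
# cluster, so a 3500-byte limit excludes it; the empty notes.txt (0 on disk) passes.
EXAMPLE_4 = {"File Size": [size_on_disk_at_most(3500)], "Extensions": [ext_in(".jpg", ".txt")]}

if __name__ == "__main__":
    for name, g in [("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2),
                    ("Example 3", EXAMPLE_3), ("Example 4", EXAMPLE_4)]:
        print(name, apply_filter(SAMPLE, g))
```

Example 4 is the practical consequence of the File Size note: a filter written against the logical size will silently miss small files once the wizard evaluates the allocated size, so the limit has to be raised to at least the next cluster boundary.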

12. Add your criteria for each group and click Next until you reach the Review Custom File Filter Constraints screen.

13. Click Finish.

14. Click OK.

You are returned to the Custom File Filters screen.

15. Check the custom filters that you want to add to the profile and then click Next.

FIGURE A-10 Custom Profile Wizard Review Selections Screen

16. In the Review Selections screen, review the actions you have selected to ensure that you want them applied to the profile. If you want to remove any of the actions, highlight the item and click the Remove button.

17. Click Finish and click Yes to the message that appears.

Applying a Custom Profile to a USB Device

After you have created your custom profile, you need to apply the profile to your USB device in order for the device to perform your specified actions during collection.

To create a custom USB device

1. In the Admin console, click on the Devices tab.

2. Click on the Custom Triage Devices button.


FIGURE A-11 Custom Collector Wizard Select Profile Screen

4. In the Select Profile screen, select the profile that you want to use during collection and click Next.

FIGURE A-12 Custom Collector Wizard Select Triage Device Screen

5. In the Select Triage Device screen, enter a Case Name and Agent Name for the device.

6. Select the USB device that you want to make into a Triage device.

Note: If you do not see the device that you are looking for, ensure that the device is attached to the


7. Check Auto-start collection if you want Triage to automatically collect data on the target system on startup.

8. Check Auto-export if you want Triage to automatically export collected data to the USB device.

9. Check Include File Slack Space to include file slack space during collection.

10. Check Include Deleted Files to include deleted files during collection.

11. Click Next.

FIGURE A-13 Custom Collector Wizard Finished Screen

12. Click Finish.

Collecting Data from a Target System

You can collect data from a shutdown target system or a live system. This section describes both methods.

To collect data from a shutdown system

1. Power on the target system and use the keyboard hotkey to boot into the BIOS configuration utility (typically F2 or DEL on most systems).

2. Configure the boot priority of the devices in the BIOS so that it will check for boot devices in this order:

CD/DVD

Removable (aka USB)

Hard Disk Drive (HDD) and other boot devices in any order after that


FIGURE A-14 Agent Interface Window

4. If you did not select to Auto-Collect or Auto-Export when you created your Triage USB device, click the play button to collect data.

When collection is complete, the play button becomes a check mark.

5. Click the Evidence tab, ensure the evidence that you want to export is checked in the Pending Evidence pane, and click Export.

Collected data is exported to the USB device. Data that was successfully exported appears in the Successfully Exported pane. When all the evidence has been exported, the Evidence tab appears in green.

6. Click Exit and shut down the system.

7. Remove the USB device.

To collect data from a live system

1. Insert the Triage USB device into the target system.

2. In the Windows prompt, select to run AD Triage.

3. If you did not select to Auto-Collect or Auto-Export when you created your Triage USB device, click the play button to collect data.


4. Click the Evidence tab, ensure the evidence that you want to export is checked in the Pending Evidence pane, and click Export Now!

Collected data is exported to the USB device. Data that was successfully exported appears in the Successfully Exported pane. When all the evidence has been exported, the Evidence tab appears in green.

5. Click Exit.

6. Remove the USB device.

Saving, Reviewing, and Exporting Collected Data

After you have collected data from a target system, you must bring that data into the Admin console in order to review or export it.

To save, review, and export collected data

1. Attach the USB device to the Admin system.

2. Launch the Triage Admin window, select the Devices tab, and click Manage Triage devices.

FIGURE A-15 Manage Triage Devices

3. Select the case from the Profile on Triage Device pane and click Save Collection. The collection is saved in the AD Triage files.

4. Close the dialog.


FIGURE A-16 Manage Collections Dialog

6. Select the collection from the Collection pane; use the History Filtering options to find the collection if needed.


FIGURE A-17 Recover Evidence

8. Close the Recover Evidence dialog when you have finished reviewing the data and generating reports.

9. In the Manage Collections dialog, select the collection again and click Export Collection.

10. Browse to the location where you want to export the data and click OK.
