Triage-G2
Rapid Intelligent Media Exploitation
Triage-G2® is ADF’s award-winning media exploitation tool deployed by special forces, military, and intelligence agencies worldwide. As the ultimate cyber triage tool, Triage-G2 has a proven track record supporting sensitive site exploitation operations (including DOMEX, MEDEX, and tactical media exploitation as a key component of biometric identity kits).
Designed for forward-deployed operators with stealth capabilities, operators follow a rapid 2-step process, Triage-G2® will rapidly scan, extract, and analyze critical intelligence from computers and digital devices. The tool can be deployed in the field for reconnaissance on a small, rugged USB key.
Key Highlights
- Run scans in Stealth Mode
- Scan multiple computer and storage devices for evidence
- Employ hash matching to pinpoint files from established hash sets such as VICS or CAID
- Use built-in and custom search profiles for swift evidence discovery
The ultimate Plug and Pay DOMEX tool
Leverage AI/ML and Natural Language Processing (NLP) in a pocket-sized media exploitation tool used by special forces, military, and intelligence agencies worldwide to rapidly scan, extract and analyze critical intelligence from computers and devices.
Collect
Forward operators can exploit media and gather critical intelligence in under 2 minutes with the #1 DOMEX tool.
- Ability to run in stealth mode
- Portable and lightweight deployment utilizing an unmarked rugged USB key
- Scan and Image Chrome OS computers such as Chromebooks
- Image live macOS computers via our remote agent and create an AFF4 logical image
- Image live ARM CPU-based Window devices
- Highly configurable artifact and file collection including web browser cached files, social media, P2P, Cryptocurrency, cloud storage, user login events, anti-forensic traces, saved credentials, files shared via Skype, USB history, user connection log, etc.
- Recover deleted records from apps using the SQLite database
- Supports collection of forensic artifacts from Windows and macOS (including T2 and M1 chips)
- Search and collect emails including MS Outlook, Windows Mail, Windows Live Mail 10, Apple Mail
- Investigate attached devices, live powered-on computers, boot scans from powered-off computers, forensic images, the contents of folders, and network shares (including shares made available by NAS devices)
- Simple multi-workstation deployment with a single configuration file
- Rapid data collection from computers and digital devices
- Prepare a Collection Key without Search Profiles to select Captures just before the scan
- Prepare a Collection Key with pre-configured or custom Search Profiles
- Ability to protect the Collection Key with BitLocker
- Ability to borrow license tokens for Collection Keys
- Discover remote Mac OS agents automatically
- Deploy user-created Captures to the Collection Key when not using Search Profiles
- Supports collection of artifacts from Windows and macOS (including T2 and M1 chips)
- Create new log files for logical images
- Simplified data container to store Mac logical images with the ability to process local images from the data container
- Rapidly search suspect media using large hash sets (>100 million)
- Find relevant files and artifacts using powerful keyword and regular expression search capability
- Use password and recovery key to decrypt and scan or image BitLocker volumes including those using the new AES-XTS encryption algorithm introduced in Windows 10
- Process APFS partitions, NTFS, FAT, HFS+, EXT, ExFAT, and YAFFS2 file systems, compute MD5 and SHA1 on collected files for integrity validation
- Capture RAM and volatile memory
- Collect password-protected and corrupted files for later review
- Collect iOS backups on target computers
- Image drives Out-of-the-box with image verification and imaging log file
- Recover images from unallocated drive space
- Recover deleted records from apps using the SQLite database
- Detect and warn of BitLocker and FileVault2-protected drives
- Leverage powerful boot capability (including UEFI secure boot and Macs) to access internal storage that cannot easily be removed from computers
- Direct access to the Capture screen with the ability to define the time range of data collection, define collection per app in a Search Profile, select Captures and apps before a live or boot scan, and exclude folders from the scan
Analyze
- Leverage facial analysis age detection to quickly sort and identify infants, toddlers, children, and adults
- View results while a scan is running
- View thumbnail(s) of attached reference files (displays them in the HTML/PDF report as well)
- In gallery view, filter out images that aren’t rendered
- View chat conversations with bubbles to easily identify the senders and receivers with “Message Thread” hyperlink to select individual conversations
- Filter search results with sorting and search capabilities (dates, hash values, tags, text filters, and more)
- Search scan results using keywords, with results categorized by record type
- View pictures and videos organized by visual classes such as people, faces, currency, weapons, vehicles
- View links between files of interest and user’s activities such as recently accessed files, downloaded files, attachments, and more
- View highlighted encrypted files in the scan summary
- Redact previews when exporting a report
- The ability to Undock Frames panel tab
- Inspect video using comprehensive video preview and frame extraction
- Automatically tag hash and keyword matches
- Define new file types and select individual ones to be processed
- Display provenance, including comprehensive metadata, of all relevant files and artifacts
- Reorder or disable post-scan tasks (classification of pictures, videos, or entity extraction) to run in the Viewer
- ADD-ON: Entity Extraction and Language Translation Gisting (230 languages) available
Report
- Precisely select which files and artifacts to export
- Import hash values from a VICS/CAID database with the possibility to select categories,
- Import keyword list and prompt for default tags and comments if none are in the CSV file
- Import hash values from the CSV file and prompt for default tags and comments if none are in the CSV file
- Export errors when importing keywords or hash values
- Log issues when importing data
- Customize your report to show specific columns and redact pictures
- Present information in a table or list
- Include original files or previews only
- HTML and PDF reporting options
- Export to other forensics applications with VICS / Project VIC (JSON) or CSV formats
- Export to the Orchesight platform
- Share scan results with a portable standalone viewer
Product Description
The Triage G2 Software Kit Includes:
- One portable case
- One 500GB high-speed SSD USB Key
- One four-port USB hub
- One USB-A to USB-C adapter
- One Adapter USB-C to Ethernet and 3 USB-A
- One Ethernet Cable
- Software Maintenance and Support
Technical Specs
Recommended Technical Specs:
- Windows 10 64-bit
- Intel i7 CPU
- 8GB Minimal, 16GB of RAM Recommended
- 500GB PCIe NVMe SSD hard drive