All ADF forensic tools share the same search and scan engine. The differences are aimed at 1) usage scenarios – specifically military operations, forensic lab examination, and field investigations, and 2) user risk management.
Triage-G2® has been designed to meet military media exploitation requirements. The tool is primarily used by operators who have training to run the tool (basic mode) and, with additional training, the option to configure it (advanced mode). It also offers a stealth mode for live scans, advanced search configurations, and an integrated authentication and collection key for optimized workflow. It is, however, limited to scanning a single computer at a time.
Digital Evidence Investigator® (DEI) has been designed to meet both forensic lab and field triage requirements. It is primarily used by forensic examiners and investigators who have training to run and configure the tool (advanced mode only). It also offers advanced search configurations and separate authentication and collection keys, which allow users to scan multiple computers simultaneously. It does not offer stealth mode during live scans or the ability to switch to basic user mode.
Triage-Investigator® has been designed for field triage requirements. It is primarily used by investigators with limited digital forensic training in running the tool (basic mode only). This basic user mode allows for ease of use and limits user risk. It also offers separate authentication and collection keys, which allow users to scan multiple computers simultaneously. It does not offer stealth mode during live scans, advanced search configurations, or the ability to switch to advanced mode.
|Digital Evidence Investigator®||Triage-G2||Triage-Investigator|
Setup and Configuration
|Create custom Search Profiles|
|Create custom Captures (keywords, SHA-1/MD-5 hash, grep search, file collection)|
|Configure file collection types|
|Customize file headers|
|Configure folders and paths to scan|
|Set filters by file properties (size, timestamps, etc.)|
|Basic mode||Note 1|
|Configure Stealth Mode|
|Out-of-the-box Search Profiles for "Media Exploitation"|
|Out-of-the-box Search Profiles for "Law Enforcement" (including Indecent Images)|
Processing Computers and Media
|Scan drive images (e01, dd)|
|Scan live (on) computers|
|Scan dead (off) computers|
|Scan multiple computers/devices simultaneously with a single license dongle|
|Scan NTFS, FAT, HFS+, EXT systems|
|Scan devices connected to suspect computer|
|Scan external devices (USB, CD, DVD, SD cards, etc.) from forensic/friendly computer|
|Images suspect drives & media||Note 2|
|Comprehensive file and artifact analysis and collection||Note 3|
Analysis and Reporting
|Review evidence on suspect computer|
|Create comprehensive reports|
|Timeline analysis of files and artifacts|
|Comprehensive filtering of results|
|Tag evidence on suspect computer|
|Export standalone report viewer|
|Export HTML and CSV report formats|
|Extended license duration (limitations)|
Note 1: Triage-G2 is switchable between Advanced and Basic Modes.
Note 2: Triage-Investigator can only image drives and other media during live or boot scans (Note: DEI and Triage-G2 can also image from a forensic/friendly computer).
Note 3: Triage-Investigator can run only the out-of-box Search Profiles or custom Search Profiles created by Digital Evidence Investigator® (DEI).