Forensic Focus
Join Rich Frawley, a Digital Forensic Specialist and seasoned law enforcement veteran, to explore the powerful capabilities of ADF Pro, designed for investigators and lab examiners.
The following transcript was generated by AI and may contain inaccuracies.
Richard Frawley: Welcome to Mastering Triage: Intro to ADF Pro. We’re going to explore our cutting-edge digital forensic triage solution, a powerful tool designed to empower investigators in a rapidly evolving digital landscape.
I went over the agenda a little bit here. It looks like a lot, but it’s pretty compact. We’re going to go through some slides in the beginning, and I’m going to get to the demo as fast as I can without missing anything that’s important. There’s a live demo coming up, so we’ll definitely be doing that.
About us. We have deployments at larger agencies and corporations. We enable frontline users to collect digital evidence quickly and comprehensively with minimal training, with the ability to connect to and triage just about any device you have access to. 1,500 users in law enforcement and the public safety arena.
ADF is the leader in digital device triage and data collection, and we’re headquartered in Northern Virginia. We started over 20 years ago as an image identification tool. That has quickly morphed into a comprehensive suite that you’re going to be taking a look at today. You may even be familiar with it, but catching back up to where we’ve come — we’ve come a long way. It’s something that just keeps evolving over time. As time changes, we’re keeping up with it as well.
When you’re looking at a tool such as ADF Pro, it’s mobile and computer in one nice user interface. The challenges you’re facing are just that explosion of data. You can see here, in petabytes since 2010, how much the data explosion has grown.
I think you missed my introduction too. I’m Richard Frawley. I’m the Director of Training here at ADF Solutions. I’ve been here for 10 years. Prior to that, 23 years in law enforcement, 17 of those as a forensic examiner and investigator. If you do the math, I go back 10, 11 years prior to this — turn of the century, the late 1900s. I’m a dinosaur in the industry, but have always been forward thinking, which is why I’m here in the triage market.
The data explosion — if you go back to when I started, some of you may remember 2010 on, do you remember 1.44 megabytes of data and using DiskEdit? We’ve come a long, long way from those days. Now it’s the save icon.
That volume of data, that digital explosion — what I want to do here is throw out a poll. What’s your biggest bottleneck today? Data volume? Backlogs — they kind of go hand in hand. Limited staff — that’s always been an issue in this discipline. It takes a lot to get you up to that level of expertise. Budgets and training? Tool limitations? That’s another one. We all try to have a big toolbox, but sometimes you’re trying to do it with one or two and it doesn’t work out.
That’s great. Thanks everybody for helping. This poll really does help us out. Lets me know and lets everybody know where everyone is in the industry.
I’m going to have a couple more coming up. The data is just driven by how we are today. So many data centres, always online. Phones, tablets, laptops, desktops — they’re all still there. There was a time when they said the laptop or the computer was going away and the phone was going to take over.
But with all the remote workers, school, there’s just — computers aren’t going away and the devices are always on. You come into my house and there’s at least four or five, six different devices, at least a couple phones, a couple tablets, a couple laptops. We both work from home, so you’re going to be walking into that just about every day.
That increases our backlogs and the amount of devices coming in. They’re not all the same devices. You’ve got Chromebooks, phones, laptops, Linux, Macs. And each one of those takes a different approach into how you’re dealing with them. More bad actors — that’s just the internet explosion, the availability to all this information and data and sharing and hiding. There’s more and more bad actors out there, especially when they don’t have to do it in front of somebody. They’re sneaking around in their basement online rather than out in front of someone.
And then again, staff reductions or just not able to keep up. That all contributes to the cost of putting this together. Existing tools can’t help in some factors. When you’re talking about our tool and what we can do — those lab tools are lab-centric. They’re meant for deep dives. They’re meant to have a lot of time put into them, a lot of expertise to use them, not really designed for where we come in, and I’ll explain that a little better. They’re not portable — they’re meant to be in your lab, and they’re good at what they do. I am not in any way minimising those tools. I’ve been there. I used them. I had a big toolbox. I knew what each one of my tools did, how I could use it, and where I could use it. And it’s the same here.
We have what we like to say the three different versions of triage. If you look at my other webinars I’ve done so far this year, I really talk about triage tool-agnostically — how do you have a good programme, how it works. I really highly suggest you look those up on our site and go see those. There’s a couple of different ones, but triage breaks into three.
Early triage — freeware, basic image identification, fast, maybe not as accurate. Shouldn’t say accurate, but your trust in what you found or did not find could have been a little better.
Triage 1.0 and 2.0 follow our basic exams. You’re going to collect, identify, analyse, and report. Very simple — the what, who, where, when, how. All those questions that you’re asking, you want to try to solve with triage, and we fit in there like a glove.
Then Triage 3.0 — you’re looking at hosted case management, user collaboration, and the bottom two: licence sharing or token servers, especially for task forces or corporations. Being able to pull up, grab a token, grab a licence, and do what you need to do. And have that audited as to who’s using the tool, how they’re using it, what they’re scanning, how they’re scanning, how much has been successful, how much has been an issue, where they’ve had issues. How many cases get moved forward, how many devices are left behind or are clean. This is where we reduce that backlog.
What I’m going to do here is throw out another poll. Do you currently use triage in your investigations? Triage has come a long way. As I said, I’ve been doing this a long time. I adopted it early. I mentioned in my other webinars I go over 2001, 2002, employing triage because it just needs to be — the backlog was ridiculous back then.
I was a one-man lab for a long time, then a one-and-a-half-man lab. Somebody came in part-time, and you just don’t have the time when you have a backlog. But it’s nice if you implement it. It’s that force multiplier — that term’s getting used a lot, but it’s true. Good employment of triage reduces backlog, reduces time, moves cases faster, and really helps out in areas where it may have been missed. Like, “this doesn’t really rise to the level, let’s just leave it behind,” or “let’s not do anything at all.”
I see about half here use it regularly, about a third occasionally, and then there’s about 10% each of rarely or not at all. If it’s something you’re thinking about, those two previous webinars will work on that.
ADF Pro — what is it? Capturing data that might not be accessible in your advanced logical acquisition. Instant preview and triage of Android and iOS devices, which you’ll see here live today. Easy-to-use mobile triage tool. Mobile Device Investigator, which is part of the whole tool, is the only tool for rapid mobile triage.
The computer-only capabilities I’m going to show here — that’s the Digital Evidence Investigator side. ADF Pro is these two tools put together in one interface, covering all your computer needs. Triage on computers found that are live, up and running Windows — you can scan those. I think we’re all used to that by now over the years.
But with our tool, you could also, if you come across one that’s powered off sitting on the suspect’s desk or bed or wherever, or in a closet, you can boot to that. Get some power to it, boot to our collection key, and you can scan those as well. Other computers — 32-bit computers, Mac, Linux — we have ways to connect to those also and do a triage. All those capabilities in one interface, to be your single on-scene solution for all devices.
If you encounter a device on scene, chances are ADF has some type of method for you to gather information in just about any situation. Some of the key features: comprehensive file collection, and it could also be modified if you come across a proprietary programme and need to add something to it. It can be done really quickly.
Advanced mobile acquisitions — logical acquisitions for iOS, Android, and the ability to capture screenshots, screen recordings. I’m going to show that today. And also Chromebook. All the capabilities you would expect in a forensic tool are in here. It really is a beefy tool. I’m going to be showing you quickly from the ground up as far as triage on scene, but it does a whole lot more.
I have another poll I want to throw out here. Which capability would make the biggest impact for you on scene? Mobile preview, fast logical acquisitions, advanced filtering, hash set analysis, and imaging of Windows and macOS on scene. Some of this may be a little bit more than you would be doing on triage, but just think about the on-scene mobile capability, which we’ve been hearing about for years. That’s why we’ve really worked on this to make it such a powerful tool — it’s resolved some of this stuff being done because triage wasn’t available. The manual thumbing through to see if there’s anything on there — now it’s connected, and you’re getting a lot of information.
I’m going to end that poll. Here is a UK agency that cut their device submissions. This report is actually in here. If you go to the download section, there’s a place for you — you’ll see some of our sheets and stuff. This report is in there for you to read through. I think it’s a two to three page report.
This case study is in there, and this is some of what comes out of the challenge. 300% rising caseload over four years. Staff expanded from eight to 28 — that’s big, that’s a lot of staff. And they didn’t really have that triage system.
The solution was to implement triage, look at things quickly, and get the information to court faster. ADF Pro was employed, and the result: 76% fewer devices sent to the forensic lab for full analysis. They’re making decisions on scene that they trust on what’s going to go to the lab and what’s going to be left behind. Cases processed through charges, now being charged in under a year. And high-risk cases are managed more effectively and confidently. I urge you to download that. Take a look through it, read it. It really is a great case study.
Triage, again — when I talk tool-agnostically, it is for the frontline. And if you don’t have that yet, you can start it in the lab. Really go through your backlog, clean it up, and then start deploying triage out in the field. You’ll start seeing things moving faster, backlogs going down, charges being made quicker.
I know everybody’s in a different legal environment, but plea deals being made faster, and no stale cases. Just moving through a lot better for the lab. If you’re using it in the lab, I mentioned clearing your backlog, making sure which devices go into what lane. This needs to be done. This doesn’t need to be done. This needs to be first, second, third.
I mentioned we do full logical, advanced logical acquisitions. We have a couple of places that use us — everything that comes in gets that full file system or as much information as they can get out of these devices. Your GrayKeys, your Cellebrites, what have you. But the first tool they run against those when they’re done is ADF, because we go through it quick. They’re targeted in what they’re looking for and they determine the lane or what needs to be done with those devices. The same way — even though it’s time heavy on the front, it’s quicker to go through and use this tool.
When you are employing triage, you have a process, you’re going out and it’s repeatable. You know what you’re looking for. You’re going out on specific cases, CyberTips, bringing your specific information that you’re looking for. You’re able to document everything. You’re connecting the device to a tool that is grabbing the information you need rather than manual scrolling and finding something.
You are connected. You are getting your chain of custody information that you may lose when you’re doing things manually. You’re getting date and time, hash values, which device it’s coming from — it’s all connected. And it’s being done in a proper policy and procedure manner.
All the different solutions here. We get used everywhere. I talk about child exploitation, CSAM — it fits like a glove there with all the stuff we have built into the tool and what you’re doing on scene. It’s really where triage gets used a lot. Border security — you need quick access, you need to look at something fast.
Human and drug trafficking, undercover, confidential informants — being able to grab information from them. Somebody who’s being trafficked and helping you move your way up the line. Hooking up the phone, getting screenshots, getting their Ubers, getting their Lyft maps, getting where they’ve been, what they’ve been doing. Chats, phone calls — all able to be done.
Military and counterterrorism — we’re still built so that if you have an issue and you need to beat feet and run out the door, you could disconnect our key and run out with it. Everything you’ve collected up to that point is on there and ready to go. Or if it’s a phone, you disconnect it, hold your laptop, run out the door. Everything you’ve collected up to that point is there for you to use when you get back.
We’re going to do the demo here. I have one more poll that I’m going to launch while I set up. How quickly do you need that evidence out in the field? Everybody’s got a different threshold or a different standard. I talk about the different types of triage and I’ll probably mention those as I’m going through here as well.
The show-me early case assessment, the critical incident-type scans — if you’re not deploying triage, maybe hours is okay. But most of the time you want to get in, get out. Especially if you’re doing these early in the morning, you want to get to breakfast and have a good day after that. And I like “it depends on the case” — that’s one of the biggest answers here that we always get. Can you do it? It depends. I like that. Thank you very much.
Let’s move on to the demo. You should be able to see ADF up on your screen. If you have any questions, please put them in the question box. ADF Pro — both mobile and computer. Investigate devices, review scan results, view acquisitions, and then the more advanced area: scan setup and key management. That’s where you go into customise search profiles. Search profiles are really your set of instructions — what do I want to get out of this device? I’ll tell you where those get used and how they get used.
What we’re going to go through here today is basically how can I get into devices quickly and get what I need. Investigate device — pretty simple menu. Scan, acquire, image. Acquire phone, image computer, collect files. This is an MTP connection to your phones or even off a computer where you can grab specific files. Consensual situations, witnesses at a fight, critical incidents in some cases — we’ll go over that.
You can make that connection and pull down the files directly from the phone. No emailing to yourself, no messaging, no saying “hey, come in tomorrow and I’ll grab that.” You’ll be able to hook it up and get it right then and there.
Screen capture — we’re going to go over that. Hooking up your devices — we’ll see Chromebooks, Android, and iOS in there today. And preview — this is where I’m going to preview with computer first and then come back to this menu and show you preview with phone.
The reason I’m doing that is I have two collection keys set up here. A collection key is a USB device. This is a Samsung T7 SSD. You prepare it in that advanced menu that I was showing you for what you want to do.
I’m going to close my menus down here. I have one plugged in. If you were live on scene, what I’m going to show you — if it’s a live Windows machine, so it’s up and running. I can boot to this collection key, or I can run it live on a Windows machine, or I can also use it to remotely connect to another machine like a 32-bit or a Mac — that’s a little more advanced. We can do it, but I’m not going to demo that today.
I walk into the suspect’s home — there’s a computer up and running Windows. I plug this in and hit Start Windows Live Scanner. The programme will start here in a second.
What we’re doing is starting up the programme and taking control of the computer. You see it looks exactly like the desktop where you start from. I have a couple of options here: scan computer, image computer, create RAM dump, or review any scan results that I’ve done previously. Plug it in, takes control of the computer. Does not change any dates, times, or metadata when it collects.
What it does do — like any other tool that you plug into a Windows machine — Windows is going to say “hey, something was plugged in.” When you execute Start Windows Live, Windows says “a programme started” and makes those logs. From that point forward, when you’re using this, it is not changing dates or times or anything on there.
First order of business — if you want to collect RAM, you click that. One click, everybody knows the rules, it just goes right into RAM collection, saves it onto that T7 for you to use. We’re not going to go through it, but you would bring that back for your favourite memory tool.
You go into scan computer — it’s going to show you everything attached to the device, so you have the ability to scan anything attached to that computer. Here you see my system drive and the operating system. It says it’s BitLocker encrypted with TPM and it is currently unlocked, meaning I can scan it. I have an NTFS deleted partition and I have the typical image and support partitions that you see on all these drives.
I have a virtual drive open and I have several backup drives connected as well. Anything I want to scan there, if I wanted to go through one of the storage drives, I just need to pick the right search profile, which is in the centre here.
I’ll start out showing you how this works on scene, but it’s going to be quick. You’ll have profiles. I have one to go through non-operating system storage devices for multimedia. I’m going to show you those results here. I have one that’s going to go through another Windows demo partition so you can see how it looks. And I have another one that does a little bit more, kind of an early case assessment.
I have one that just does hashes and keywords only — child exploitation keywords and hashes. That’s your show-me scan. I’m just going to go through here and run hashes and keywords and anything that hits — show me that. If I hit my threshold, then I’ve got the collection of the pictures and the hashes, which also goes one step further. If there aren’t any hash hits, you still get to visualise the pictures.
Then I move up to computer triage with linked artefacts. Any files it collects and any of the artefacts it’s parsed out — if that file is referenced, it links them together for you. You look at a picture and you can say, “look, it came through a web download,” or “it came through peer-to-peer.” There’s three recent file entries for it. You can show user manipulation — where it went, the path it went to — all done for you in the background.
You would choose that, give it a name. I’m just looking at that drive and I’m going to use this one and scan. Now it’s looking at the machine. You can see the list of everything I’ve asked it to collect here. There’s a lot of artefacts, there’s a lot of files. I’m running some unique keywords and some hashes.
I can see the keywords that I’m getting hits on going across the top. This matches PAIN, which can be hidden. But the first thing it did was make an inventory or a listing of every file and folder on that device. Even though we’re only collecting what you asked it to collect for speed, there is still that file listing you can go back to and look at. You can gain perspective — okay, there’s more being done here, or there’s nothing else being done here.
It’s going to go through and parse out all your artefacts first. It’s running unique keywords. Now, if they’re really specific, you can see I have over 240 keyword hits that are unique to my case. That wouldn’t necessarily be found on other computers. That’s part of the triage — bringing that uniqueness so you know what you’re getting. Just by looking at that, I’ve got a pretty good idea of what’s going on.
It’s processing a bunch of files here. This is running a little bit slower because I’ve got browsers open, I’m video sharing. But it does go through — you could see all the different things that it collected.
Two things I want to say about a live Windows machine. I’ve got the encrypted drive here — it collected the BitLocker encryption key and TPM keys. And I also have, which is probably going to run after browser cache: saved credentials on a live Windows machine. When you’re running this, it’ll get usernames and passcodes out of the browsers.
What’s great about that? You need to crack another file — you’ve got their password list, you’ve got all the accounts that they’ve saved their passwords in. Think about getting back to your desk and having this for preservation orders. Where did they have accounts? Where were they saving stuff? What were they dealing with? Just a lot of great stuff.
I can go in and view my results. What I’m going to do is stop this here. Let’s say I had to stop it — it was consensual and they want to stop. I just stop here. Anything I’ve captured is already saved and I can go back through and analyse what has already been collected.
Now legally — do I have to get a search warrant for that, or because it was under consent? That’s up to you. But you have it there. You didn’t lose it. What I’m going to do is go into the results. This is what I was running. This is finished. That took a total of six minutes. It collected 11,165 files. All these different artefacts I was talking about, the unique keywords.
I have the IP address that was maybe in my CyberTip. I’ve got somebody’s last name — a unique last name. Not this person’s last name, but somebody that we’re dealing with. Just by looking at that keyword, there’s a saved contact, messages, message threads, an email, calls, browser cache. I know just by looking at this point that there is a relationship there. I have the victim’s names — those come up as well.
If I go into pictures now — I use dogs as contraband. Coming in here, I am at the top of my gallery of all the images or pictures that were captured. You see some red lines — they were automatically tagged. Think bringing in VICS, bringing in your own CyberTip hashes, keywords — all those are brought to the top. That’s why you’re seeing such an intense gallery of what you were looking for, because everything you specified is brought to the top for you. You don’t have to go searching for it.
Once you get down a little further, then you start seeing things mixed in. Those are the ones that weren’t hash hits or weren’t named with those child exploitation keywords. That’s where your analysis comes in a little later.
I just wanted to show you all the properties that come with the file. There was a duplicate of this picture. And when I go look at that, the path of this is in a user-created path. I can see that this picture was downloaded. I’ve got it linked to the download history file and all these recent file entries — whether they’re linked, whether they’re jump lists, whether they’re MRU entries — I have that to show that this was recently accessed. I’ve got the dates and the times. I have everything I need right there to show user manipulation in that quick six minutes.
If you’re looking at video, we grab those too. The nice thing about these — you get the metadata, you get frames, significant frames. When the frame changes, you’ll get some information and more frames. You get to see and make a determination of what’s in there.
Let me go back out. I know I’m spending a little bit too much time — I love talking about this stuff. This is a storage drive, a 500 gig storage drive that I went through. I just looked for child exploitation keywords and hashes.
When I come in here, I had seven hits. Again, I’m using dogs. You can see the dog here — all these are hits on keywords. Hussyfan, Lolita, PTHC. If the file was named that, it picked up on it instantly and showed it to me. 23 seconds, seven images just running hashes and keywords against that storage device. Pretty quick for a show-me threshold-type scan. There were over 20,000 files of pictures on that drive.
But let’s say I wanted a little bit more confidence in that. This next scan is just collecting the images only. I still got those seven keyword-named hits, the same hits. But I also — and I interrupted this, I stopped it — there’s 2,400 pictures. When you’re doing these types of scans, you see what’s being collected. I don’t need to go any further. I feel confident that this is what I’m looking for.
That was less than a minute — 50 seconds, 2,400 pictures, those seven instantly. You can see where, if speed’s a factor, three different types of profiles can run on scene to get that.
Now, the other type of drive we have — I’m going to disconnect this one and plug in another drive. A different collection key, just set up a different way. I’m going to go into this really quick to show you what you can do on scene if you don’t want to customise a profile or you’re not sure what you’re walking into. This is the same thing, just set up on a different drive. I plug it in, start it up, and it’s going to look exactly the same until I go to scan the computer.
In the centre, instead of having search profiles with my set of instructions, I pick these on scene. What do I want to search for on scene? I want to search for A, B, and C. I want to add some keywords. I want to look for multimedia. I want to look for my user data. It lets you really customise it on scene.
Maybe step through — just give me two things and then I’ll decide if I’m going to look for more. It really allows you to adapt and overcome when you have one of these two options. Now all of a sudden something changes on scene. You didn’t have a search profile customised — this allows you to do that. One licence, as many collection keys as you bring out in the field, you can use out there.
You plug it in, start your scan, authenticate with your licence. Once it starts, you pull the licence out, move on to computer number two. When that one’s up and running, you take your licence, go back to your laptop, and start working on your phones.
Here on that key, you can see I ran a scan for a missing person. I can show you those results, but that’s another way this can be used. You go out on a missing person, the computer’s there, you want to take it back and analyse it, but you want to get people somewhere to start. You could run browsing history, things that may have been downloaded, browser history, forms, downloads, search terms, documents from the user profile — maybe five things, really quickly. Grab that information, let the investigator start on scene, and then take that computer and start going through it.
Phones. Now I’m on the phone preview. I have an Android here, hooked up. We have a wizard to walk you through the process, but it’s no different. If you’ve connected an Android device with any other tool, you know what to do: become a developer, USB debugging, make it stay awake, allow apps. It gets connected. We hit proceed and it starts making the advanced logical acquisition of that device. It starts showing it to you in real time.
I’m connected, I’m getting properties. It’s an advanced logical acquisition — nothing is different.
With Android, you’ll start getting your artefacts up front. But the nice thing about this is I go right into pictures. It’s identified 2,860. It’s up here in the corner. The most recent pictures are at the top, since we’re not using hashes or keywords yet — just the most recent on this phone.
You’re not thumbing through the phone. You’re able to come in here and look at it. I have my contraband. I can stop — I could just stop this. Anything I have collected up to this point I could report on. If you need to go further, this is live as if the acquisition was done. All my filters are here to be used. Videos the same way — it’s identified 10 videos. Now that I’m in here, it’s going to know I’m looking at videos and start processing those, giving me the metadata, the frames, the previews. Just a lot of features, but that’s how quick it went through.
That’s an Android, and it’s still running. Again, I can stop it at any time, I could report on it. We have HTML, PDF, CSV — we do VICS format. We do location data out to KML. We have a standalone viewer, so I can take all this and give it off to an investigator to go through. Just a lot of different ways to report as well.
The nice thing about this is I can start looking at my chats, operating system information, saved networks, how many user accounts are on this device, what’s installed on it. What am I in for when I do seize this?
I’m just going to stop that. I’m going to go back to preview and just show you I have an Apple iPhone 14 Pro Max with iOS 16.3.1. Same thing — I just connect it and come in here. The difference between iOS and Android is Android is upfront with artefacts. With iOS, in their acquisition phase, they come a little bit later.
You’ve got to watch the screen, make sure you trust and do all that. Again, it’s just like you’re making the advanced logical acquisition — it’s just showing you things in real time. Device information came up quick, so I can go right in there and look at all that information. It’s collecting files, and if I go into pictures, same thing — most recent on top.
There’s about 3,000 pictures on this phone, but I’m not going in there because it’s my personal phone. No need to see my kids and my wife. Same exact thing, no difference. Same with videos — 61 videos and it’ll go through and start making thumbnails, frames, previews and such.
No different — again, just when the artefacts come across. It’s really heavy on multimedia upfront. Gets you in, gets you looking at it right away. Just stopping this one — it’s got to stop the process.
Then I want to get in and show you some screenshots. Preview — quickest way in. I hope everybody was able to understand that: you connect it, it starts making the acquisition, but it’s showing you things in real time. Next is screen capture. Again, a quick way in, good for witness, victim, consent-type situations where you need to grab something quick. Still falls under that triage.
I have that Android hooked up. All you do is get it in — Android automatically casts in here, so you see what’s on my screen. I’ve got it in my hands. I can swipe up, swipe down. I can take photographs, I can comment, I can tag, I can sort. I don’t have to wait till after.
Especially when you’re doing these — it’s important when you’re looking at something and you see a picture, you say “I want a screenshot of that.” And this is why you can make a comment here and tag it to be in your report. You still have to process it, but it takes all that with you.
You can go into settings. Whatever you can bring up on the screen, 99.9% of stuff that comes up on that screen is going to be cast. Some apps, some financial apps may prevent that. And I know one — Telegram secret chats. If you have one of those, it prevents the text from being cast over the device.
They’ve changed it up a couple of different ways, but typically we can get all the Telegram this way. With that, it’s a little bit different. When you’re done, you can finish this. It processes all your screenshots, processes it with OCR, brings it into a case for you to analyse and report on.
You can — and I’m going to show you what that looks like here in a second — or if you’re going through this and using it, it is like an interview process, which I like to do. You’re going through and you decide, “oh, I just saw something — we need to take this phone now.”
You can hit acquire and make your advanced logical acquisition at that time too. Or if you talk a reluctant witness into saying, “I really should have everything on here,” and they agree as long as they’re sitting there watching you — sometimes they’ll agree.
I’m going to leave here and show you screenshots. I did 16 screenshots on this phone. I broke them down into groups. I have three from the home screen. I had four from Kik, password screen, and Wickr on this one.
The nice thing about this — I can show you the previews here. I’ve got their account information, I’ve got their chats. You can see here, we can scroll through chats. I didn’t show you there, but if there’s a long chat, you can hit scroll and it pages down and captures all those screens for you.
And this is what it looks like here. You can also search these — I said there’s OCR, so I can look for “Lex” and hit that. You can video record as well — that’s a scroll. You can play video here. I actually recorded the password screen, so I had it up scanning and I recorded myself putting in the password on the device. I have that recording as well.
You can record a whole session. You can record just little things as well. That is available to you, especially if you’re worried about “hey, I was in the device — let me just record everything I do.” Every screen that you went to, you have the ability to do that. With each one, you get date and time, a hash value, and the device it came from. Again, connecting that.
You can also do iOS devices. They are a little bit different in connection. I have videos on that, but once you’re in and casting, it goes by version. I think it was iOS 15 to 16 where there was a change, so casting into the tool is a little bit different, but we’ve overcome that and we’re good.
You saw I did a scan on an iOS 16.3. MTP connections — if it’s a phone, not just Android. If you have an MTP connection, you can get into that. Screen capture — I want to show you one more thing. I have a media capture card connected to this. I have a Chromebook, HDMI out on the Chromebook into my media capture card, media capture card into my computer.
I am now looking at my media capture card. When I proceed, you will now see my Chromebook. That’s what’s on my Chromebook. Now we can do an Android acquisition of a Chromebook. You don’t really get as much. For those who are looking for acquisitions, it’s limited. It’s not what you used to be able to get.
They’re very difficult, but if you have access and you know what you’re looking for — it’s that type of case. Again, it all comes down to knowing your case. You can come in here and start screencasting and taking pictures of whatever is on that device.
You can see them coming through over here. There’s the pictures. I can start screen capturing that. Again, I can record, tag, sort, filter — can do all that as well. Chromebooks, Xbox, PlayStations — anything with a video out, you can get video in. Take a camera’s video. My webcam, if it wasn’t being used, I’d be able to connect to that and you could scan as well. Unlimited opportunities for getting in there.
Screen capture, preview, collect files. I have my phone. You have a critical incident or a witness — a fight at a bar and you’re there and you need to get some pictures off of that. You pick the phone, go to add files, find the phone here. There it is. Go to the internal storage, DCIM, pictures from Kik. I can just select these and now they’re there for me to download right off the phone into a container, an acquisition. Then I can process that, pull that information out, and I have it for me to report on.
Collect files, acquire — we make an advanced logical acquisition, no different. Get the phone connected, come here where you’re going to save it, proceed, it goes through the process, saves it into your acquisition section. When your acquisition is done, I can come in here and scan it if I want to do it in two phases, or you have the ability to do it all at once.
I go into scan, I have my phone connected, I pick my search profile — again, that’s the instructions on what I want to get out of it. Mobile devices, child exploitation. Give it a name, I hit scan, and it’s going to give me the opportunity to screenshot this way. If there’s something I know I need that’s not going to be in that advanced logical, I can capture it at this time. They get added to the acquisition. Then once the acquisition is done, it goes into parsing it out and you’re in the analysis mode.
I went a bit over — I get excited about this tool. ADF Pro 6.3 is coming out in about a month. We’re going to have targeted extractions, which would have added to this. Targeted extraction — I want A, B, and C, more than collect files. This will get into your records, your artefacts. I want this chat, I want my Kik chats, I want these pictures, I want whatever. You’re going to be able to target that. When you’re done asking for it and hitting execute, that’s all that you’re going to get.
It’s going to leave everything else behind. You won’t have anything else — it’s selective targeted extraction. We have some fixes — iTunes backup, I know we do that already and I think we’ve made some fixes to it. Encrypted acquisitions, dark mode is coming — I know a lot of people love that. And some new artefact improvements as well. Look for that in about a month.
Takeaways: it’s quick. You can get connected to a bunch of devices. I know I rambled a little bit. Again, I appreciate everybody coming in here. Frontline non-technical users, but users who are smart enough, trained by you and allowed by you in the lab to do what needs to be done. Or you as an expert out here doing this. You can use token servers, you can audit, you can share. Preview, capture, screen capture. And that’s it. I want to thank you again.
Q&A
Let me look at some questions here. “What type of results are produced for Mac computers and how does this solution interface?” Great question, because I did mention that. What you do is make a connection through Ethernet — there’s a remote agent on our collection key that gets plugged in, that makes the network connection between you and the Mac. Then you can run a search profile against that Mac from your Windows laptop.
You can image from your Windows laptop across that wire. We have it all in our user guides. I have some videos online of it. I have videos online of the HDMI as well. That was a great question, and what I was showing you before — the same results you’re going to get. It’s the same artefact captures, it all shows the same. The nice thing is it covers a lot of different scenarios.
It’s not a stupid question — no such thing as a stupid question. Somebody asked about understanding file systems. I don’t know if we have that in there, but I will definitely take this and move it along.
The Lenovo Legion, a portable gaming console like Nintendo Switch — I don’t know if we’d see that, but if you can get an HDMI out of that, we would definitely be able to screencast that like we would with an Xbox or a PlayStation. It goes back to way back when I was doing it: clone the drive, put the clone drive back in, navigate through and screenshot as you’re going through. It used to be take pictures, but now you can capture it right in our tool — you get the date and time, the hash value and all that. Great question, and I’ll look into that for you with that operating system.
“If the user’s using a hidden photo function on the phone, will the images still show up?” Good question. With the advanced logical — whatever’s in the advanced logical depends on whether we get it or not. Some hidden folders won’t show up. But if you’re connected to screencast — yeah, the hidden folders have been coming up. You’re able to capture those as long as you can get into them and open them.
These are great questions. “Is the mobile device preview connected to…?” Yeah, it didn’t show the connections. It’s just your standard connection cable that you would use with your iPhone or your Android. You get them in the kits — when you buy the tool or get a kit, you’ll get the cables and connections and everything you need.
“I saw major console badges and a list of devices supported by ADF. How far exactly does the support extend?” Android and iOS — as long as you have access to it, we’re going to be able to get in there. Anything with a video out, we should be able to see. Macs — we connect that remote way. Linux — you can boot to and scan.
Any phones that are not Android or iOS that have MTP connections, we could connect through those. Of course, you’re only dealing with files — Media Transfer Protocol — but it’s still a way in to connect and get something off of that device that you’re looking for.
Recording? Yes — somebody came in late. This is recorded and you will get a link to the recording. Give me a couple of minutes at the beginning because I had a technical issue, but yes, that will be there.
“Photo vault installed and he’s placed protected photos. If you have the passcode, will ADF collect all of them?” In the advanced logical, I’m not sure, but I know if you can bring it up on the screen, you’ll be able to screencast those. Another good question.
I see here — “so you were able to connect to that Legion and grab an E01 off of it, but scanning — not so much.” Yeah, we’re probably not there. There’s nothing that we’ve looked at to be able to pull that off. Files possibly, but again, I’d have to look at that OS.
Gaming consoles are really just HDMI capture. We don’t have anything — they’re proprietary. Nobody really has a way to get in and get that information. Standard procedure has been to manually clone the drive, put it back in, and take pictures. But here, you just cast it right into the tool just like you saw the Chromebook. Same exact thing.
Hey, thank you very much. I know I ran over — a lot of you stayed. I appreciate that. Any questions, you have my email address up here. Get a demo of it. Look at my other webinars about triage. Again, I appreciate it. Thank you very much everybody. Have a great rest of your week.