Triage Media

Recently, I had a need to quickly collect some files of interest from a hard drive. I had limited time and I was really not concerned with deleted data, only logical files that existed. I manually created a LEF with the areas that interested me, but I then began to think about those areas where people are most likely going to collect artifacts from in a quick triage process.

I came up with (5) five distinct areas on a volume:

User profiles (\Documents & Settings or \Users)
Recycle Bin
System Volume Information
Registry (\Windows\System32\Config)
Program Files

So I built a triage EnScript that contains options to collect data from each of these areas in an automated way.

On the left, there are the five options I mentioned above, then on the right, there is a sixth option, which is a kind of "catch-all" for other areas. The first five options on the left collect *ALL* files, regardless of extension from each respective area. The sixth and final option can be limited by extension and includes those paths that are not already collected in the previous five options.

My purpose of writing this was to have a relatively quick automated way to collect user data from any attached/previewed media and then have that data placed into a logical evidence file in a logical manner that made sense later if I collected data from several pieces of media.

The help button explains each of the options:

Running the EnScript with each of the options will result in up to (6) six LEF files being created for each volume, one for each option, depending on whether that path is present. You can then examine those LEF files as time permits. Obviously the time to process each option is dependant on the amount of data that may or may not be in a specific area.

Download Here