In the fast-paced world of digital forensics, time is often the enemy. Investigators need tools that allow quick, reliable evidence collection without compromising integrity. That’s where ADF Solutions comes in. Their software empowers field examiners to triage computers using a simple USB device. This portable setup turns any compatible USB SSD drive into a powerful “Collection Key” for scanning suspect machines.

Whether you’re dealing with child exploitation cases, corporate investigations, or cyber threats, ADF Software streamlines the process by automating searches for critical artifacts like contraband, chat logs, browser history, and more. In this post, we’ll dive into the two primary scanning methods: live scan and boot scan. I’ll cover how to set them up, their steps, benefits, and when to choose one over the other. Let’s get started!

What is Digital Forensics Triage?

Before we jump into the scans, a quick primer: Triage in digital forensics is like emergency room sorting—it’s about rapidly identifying and prioritizing evidence on devices. ADF Software excels here by using predefined “Search Profiles” that target specific data, such as keywords, hashes for known illicit files (e.g., via VICS or CAID databases), or artifacts from apps like social media, P2P networks, and cryptocurrency wallets.

The magic happens via a USB Collection Key, which you prepare on your forensic workstation. This key is bootable and can include custom profiles for tailored scans. ADF supports Windows, macOS (including T2 and M1/M-series chips), Linux, and ChromeOS, and handles file systems such as NTFS, APFS, and EXT. It even decrypts encrypted volumes (e.g., BitLocker, FileVault) using the provided credentials.

When preparing the Collection Key, you have options to prepare the Collection Key with Search Profiles, which are your set of instructions for what is going to be captured and collected, or they can be set up to only show the individual captures, allowing you to customize on scene right before the scan.

Performing a Live Scan

A live scan is ideal when the target computer is already powered on, and you can’t afford to shut it down. Think volatile data like running processes and RAM contents that could vanish on reboot, or BitLocker encryption for which you do not yet have the credentials. Using a live scan on a running Windows computer with Digital Evidence Investigator (DEI) or ADF PRO can collect RAM, recover Bitlocker credentials, and also collect user credentials saved in browsers.

To conduct a live scan, the Collection Key is inserted, and a batch file is executed to open the ADF interface. The Collection Key can be prepared using Search Profiles that are preconfigured or customized for your investigation with specific keywords, hashes, and only the artifacts you want to collect. At this point, you will have access to the system drive and any attached device you would like to scan, such as physical drives, logical volumes, attached storage, or even network shares.

Once you commence the  “Scan.” The process runs in parallel, collecting artifacts while displaying real-time progress, thumbnails, matches (hashes and keywords), and image classifications such as weapons, vehicles, pornography, and more. Once complete, results are stored on the Collection Key. You can view them immediately or transfer them to your workstation for deeper analysis.

Benefits:

• Minimizes Data Loss: Captures live system data, including RAM dumps for volatile memory analysis.
• Speed: No reboot needed, making it perfect for time-sensitive field ops.
• Versatility: Works on locked or encrypted systems with credentials; supports remote agents for macOS.
• Non-Intrusive: Leaves minimal traces Windows log some artifacts from USB insertion and program execution. Once the program is executed, no dates, times, metadata, or files are changed.

However, live scans might not access everything if the OS restricts certain areas, and they’re not “forensically sound” as boot scans since the system is active.

Performing a Boot Scan 

For a more controlled environment, opt for a boot scan. This method boots the target computer directly from the USB, ensuring no modifications to the internal drives.

Getting started with the boot scan is simple. Insert the Collection Key and upon powering up, press the one-time boot menu key (available on most modern computers). The Collection Key is built on Windows, so it is trusted; therefore, no secure boot configuration is necessary. Next, select the Collection Key and it will boot to ADF. From here, you have access to the system drive, attached devices, and Search Profiles that are preconfigured or customized to your investigation with specific keywords, hashes and only the artifacts you want to collect. The rest of the process is the same as a live scan.

Benefits:

• Forensically Sound: Read-only access prevents any changes to the target media.
• Comprehensive Access: Bypasses OS restrictions to scan internal storage, recover deleted files, and decrypt volumes.
• Portability: Great for powered-off devices or for imaging the entire drive post-scan.
• Efficiency: Supports multiple OS types, including UEFI Secure Boot and Macs, with parallel artifact collection.

Live Scan vs. Boot Scan: When to Choose What

Use Live Scan for active systems where shutting down risks data loss. Use Boot Scan for thorough, tamper-proof analysis on seized devices (e.g., in lab settings or when full drive access is crucial for CSAM investigations). In both, you can follow up with imaging: 

Hybrid approaches work too—start with a live scan for quick intel, then boot for deeper dives.

Conclusion 

ADF Software on a USB device revolutionizes computer triage by making it accessible, fast, and reliable for non-technical users. Whether opting for the convenience of a live scan or the rigor of a boot scan, you’ll collect actionable evidence like prohibited files, user activity, and hidden artifacts in minutes. If you’re in law enforcement, HR, or cybersecurity, tools like Digital Evidence Investigator can transform your workflow to triage from a USB device.

Request a demo today at www.adfsolutions.com

The post How to Triage from a USB Device: Boot and Live Scan Computers appeared first on ADF Solutions.

Begin by unlocking the device, setting Auto-Lock to Never, and accessing the “Add Device Wizard.” Following the prompts to establish a device connection, you’ll have access to more data than the Media Transfer Protocol (MTP), which only retrieves media.

For those with iOS 16 or higher, enable screen mirroring via AirPlay by connecting both the iOS device and ADF workstation to the same WiFi access point, ensuring a smooth connection for casting. If issues arise, consider alternative methods like MyPublicWiFi for a local network setup without internet access.

Watch the video to learn more:

REQUEST A FREE TRIAL

The post How to connect to an iOS device for Screencasting appeared first on ADF Solutions.

We have several options available for conducting triage, including, but not limited to, a quick “show me” approach, “early case assessment,” “critical incident” evaluation, and “intelligent triage.” Let’s briefly explore each of these methods and their potential applications.

The Show-Me Triage

Let’s start with the quickest and most commonly used form of triage: the “show-me” triage. This method is particularly effective in child exploitation investigations, where multimedia content and specific keywords can help you quickly locate the data necessary for decision-making. It is mainly utilized on-site during a search warrant or a knock-and-talk situation. This approach helps investigators make swift decisions, allowing them to rule out devices as well as locate them. 

The “show-me” triage is fast and often depends on the visual inspection of the investigator or analyst to determine if the multimedia content meets the threshold for seizing the device. However, depending on the tool used, this method can be one-dimensional, may generate false positives, and can leave you uncertain about the findings.

Early Case Assessment

Utilizing a customizable tool can enhance your ability to conduct a quick multimedia and visual search, incorporating case-specific hash values, unique keywords, and artifacts. This approach can lead to user-specific interactions with the multimedia content. An “Early Case Assessment,” performed within a “preview” or “scan-only” framework, allows for the rapid visualization of data. You can pause at any moment to report on what you’ve collected, enabling accurate documentation of your actions and decisions.

If you are a forensic investigator who typically sends devices to a regional lab, early case assessment enables you to gather data directly from the device using Advanced Logical Acquisition. This allows you to continue your investigation while the device is being sent to the lab and you await the results. In some instances, this method can lead to an earlier and more successful resolution of the case.

Consider an investigator who receives a CyberTip related to Child Sexual Assault Material (CSAM), along with unique keywords and hashes pertinent to the case. By employing a triage methodology, the investigator can create customized search parameters, incorporating the Cat 1 Project Vic hashes to scan both computer and mobile devices for relevant data linked to the CyberTip. 

Using ADF PRO on the scene, the investigator scans a live Windows computer and also boots a computer using a USB Collection Key loaded with ADF PRO and the customized search parameters. While scanning the computers, the investigator utilizes the license to preview and obtain Advanced Logical Acquisitions from multiple devices. 

Through this process, the investigator determines that the live Windows computer is directly connected to the downloading of the material referenced in the CyberTip. Additionally, the scan of the powered-off computer—identified as a Linux machine—also reveals the presence of contraband. All of this is accomplished within a timeframe consistent with the duration typically required for executing a search warrant. 

The investigator not only makes on-site decisions faster based on the CSAM discovered but also conducts an interview using the relevant data. Devices deemed irrelevant are cleared and left at the scene, allowing the lab to focus on the devices that are pertinent to the case.

The Critical Incident Triage

This brings us to the “Critical Incident” triage, where investigators are faced with a large number of devices and need to find specific information, typically related to date, time, or GPS metadata. In these scenarios, a preview can be conducted, allowing multimedia to be sorted and filtered quickly based on specific criteria. This process enables investigators to select only the devices necessary for immediate review. In cases involving victims or witnesses, the data can be collected, and the devices can be returned promptly and efficiently.

In this context, a critical incident occurs in a contained area, leading to the collection of numerous devices to secure any multimedia (pictures and videos) from that day that may aid the investigation. By utilizing the preview function of Mobile Device Investigator (MDI), investigators can quickly view and filter multimedia based on a specific timeframe or geographic location related to the incident. Within minutes, they can collect pictures, videos, properties, integrity hashes, date/times, and device information. This approach allows for minimal intrusion on the devices, enabling them to be returned to the witnesses swiftly.

Intelligent Triage

Triage methods vary in their processes depending on the type of case and the data available upfront. When these methods are combined or customized, they help adapt and respond effectively; this is where intelligent triage comes into play. Intelligent triage refers to an advanced, technology-driven approach to efficiently sorting, prioritizing, and analyzing data from devices in real-time, especially in time-sensitive or critical situations. Unlike traditional triage methods, which often involve extensive data collection followed by lengthy analysis, intelligent triage utilizes smart tools to streamline the process. This allows users to quickly identify and extract the most relevant information needed at that moment.

How ADF Helps

ADF Solutions has been a leader in digital triage for over 20 years, empowering you to customize, adapt, and effectively manage your cases while filtering out the noise. Our technology enables law enforcement professionals to automate a substantial portion of the evidence collection process, enhancing their confidence in investigations.  

Need assistance with your particular use case? Contact ADF today for a quick demo.

The post How to Master Triage For Your Forensic Investigations appeared first on ADF Solutions.

Empower Your Experience

We are user-driven, meaning we actively listen to our users. With each release, we incorporate features, fixes, and new artifacts at the request of our users. In addition to our daily interactions, we have a program for “super users”. These individuals have a direct line to our development team, where they can provide feedback and suggest new ideas. They also gain access to early release candidates for real-world testing, along with other perks that make this program beneficial. If you consider yourself an ADF Super User or a forensic examiner extraordinaire, please reach out to us. We are always looking to welcome new members to our team.

Updates for Your Favorite Apps

Artifacts play a crucial role in ADF tools and can be quite unpredictable; what works today might not work tomorrow. Rest assured, our teams are constantly working to ensure that when you select an item for parsing, you receive exactly what you expect. This month’s release brings us updates to several artifacts that are already implemented, such as Snapchat, Telegram, TikTok, Tinder and WhatsApp. Additionally, we are introducing support for Apple Wallet financial transactions from iOS. 

Watch ADF PRO v6.2 Webinar

Elevate Your Analysis

Enhancements to the user interface are always appreciated, as they aim to make your examinations and analysis easier. ADF tools have always been user-friendly, but a recent enhancement, the addition of a Home Button on every page, has garnered significant excitement from users. Additionally, we have made two key updates to the viewer section based on user input and request. You can now view your artifacts organized by apps as well as organized by artifact type, giving you a choice on how you are analyzing your data. We have also added a messages thread view in addition to the individual messages records, again giving you latitude in your analysis.

See Everything Together

One of the major improvements in this release is our acquisitions feature. Now, when you create an acquisition using ADF PRO or Mobile Device Investigator, there is a dedicated acquisitions screen where you can view and manage all your acquisitions in one place. Additionally, the acquisition process now allows you to add forms to the acquisition even if you are not going to scan it immediately. 

Conclusion

At ADF, we are driven by our mission to serve those who serve others. Some of our most exciting times come when we add new features and capabilities, as well as when we learn how these enhancements are being utilized. Of course, launch day is always a highlight for us as we release new features. We hope you’ll love what we’ve created!

Request a trial today at www.adfsolutions.com/free-trial

The post What’s New? ADF PRO v6.2.0 Features and Enhancements appeared first on ADF Solutions.

When conducting a digital forensic investigation and collecting screen captures, ADF and Android devices have always worked seamlessly to enable auto-scroll and screen manipulation via touchscreen. On the other hand, iOS devices do not provide the necessary means to enable a feature such as this, creating a process that can become tedious for the user when encountering chat messages that require multiple pages to be screen captured. ADF is proud to introduce you to the ADF Bluetooth dongle, giving you back control of the iOS device and enhancing your collection process during screen capture.

It is now possible to use the ADF Bluetooth Dongle to remote control devices that support Bluetooth keyboards, such as iPhones, iPads, and more. The ADF Bluetooth dongle is strictly for use with the ADF application and is supplied with Mobile Device Investigator and ADF PRO.

By following the steps in the how-to video below, you will be on your way to simplified investigations and evidence collection.

Steps for Connection:

1. Connect the ADF Bluetooth Dongle.

• Insert the ADF Bluetooth Dongle into the computer running the ADF application.

2. For iOS Devices:

• Navigate to Settings > Bluetooth on the target device and enable Bluetooth.
• Under the OTHER DEVICES list, select “ADF” and complete the pairing process.
• Then, go to Settings > Accessibility > Touch > AssistiveTouch, enable AssistiveTouch and adjust TRACKING SENSITIVITY to a value between 10% and 20% to allow interaction for auto-scrolling and screenshots.

3. For Devices Connected via the HDMI Video Capture Card:

• On the target device, go to Bluetooth settings, select “ADF”, and complete the pairing process.

The post How to get started with Bluetooth Capture appeared first on ADF Solutions.

Stolen Device Protection requires biometric authentication—Face ID or Touch ID—for sensitive actions like accessing stored passwords, credit cards, or changing Apple Account settings. If the iPhone is not in a familiar location, a one-hour security delay is enforced for critical changes, followed by a second biometric check. This ensures that thieves cannot quickly alter account settings or access sensitive data, giving victims time to activate Lost Mode via Find My, which locks the device remotely. For users, this feature significantly reduces the risk of financial theft or data loss, as seen in cases where thieves have exploited passcodes to drain bank accounts or lock owners out of their Apple IDs.

For law enforcement investigators, however, Stolen Device Protection complicates digital investigations.
When working with an iOS device away from the user’s familiar locations, even in consensual situations, where the passcode to the device is known, biometric authentication will still be required after the passcode is entered.

Workarounds, such as disabling Stolen Device Protection via Settings (requiring biometrics and a delay if not in a familiar location), are not always feasible. We need to anticipate any iPhone we encounter will have SDP enabled and must act, with the consensual party, to turn off SDP in that familiar location. If you are not in a familiar location, you will have to have the consensual party stay long enough to enter the second biometric authentication after an hour. Knowing this allows you to try and determine if a familiar location is closer than waiting the hour, and then moving to that location.

Additional steps are not required, when you are in a familiar location, the user can use the device passcode like usual. What is a familiar location? Familiar locations typically include your home, work, and certain other locations where you regularly use your iPhone. While there is not a list of familiar locations available to you in settings, you can look at Settings → Privacy & Security → Location Services → System Services → Significant Locations, which may show a recent location close to your current location, other than home or work. This allows you to adapt and overcome if time is of the essence.

The post iOS Stolen Device Protection: A Game-Changer for Users and a Challenge for Law Enforcement appeared first on ADF Solutions.

HDMI capture has revolutionized the way law enforcement agencies collect and analyze digital evidence. By capturing high-quality video and audio directly from a device’s HDMI output, investigators can obtain a comprehensive record of digital activity. This technology offers numerous benefits that can significantly enhance investigations.

Over the years, collection of the primary data used in an investigation has shifted from computer to mobile devices, and has been an ever changing process along the way. The one constant during this period is the question “Do you collect from gaming devices?” or “Can you get anything from the Television?”, or, and this is the big one, “Chromebooks”. For the most part, the answer has been no, except for a few complicated processes along the way. There is also the tried and true method of taking photographs of what is on the screen of the device.

What is HDMI Capture?

HDMI (High-Definition Multimedia Interface) is the standard interface for transmitting audio and video signals between devices. HDMI capture records the video and audio signals transmitted over an HDMI cable. In digital forensics, this technique is employed to capture the screen output of a gaming console, providing investigators with a visual record of the activities taking place on the device.

How is HDMI Capture Used in Forensic Investigations?

ADF now allows you to capture from the HDMI output directly into ADF PRO, DEI, or MDI, giving you the ability to tag and comment during the collection process and document the date, time, and integrity hash of the captured picture or video. If you are working with a victim, witness, or consensual situation, you can quickly grab only the data you need quickly. Gaming systems (Xbox, PlayStation, Nintendo), Chromebooks, Streaming devices such as FireTV and Roku, Mobile devices that have HDMI output, and internal and external cameras attached to your device. 

Common Scenarios for Gaming Console Investigations

• Cybercrime: Gaming consoles can launch cyberattacks, such as DDoS attacks or malware distribution. HDMI Capture can help identify the source of these attacks and the techniques used by the attackers.
• Child Exploitation: Online gaming platforms can be used to groom and exploit children. HDMI Capture can be used to monitor these interactions and gather evidence of child exploitation.
• Fraud and Theft: Gaming consoles can facilitate fraudulent activities, such as identity theft or online scams. HDMI Capture can help identify and investigate these activities.

By leveraging the power of HDMI capture, law enforcement agencies can improve the efficiency and effectiveness of their investigations, leading to stronger cases and better outcomes. 

The post Game On! Investigating Gaming Consoles with HDMI Capture appeared first on ADF Solutions.

ADF’s Digital Forensics Age Detection capabilities allow investigators to take advantage of automated facial analysis and image recognition to filter results. The system can automatically find and detect images of:

• Infants
• Toddlers
• Children
• Adults

Combined with ADF’s built in support for Project VIC and CAID hashsets, as well as ADF’s hashing, matching and photo probability capabilities, and built in Search Profiles, investigators are empowered to start identifying victims and suspects to make intelligent, on-scene decisions. 

In this short 3-minute video, you’ll learn how Internet Crimes Against Children investigators can get the most out of ADF triage and digital forensic software. 

Investigating Child Exploitation Material 

ADF tools are designed to make it easy for field investigators to triage mobile phones, tablets, computers and digital devices and include capabilities built specifically for ICAC Task Forces and law enforcement agents dedicated to investigating cybercrimes against children. 

• Project Vic and CAID – Classifying and auto tagging gives investigators and forensic examiners the ability to remove these images from the gallery and analysis.
• Hashing – Provides investigators the ability to auto tag and remove from view.
• Matching – Automatically indicates and moves images to the top for easy tagging images that match a keyword or hash value.

Photo Probability

• Age Detection – Is set in the Search Profile and when customized can be enabled or disabled – it can also be prioritized before picture and video classification.
• Default Search Profiles – Are configured to run age detection and can be paused if not required for an investigation.
• Classification Button – To display post-scan processing tasks progress. These tasks include the visual classification of pictures, videos, age group detection, and entity extraction which is included with the Rosoka Add-On. This functionality also enables examiners to pause and resume post-scan tasks.

Investigators can also access Pictures or Video views filtered by a visual class once the classification is finished or paused.

How to Use Age Group Detection

Forensic examiners and digital media investigators can use the Age Group property filter to quickly eliminate pictures of adults to focus on different age groups – or select all – if the goal is to have all children as you may not be looking for a specific age group in an investigation. Once tagged items can be filtered out thereby reducing the gallery of items to be analyzed.

You might also like:

• How to Prepare a Sanitized CSAM Report 
• How to Add Project VIC and CAID Hashes to a Search Profile
• Anti-Human Trafficking Search Profiles (for Law Enforcement)
• Digital Evidence Investigator PRO Field Tablet

The post Digital Forensics Age Detection and Facial Analysis appeared first on ADF Solutions.

This blog post highlights a critical webinar designed to equip ICAC (Internet Crimes Against Children) units with the latest mobile forensics tools. These powerful tools empower investigators to dismantle these heinous crimes and protect vulnerable victims.

The Evolving Threat Landscape

The online world, unfortunately, provides a breeding ground for human trafficking and CSAM distribution. Criminals constantly evolve their tactics, making it vital for investigators to stay ahead of the curve. Our latest webinar delves into the ever-changing landscape of online child exploitation and CSAM threats. By understanding how these criminals exploit mobile devices, ICAC units can be better prepared to identify and track them.

Mobile Forensics: A Game Changer

Mobile forensics has become an invaluable weapon in the fight against human trafficking and CSAM. Our webinar will showcase the capabilities of cutting-edge tools that can revolutionize ICAC investigations. Here are some key features of ADF’s software:

• Instant Mobile Preview: This allows investigators to extract crucial data from mobile devices right at the scene, eliminating the need to wait for lab analysis. This can be critical in time-sensitive situations where immediate action is crucial.
• Screenshots and Screen Recordings: These tools can capture and secure fleeting evidence, such as chats, social media interactions, or screen recordings. This can provide valuable insights into criminal activity and victim identification.
• Comprehensive Analysis: Investigators can deeply dive into the extracted data, uncovering a wealth of information, including photos, videos, call logs, text messages, app activity, and more. This comprehensive analysis allows investigators to build a stronger case and identify potential leads.
• Advanced Search & Filtering: Sifting through mountains of data can be a time-consuming process. These tools offer powerful search options that allow investigators to pinpoint the needed evidence quickly, streamlining the investigation process.
• Streamlined Reporting: Generating professional, court-admissible reports can be tedious. However, these tools enable investigators to easily create reports, saving valuable time that could be better spent rescuing victims and dismantling criminal operations.

Empowering ICAC Units

By attending this webinar, ICAC investigators will gain a vital edge in their fight against human trafficking and CSAM. The webinar will equip them with the latest mobile forensics techniques and provide them with the tools they need to make a real difference in protecting vulnerable children.

Join the Fight for Justice

This critical webinar is essential for any ICAC unit looking to stay at the forefront of the fight against online child exploitation. By employing the power of mobile forensics, ICAC units can dismantle criminal networks, rescue victims, and bring perpetrators to justice.

The post How Mobile Forensics Can Dismantle Human Trafficking and CSAM appeared first on ADF Solutions.

Before you begin:

• Ensure accessibility: You’ll need physical access to the Chromebook.
• Adjust Chromebook settings: Some changes are necessary before proceeding.

Requirements:

• Linux environment: Enable it in the Chromebook settings.
• Android Debug Bridge (ADB): Activate it. This change is permanent, turning on ADB makes it accessible to all Chromebook accounts. Disabling it triggers a factory reset (Powerwash).

Connecting to your Chromebook:

You have three options, with the direct connection being the recommended method:

• Direct connection (recommended): This utilizes a peer-to-peer Ethernet cable connection. A USB-to-Ethernet adapter might be required.
• Wired connection: Both the Chromebook and your Windows machine connect to a router using Ethernet cables.
• Wireless connection: Both devices connect to the same Wi-Fi network.

Recommended Method: Direct Connection (Step-by-Step):

1. 1. Connect the ChromeOS device and the computer running the ADF software via an ethernet cable.
   2. On the ChromeOS device, select the time at the bottom right.
   3. Select Settings.
   4.  Using the left-hand side menu, select “Network”.
   5.  Within the “Network” section, select the connected network.
   6.  Scroll down to expand the “Network” section.
   7.  Switch off “Configure IP address automatically”.
   8.  Assign a static IP address. The IP addresses must start with “169.254”, but the rest of the address (.x.x) can be anything between 0 – 255. For example, “169.254.1.1”.
   9. Assign the Subnet mask value to “255.255.0.0”.
   10. Ensure the Gateway values are left blank.
   11. The ChromeOS device will now be discovered automatically by the ADF software

Utilizing ADF Solutions:

• Acquire first, scan later: Go to “Acquire” to save a logical acquisition in the default location.
• Cast, Acquire, and scan together: Use the “Scan Screen” with a mobile profile for simultaneous casting, acquisition, and scanning.
• Screencast only: Navigate to the “Screencasting” menu, choose the Chromebook as the source, and proceed. You can further opt for acquisition or screen captures upon completion.

ADF is actively developing this feature and welcomes your feedback and suggestions.

By following these steps and leveraging the functionalities of ADF Solutions, you can effectively investigate Chromebooks and gather valuable evidence for your investigations.

The post Investigating Chromebooks to Speed Your Digital Investigations appeared first on ADF Solutions.