Data Triage
Posted by Jack H. Ward, Last modified by on 02 February 2018 09:26 AM

Electronic Evidence Examiner allows you to view email databases, chat databases, Internet browsers installed on the investigated computer. Also, you can view recently used files and My Document folders. Electronic Evidence Examiner auto-detects this data in the registry and displays it in the subnodes of the Data Triage node.

 Auto-detection is available only for the following types of evidence:

  • Physical drives and images of physical drives that have a system partition.
  • System logical drives and images of system logical drives.
  • Registry hives.

 The Data Triage node is placed under the partitions node if physical drive/physical drive image evidence is added and on the same level with the Root node if system disk/system disk image evidence is added.

Since Data Triage information is extracted from system registry, there can be email archives in the physical drive/physical drive image that are not associated with the registry and therefore will not be displayed in the Data Triage.

To view detected data:

1. Add the physical drive or system drive evidence to the case.

2. In the Case Content pane, expand the evidence tree.
3. Click the arrow icon near the Data Triage node. The following nodes are displayed:

  • Email Databases: Detected installed email databases.
  • Chat Databases: Detected installed chat databases.
  • Internet Browser Data: Detected installed Internet browsers (including Internet Browser data).
  • My Documents Folders: Detected My Documents folders (their number depends on the number of users on the investigated computer).
  • Recently Used Files: The list of most recently opened files.
  • Media Data: Detected SQLite databases that contain paths to user’s media collections
  • Windows Search & Communication: Folders with Cortana search suggestions, search results and voice commands, as well as Communications Apps data (data from the People and Mail and Calendar apps)
  • Cloud Storages: Detected files stored in OneDrive and Dropbox
  • Windows Apps and Packages: Folders with Windows applications and Windows packages installed on the user’s computer, as well as a folder with deleted Windows applications
  • File History: Information on the backup files saved to the File History folder and their location
  • Parsed Registry Data: Groups of registry keys including information about autorun programs, list of installed programs that can be uninstalled, list of Windows services, etc.

Each subnode (except the Parsed Registry Data node) has two numbers displayed in two columns:

  • In: The number of available items of the selected category. Available items are those that were not deleted or not located on the other logical/physical disk and that can be investigated with the help of Electronic Evidence Examiner.
  • Total: The total number of detected items of the selected category (including those deleted and located on the other logical/physical disk).

Items of the selected category that are available and can be examined with the help of Electronic Evidence Examiner are marked black; items that were deleted or moved are marked in red; items that are located on another logical/physical disk are marked in grey.

 Data Triage.png (19.07 KB)
(0 vote(s))
Not helpful

Comments (0)