Preview & Triage
“Which computers should we look at first?”
A preview is exactly what the name suggests: a simple way to quickly look at a device and gain an understanding of what is present. The tools we use allow us to examine email, Internet history, photographs, documents and system data, such as who logged on last and at what time.
The beauty of a preview is that it provides those running the investigation with early information about the state of the devices they are interested in. Literally ten minutes after hooking up to a computer, the analyst can start giving you useful information about the state of the machine - and all in a forensically sound manner that ensures no changes are made to the device being examined.
Previews are perfect when more than one person is in the frame for a particular action and everyone is protesting their innocence. A preview allows you to triage the devices and focus the investigation on the correct machines.
Taken from the medical world, to 'triage' is simply to prioritise the devices in question. The preview described above provides the analyst with the information necessary to prioritise a particular device for further scrutiny, or to rule it out completely. This valuable technique reduces the cost of an investigation as irrelevant devices are simply not examined to the same exacting level of detail as those at the heart of the enquiry.
The tools that we use vary depending upon the circumstances and the kind of device we are examining. What they have in common is the ability to clearly display files and folders in an easily recognisable format, to filter content based on type, date, owner or location, and to do all of this in a read-only mode so that absolutely nothing is altered.