Desktop Triage
An intelligent evidence collection tool for intrusion and case scene investigation,
preserving evidence and identifying potential sources

Desktop Triage

  • Supports Windows systems in a booted state to collect key digital evidence.
  • Quickly performs a thorough search of the hard drive to uncover any suspicious areas.
  • Automatically captures web pages and scrolling screenshots, preserving firsthand information.

Desktop Triage is a field evidence collection and trace analysis tool. It is designed to minimize the impact on the target system while quickly and thoroughly collecting critical digital evidence to an external device, and it generates file hashes so that the integrity of the collected data can later be demonstrated. On hard drives it searches for and copies deleted and important files. Particular attention is given to collecting both volatile and non-volatile evidence, from which a timeline is constructed to reconstruct potential criminal activity. Screenshots, OCR and a step-by-step recording of the examiner's actions are used to produce verifiable reports, so that the collection process itself cannot later be disputed.

Description
  • Supports a Chinese-language user interface.
  • Supports the collection of volatile digital evidence, including data that disappears after shutdown, such as:
    1. Processes
    2. Network Resources
    3. Network Connections
    4. Opened Files
    5. ARP Cache
  • Supports the collection of non-volatile digital evidence, including:
    1. System Services
    2. Detailed System Services
    3. Startup Programs
    4. Wireless Information
    5. Installed Software
    6. System Info
    7. USB Device Info
    8. Shortcuts
    9. User Profiles
    10. MUI Cache
    11. Prefetch
    12. Security Logs
    13. Application Logs
    14. System Logs
    15. Task Scheduler
    16. User Assist
    17. ShellBags
    18. Recent Files
    19. JumpList
    20. Windows Activity
    21. Network Usage
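The collection described above (volatile items first because they are lost at shutdown, then non-volatile items, with a hash manifest for integrity) can be illustrated with a plain PowerShell script. The following is an added example written for this page; it is not Desktop Triage's code and does not reflect how the product implements its collectors. It assumes the examiner runs it elevated from an external drive mounted as E: (a placeholder), so that output is written away from the evidence disk, and it assumes the NetTCPIP and SmbShare modules available on Windows 8 / Server 2012 and later. Artifacts that need binary parsing (Prefetch, ShellBags, UserAssist, JumpLists) are deliberately left out; only items readable through standard cmdlets are collected.

```powershell
# Added example, not Desktop Triage's own code.
# Live triage collection in order of volatility, with a SHA-256 manifest.
# Assumptions: E:\Triage is an external evidence drive (placeholder), the script
# runs elevated, and the case label is a placeholder supplied by the examiner.
param(
    [string]$Destination = 'E:\Triage',          # assumption: external drive
    [string]$CaseId      = 'CASE-PLACEHOLDER'    # placeholder case label
)

$ErrorActionPreference = 'Continue'
$stamp  = Get-Date -Format 'yyyyMMdd_HHmmss'
$outDir = Join-Path $Destination "$($env:COMPUTERNAME)_$stamp"
$log    = Join-Path $outDir 'collection.log'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Record who collected, from which host, at what UTC time and in which time zone,
# so every later timestamp in the CSV files can be normalised for the timeline.
[pscustomobject]@{
    CaseId   = $CaseId
    Host     = $env:COMPUTERNAME
    Examiner = $env:USERNAME
    StartUtc = (Get-Date).ToUniversalTime().ToString('o')
    TimeZone = (Get-TimeZone).Id
} | Export-Csv -NoTypeInformation -Path (Join-Path $outDir 'collection_context.csv')

# Ordered collectors: volatile evidence first, non-volatile afterwards.
# -IncludeUserName on Get-Process requires an elevated session.
$steps = [ordered]@{
    'processes'           = { Get-Process -IncludeUserName |
                              Select-Object Id, ProcessName, Path, UserName, StartTime, Company }
    'network_connections' = { Get-NetTCPConnection |
                              Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess }
    'network_shares'      = { Get-SmbShare | Select-Object Name, Path, Description }
    'arp_cache'           = { Get-NetNeighbor |
                              Select-Object IPAddress, LinkLayerAddress, State, InterfaceAlias }
    'services'            = { Get-CimInstance Win32_Service |
                              Select-Object Name, DisplayName, State, StartMode, PathName, StartName }
    'startup_programs'    = { Get-CimInstance Win32_StartupCommand |
                              Select-Object Name, Command, Location, User }
    'installed_software'  = { Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                                               'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' |
                              Where-Object DisplayName |
                              Select-Object DisplayName, DisplayVersion, Publisher, InstallDate }
    'usb_devices'         = { Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' | ForEach-Object {
                                  Get-ChildItem $_.PSPath | ForEach-Object {
                                      Get-ItemProperty $_.PSPath |
                                      Select-Object @{n='Device'; e={ $_.PSParentPath.Split('\')[-1] }},
                                                    @{n='Serial'; e={ $_.PSChildName }}, FriendlyName
                                  }
                              } }
}

# Run each collector, write its rows to CSV, and log success or failure with a
# timestamp so the collection log doubles as the step-by-step record.
foreach ($name in $steps.Keys) {
    $file = Join-Path $outDir "$name.csv"
    try {
        & $steps[$name] | Export-Csv -NoTypeInformation -Encoding UTF8 -Path $file
        "$(Get-Date -Format o) OK   $name" | Add-Content -Path $log
    } catch {
        "$(Get-Date -Format o) FAIL $name : $($_.Exception.Message)" | Add-Content -Path $log
    }
}

# Hash every collected file once collection is complete. The manifest is what a
# reviewer later re-computes to show the CSVs have not changed since acquisition.
Get-ChildItem -Path $outDir -File |
    Where-Object Name -ne 'manifest.sha256.csv' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash,
                  @{n='File';  e={ Split-Path $_.Path -Leaf }},
                  @{n='Bytes'; e={ (Get-Item $_.Path).Length }} |
    Export-Csv -NoTypeInformation -Path (Join-Path $outDir 'manifest.sha256.csv')

# Verification helper for the reviewer: recompute each hash and report mismatches.
function Test-TriageManifest {
    param([Parameter(Mandatory)][string]$Dir)
    Import-Csv (Join-Path $Dir 'manifest.sha256.csv') | ForEach-Object {
        $actual = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $Dir $_.File)).Hash
        [pscustomobject]@{ File = $_.File; Intact = ($actual -eq $_.Hash) }
    }
}
```

Running the script from the external drive keeps the collector's own footprint off the evidence disk, which is the same minimal-impact principle the product description states. `Test-TriageManifest -Dir E:\Triage\HOST_20240101_120000` (placeholder path) re-hashes the folder and flags any file whose current SHA-256 differs from the value recorded at collection time.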
  • Browser support:
    1. Firefox: Login credentials, browsing history, bookmarks, cache, and cookies
    2. Chrome: Login credentials, search history, download and browsing history, bookmarks, cache, and cookies
    3. Edge: Login credentials, browsing history, bookmarks, cache, and cookies
    4. Internet Explorer: Cache and browsing history
  • Collected host information feeds an overall timeline analysis: the events are displayed on a graphical timeline, and the time range can be filtered by dragging directly on it.
  • Can create logical images of critical data, packing key files from critical paths on the hard drive into a single image.
  • Supports exporting collected evidence results in CSV format.
  • Provides analysis capabilities for both physical and logical disk data.
  • After analysis, file information can be searched by keywords, file size, time, and other related data.
  • Includes functionality to recover deleted files and copy regular files.
  • Includes a Windows step-recording program to track and record operations.
  • Supports single screenshots, webpage captures, and other types of screenshots, with OCR capabilities for text recognition in captured images.
  • The software can be run directly without installation.