The analysis consists of three simple steps: preparing the key, performing an automated scan and reviewing the obtained results. The review can be done on the suspect or a lab computer.
Preparing the key is simple. After a few quick steps, a forensic examiner can choose from quite a large set of available features - like file collection, USB device history or RAM dump. One can then decide where to look and for what to look. Options can be customized, and the process is clear. The second step is also pretty straightforward. Using the key and bootable CD is easy even for an inexperienced user. Of course, everything takes some time, but that is to be expected. The whole process is automated and does not require the user's vigilance while generating reports.
If someone has problems using this software, we recommend watching the video tutorials that are provided on the CD. They featured many detailed configuration instructions, all in a well-organized, easy-to-follow format.
Nevertheless, not all programs are as simple as the instructions portray. Viewing and analyzing generated reports take a lot of time. We had to wait a long time to obtain results on both the suspect and lab computers. This could be the Triage's largest disadvantage, because it is supposed to be fast. Furthermore, when it is working, the program appears to freeze. Due to this fact, one cannot see how long the report will run.
It is worthwhile to point out that after quite a while, we got very useful information, which was exported to HTML and was well organized and simple to read. All of our tags were clearly presented.
The price for this tool is quite high, but users get a license key that allows them to run many parallel scans at the same time.