LOTS of AD Triage Questions

 I have read through the "AccesData Triage Quick Start Guide", but did not find the answers to the below questions.  Can someone help with these?

Do collectors have to be USB devices?  Could one use any type of bootable (and writeable media)?  I'm thinking about the possibility of SD cards or even drives connected by firewire...

When licensing a new device, does it actually overwrite the previous contents, or should the device be sanitized in between cases/collection jobs?

What are the benefits and drawbacks of "re-partitioning" the device during the license process?  If one chooses to re- partition the device, does that mean that the collected data will remain on its own partition separate from the partition where the bootable/program files are? 

When creating a triage device (applying profiles), what is the "Agent Name" field used for?

Is there a repository where the actions and data sources of each time in each profile is explained? 

Is there a repository where users can create and exchange custom profiles? 

Are there additional instructions for working with hosts with encrypted hard drives, or a combination of TPM/drive encryption?

Can the collected data be exported to another external USB device like an external SSD or HDD?  Network options might be risky if an analyst needs to triage a suspected infected system...

After a licensed and configured AD Triage device is used to acquire data, should it be write protected until the collection(s) are saved? 

I'm sure I will  have more questions as I test AD triage.  Thank you for your assistance. 

1 comment

Post is closed for comments.