How to Triage from a USB Device: Boot and Live Scan Computers

February 10, 2026 · 5 min read

Introduction

In the fast-paced world of digital forensics, time is often the enemy. Investigators need tools that allow quick, reliable evidence collection without compromising integrity. That’s where ADF Solutions comes in. Their software empowers field examiners to triage computers using a simple USB device. This portable setup turns any compatible USB SSD drive into a powerful “Collection Key” for scanning suspect machines.

Whether you’re dealing with child exploitation cases, corporate investigations, or cyber threats, ADF Software streamlines the process by automating searches for critical artifacts like contraband, chat logs, browser history, and more. In this post, we’ll dive into the two primary scanning methods: live scan and boot scan. I’ll cover how to set them up, their steps, benefits, and when to choose one over the other. Let’s get started!

What is Digital Forensics Triage?

Before we jump into the scans, a quick primer: Triage in digital forensics is like emergency room sorting—it’s about rapidly identifying and prioritizing evidence on devices. ADF Software excels here by using predefined “Search Profiles” that target specific data, such as keywords, hashes for known illicit files (e.g., via VICS or CAID databases), or artifacts from apps like social media, P2P networks, and cryptocurrency wallets.

The magic happens via a USB Collection Key, which you prepare on your forensic workstation. This key is bootable and can include custom profiles for tailored scans. ADF supports Windows, macOS (including T2 and M1/M-series chips), Linux, and ChromeOS, and handles file systems such as NTFS, APFS, and EXT. It even decrypts encrypted volumes (e.g., BitLocker, FileVault) using the provided credentials.

When preparing the Collection Key, you can either load it with Search Profiles, which are your set of instructions for what will be captured and collected, or set it up to show only the individual captures, allowing you to customize on scene right before the scan.

Performing a Live Scan

A live scan is ideal when the target computer is already powered on and you can’t afford to shut it down. Think volatile data like running processes and RAM contents that could vanish on reboot, or BitLocker encryption for which you do not yet have the credentials. Using a live scan on a running Windows computer with Digital Evidence Investigator (DEI) or ADF PRO can collect RAM, recover BitLocker credentials, and also collect user credentials saved in browsers.

To conduct a live scan, the Collection Key is inserted, and a batch file is executed to open the ADF interface. The Collection Key can be prepared using Search Profiles that are preconfigured or customized for your investigation with specific keywords, hashes, and only the artifacts you want to collect. At this point, you will have access to the system drive and any attached device you would like to scan, such as physical drives, logical volumes, attached storage, or even network shares.

Once you commence the “Scan,” the process runs in parallel, collecting artifacts while displaying real-time progress, thumbnails, matches (hashes and keywords), and image classifications such as weapons, vehicles, pornography, and more. Once complete, results are stored on the Collection Key. You can view them immediately or transfer them to your workstation for deeper analysis.

Benefits:

  • Minimizes Data Loss: Captures live system data, including RAM dumps for volatile memory analysis.

  • Speed: No reboot needed, making it perfect for time-sensitive field ops.

  • Versatility: Works on locked or encrypted systems with credentials; supports remote agents for macOS.

  • Non-Intrusive: Leaves minimal traces; Windows logs some artifacts from USB insertion and program execution. Once the program is running, no dates, times, metadata, or files are changed.

However, live scans might not access everything if the OS restricts certain areas, and they’re not as “forensically sound” as boot scans, since the system is active.

Performing a Boot Scan

For a more controlled environment, opt for a boot scan. This method boots the target computer directly from the USB, ensuring no modifications to the internal drives.

Getting started with the boot scan is simple. Insert the Collection Key and, upon powering up, press the one-time boot menu key (available on most modern computers). The Collection Key is built on Windows, so it is trusted; therefore, no Secure Boot configuration is necessary. Next, select the Collection Key and it will boot to ADF. From here, you have access to the system drive, attached devices, and Search Profiles that are preconfigured or customized for your investigation with specific keywords, hashes, and only the artifacts you want to collect. The rest of the process is the same as a live scan.

Benefits:

  • Forensically Sound: Read-only access prevents any changes to the target media.

  • Comprehensive Access: Bypasses OS restrictions to scan internal storage, recover deleted files, and decrypt volumes.

  • Portability: Great for powered-off devices or for imaging the entire drive post-scan.

  • Efficiency: Supports multiple OS types, including UEFI Secure Boot and Macs, with parallel artifact collection.

Live Scan vs. Boot Scan: When to Choose What

Use Live Scan for active systems where shutting down risks data loss. Use Boot Scan for thorough, tamper-proof analysis on seized devices (e.g., in lab settings or when full drive access is crucial for CSAM investigations). In both cases, you can follow up with imaging.

Hybrid approaches work too—start with a live scan for quick intel, then boot for deeper dives.

Conclusion

ADF Software on a USB device revolutionizes computer triage by making it accessible, fast, and reliable for non-technical users. Whether opting for the convenience of a live scan or the rigor of a boot scan, you’ll collect actionable evidence like prohibited files, user activity, and hidden artifacts in minutes. If you’re in law enforcement, HR, or cybersecurity, tools like Digital Evidence Investigator can transform your workflow to triage from a USB device.

Request a demo today at www.adfsolutions.com
