AD Triage is an easy-to-use, forensically sound triage tool for the on-scene preview and acquisition of computers that are live or have been shut down. Built on FTK technology, AD Triage is ideal for users who are inexperienced with computer forensics software but need to preserve evidence in the field. Now, forensic examiners and non-forensic personnel alike can acquire volatile data and all or targeted hard drive data from a system in just minutes. It’s a great option for corporate and government teams who often need to acquire data from live or dead boxes for internal investigations, FOIA or even subpoenas. Law enforcement officers can preserve evidence securely without having to wait hours for a forensics expert to arrive on scene. Finally, attorneys, paralegals and litigation support personnel can easily preserve ESI for the purposes of e-discovery when handling smaller legal matters.

Using AD Triage you can preview the file system and target data by criteria, including keyword(s), hash, regular expression, file size, date and time, extensions, file path and illicit images. In addition, users can collect network and system information, as well as live memory. It allows you to acquire the full disk, a volume, or peripheral devices, saving data to a USB device, an external hard drive or exporting the data to a designated location on the same network. You can preconfigure your AD Triage device to automatically acquire only the data you’ve selected, allowing inexperienced users to safely and effectively use the tool. Or experienced forensic examiners can use AD Triage in manual mode for true triage at the scene.


  • Built on proven FTK technology with seamless integration and consistent features.
  • Preview and acquire full disk, targeted data, or copy an external hard drive (AD1, E01, RAW, or SMART).
  • Acquire data from a live system with an active USB port.
  • Built-in explicit image detection and scoring.
  • Save multiple collection profiles to a single device.
  • Advanced automated collection allows you to target only pertinent data.
  • FIPS 140-2 compliance with support for encrypted USB devices, such as Kanguru® and IronKey® devices.
  • Expand, search and extract data from compound files and archives.
  • Manual mode allows you to search the file system prior to collection.
  • Pre-configured options for reporting on collected data.
  • Save acquired data to your configured USB drive or an external hard drive, or export data to a designated network location.



  • Chrome Browser History
  • Default Browsers
  • Firefox Browser History
  • Internet Explorer History
  • Internet Explorer Registry Keys
  • Typed URLs


  • Desktop Files
  • MS Office Recently Opened
  • Recent Files
  • Recently Accessed Media Player Files
  • Temporary Executables
  • Archive Expansion


  • ARP Table
  • DNS Cache
  • Domain Systems
  • Local Shares
  • Network Adaptors
  • Network Connections
  • Remote Shares
  • Routing Tables
  • IP Addresses


  • Acrobat History
  • Application Usage History
  • Installed Software
  • Manually Launched Applications
  • Microsoft Management Console
  • Program Files Software
  • Start-up Programs


  • Clipboard Data
  • Device Drivers
  • Memory Dump
  • Processes
  • Scheduled Tasks
  • Screenshot
  • Services
  • User Accounts
  • User Groups
  • Acquire Registry
  • System Information
  • Typed Paths
  • USB Devices


  • Owner Information
  • SAM Users

SC Magazine 5 star recommendation

Triage allowed us to effectively increase the headcount of our data collection staff without incurring consulting or hiring new staff. Now many of us can fill this role and do so with the confidence of complete chain of custody.

State Law Enforcement Investigator