Skip to main content

Overview

About FEX Triage™

FEX Triage is a portable computer forensics field-analysis tool. It enables investigators to make real-time decisions about seizure, forensic acquisition, and dealing with suspects.

FEX Triage has been designed for use by investigators with limited computer forensics training (basic mode) , as well as experience forensic examiners for field or lab use (advanced mode).

FEX Triage can be run on a live machine or by utilizing a forensic boot USB.

FEX Triage uses customize-able search profiles that can reduce any complex task to a single click.

Report profiles include:

  • Search for and report the presence of child abuse material
  • Export selected files to L01 or to Disk
  • Registry analysis (e.g. user information and usage information)
  • Internet browser and chat history
  • Windows Thumbnails
  • Locate and extract email messages and attachments
Purchase Download FEX Triage Field Kit

Quick Links

Key Features

Ease of Use

FEX Triage is easy to use and can be effective with minimal training. Advanced mode options also make it a valuable tool for experienced forensic practitioners.

Integrates with Forensic Explorer

A FEX Triage scan creates a Forensic Explorer case file. It preserves user actions in a forensic sound manner and enables forensic staff to immediately further examine triage results in directly in the Forensic Explorer GUI.

Portable

FEX Triage is portable and is designed specifically to run from a USB. It typically can be run in the following scenarios:

A Forensic Boot-Scan

Boot scan refers to starting a target computer using investigators boot media (i.e. the FEX Triage dongle). A boot-scan is a forensically sound process as it is the investigator media that is controlling the target system.

A Live Scan

Live scan refers to running FEX-Triage on a target live Microsoft Windows computer. In many cases this will be the most appropriate action due to concerns about powering down a running system which is crucial to a business, or may invoke encryption.

Can be effectively used to target file collection over a network file share (e.g. collect .docx files by name or content and export to L01 forensic image format).

A Forensic Desktop Scan

Can be run from the desktop of an investigators computer to scan hard drives or forensic image files.

Other Key Features

  • FEX Triage is provided with a rugged Wibu Codemeter USB3 CmStick_BMC-1011 with 16 GB storage. It contains the software license but also acts as a USB boot and data collection device.
  • Supports collection of data from Windows and MacOS (via USB boot) including iOS backups.
  • Detects BitLocker and FileVault2 protected drives.
  • View search results whilst the search is in progress.
  • Export data directly to disk or to a forensic .L01 file.
  • Creates CSV, PDF and RTF reports. View pictures and video key frames.
  • Search profiles are highly configurable and can be customized for an organization. Default profiles include:

Basic
Cameras by Make Model
Child Protection – Pictures and Video
Encrypted Files
Filename Search
Filename Search – Individual
Internet – Browsers
Internet – Chat
Internet – Mobile
ITunes Backup
Random Sample – Graphics
Random Sample – Video
Registry – Current

Intermediate
Windows – Thumbnails
Email – Attachments (EDB, Mbox, OST, PST)
Email – Find Messages
Email – Keyword Search (EDB, Mbox, OST, PST)
Export – Extensions (Checkbox)
Export – Windows System (Checkbox)
Filename Search (Exact)
Hash Match (Auto) – Graphics and Video
Keyword Search – MS Office
Operating System Artifacts
Random Sample – Graphics
Windows – Shortcuts (.lnk)

Advanced
Email – Find Messages (Regex)
Export – Custom Global Search
Filename Search (Regex)
Hash Match (Checkbox) – Graphics and Video
Hash Match (Hard-Coded) – Graphics and Video
List Files to CSV – Custom Global Search

Technical Features

Supported File Systems

Forensic Explorer supports analysis of:

  • Windows FAT12/16/32, exFAT, NTFS,
  • Macintosh HFS, HFS+, APFS
  • EXT 2/3/4

Encryption Support

Unlocks the following (password or recovery key required):

  • Bitlocker (Microsoft Windows)
  • FileVault 2 (MAC)

Supported Bit-Image Formats

FEX-Triage supports common image and forensic image formats including:

  • AD1, AFF, DD, DMG, BIN, RAW, E01, Ex01, L01, Lx01, VMD, VHD, VHDX.

Supported Email Formats

Supports analysis of PST, OST, EDB and MBOX mail formats.

Scripting Language

FEX Triage scripts are written in Delphi Pascal.

Wibu CodeMeter USB

Wibu CodeMeter 16 GB USB3 Data Sheet

Search Profiles

Search profiles are created in .TXML (XML) format. Profiles use TCommandTasks to initiate processing, which includes the ability to call and run scripts and filters. Common TCommandTasks are:

TCommandTask_CacheThumbNails Cache graphics in case.
TCommandTask_CacheVideoThumbNails Cache video in case.
TCommandTask_CreateHash Hash files.
TCommandTask_DataStore Sets the data store (e.g. Email).
TCommandTask_ExpandCompoundFiles Expands compound files.
TCommandTask_ExportEntryList Exports a list of files as CSV.
TCommandTask_ExportFiles Exports files to disk.
TCommandTask_ExportFilesL01 Exports files to L01.
TCommandTask_FileTypeAnalysis Signature analysis.
TCommandTask_Filter Runs a filter script.
TCommandTask_MatchHash Performs a hash match.
TCommandTask_Parallel Runs command tasks in parallel.
TCommandTask_ReportGenerator Creates a report in PDF, RTF, HTML.
TCommandTask_Script Runs a script.
TCommandTask_SearchforKnownFS Locates a file system (e.g. NTFS).
TCommandTask_SearchforKnownMBR Locates a Master Boot Record.
TCommandTask_SearchforLostFiles Carve for files.

Screen Shots

Start window where case information is added:

Select the device, folder or forensic image to be searched:

Select the destination where search results will be saved:

Select the search profile using available filter options if required:

Start the search. Completed reports can be viewed as they complete:

Purchase & Licensing FAQs

License Type

A FEX Triage license is a fixed term license and will expire at the term date (typically 1 year).

Wibu CodeMeter Activation Dongle (Wibu Dongle)

The software is activated by a license on a Wibu Dongle. A FEX Triage dongle has a storage capacity (16 or 32 GB) and can be used as a boot USB.

License Management

Wibu Dongle licenses are managed using the GetData License Manager software (download here). The License Manager is used to:

  • View license information.
  • Add a license to a Wibu Dongle.
  • Rename a dongle.
  • Apply firmware updates.

Learn more about license management here.

License Delivery

Wibu Dongles are shipped worldwide by FEDEX. Web tracking information is provided for each shipment. Courier delivery costs are included in the checkout process.