osTriage manual

osTriage
version 2
Eric R. Zimmerman

801-514-4064

Page 1 of 56
Last revised: 3/11/2014 3:23 PM

Revision history
10/22/2013 Rev. 1 – Initial release for beta 1

11/21/2013 Rev. 2 – Initial release for beta 2

12/19/2013 Rev. 3 – Initial release for beta 3

03/04/2014 Rev. 4 – Version 2.0 release

Contents
Requirements................................................................................................................................................ 7
How is osTriage version 2 different than version 1? .................................................................................... 8
osTriage overview ......................................................................................................................................... 9
What are some of the capabilities of osTriage? ....................................................................................... 9
What osTriage doesn’t do ....................................................................................................................... 10
Why should you use osTriage? ............................................................................................................... 10
Supported search targets........................................................................................................................ 11
Live response vs. ‘dead box’ searches .................................................................................................... 11
Some caveats .......................................................................................................................................... 12
Files and directories included in a new installation ................................................................................ 12
Configurations ..................................................................................................................................... 12
Plugins ................................................................................................................................................. 12
ReportFiles .......................................................................................................................................... 13
SearchResults ...................................................................................................................................... 13
osTriage workflow overview ....................................................................................................................... 13
Starting osTriage ..................................................................................................................................... 14
Locating plugins ...................................................................................................................................... 14
Selecting a configuration ........................................................................................................................ 14
Disabling the collection of live response data .................................................................................... 15
Initialize plugins ...................................................................................................................................... 15
Warning dialog displayed........................................................................................................................ 16
Live response plugins .............................................................................................................................. 16
Main interface displayed ........................................................................................................................ 17
New search started ................................................................................................................................. 18
File system search plugins ...................................................................................................................... 18
User requests to exit osTriage ................................................................................................................ 18
Shutdown plugins ................................................................................................................................... 18
Interacting with tabs ................................................................................................................................... 19
Grid based plugins................................................................................................................................... 19
Sorting ................................................................................................................................................. 19
Grouping ............................................................................................................................................. 20
Filtering ............................................................................................................................................... 21
Changing column order....................................................................................................... 22
Choosing grid columns to display ....................................................................................................... 23
Splitting grids ...................................................................................................................................... 24
Grid layout persistence ....................................................................................................................... 24
Selecting rows ..................................................................................................................................... 25
Grid context menu .............................................................................................................................. 25
Text based plugins .................................................................................................................................. 29
Custom plugins........................................................................................................................................ 29
Main menu .................................................................................................................................................. 30
File ........................................................................................................................................................... 30
New search.......................................................................................................................................... 30
Cancel search ...................................................................................................................................... 30
Save live response data....................................................................................................................... 30
Exit....................................................................................................................................................... 30
Tools ........................................................................................................................................................ 30
Add log entry ....................................................................................................................................... 30
Take screenshot .................................................................................................................................. 30
Take screenshot (osTriage minimized) ............................................................................................... 31
Help ......................................................................................................................................................... 31
Quick help ........................................................................................................................................... 31
Detailed help ....................................................................................................................................... 31
About................................................................................................................................................... 31
Statistics tab ................................................................................................................................................ 31
Messages tab .............................................................................................................................................. 31
Status bar .................................................................................................................................................... 32
osTriage search philosophy......................................................................................................................... 32
Starting a new search.................................................................................................................................. 33
Case information ..................................................................................................................................... 33
Drives ...................................................................................................................................................... 34
osTriage options...................................................................................................................................... 34
Plugins ..................................................................................................................................................... 35
Plugin options persistence .................................................................................................................. 35
Saved configurations............................................................................................................................... 35
Selecting a configuration on startup ................................................................................... 36
The search begins ....................................................................................................................................... 38
The search concludes .................................................................................................................................. 39
Reviewing results ........................................................................................................................................ 39
Bookmarking ........................................................................................................................................... 39
Viewing files ............................................................................................................................................ 40
Copying files ............................................................................................................................................ 40
Text file copy log ................................................................................................................................. 41
HTML file copy log............................................................................................................................... 41
Files of interest tab ................................................................................................................................. 41
osTriage reporting ....................................................................................................................................... 43
Common report features ........................................................................................................................ 43
HTML based ........................................................................................................................................ 43
Self-contained ..................................................................................................................................... 43
Easy to use .......................................................................................................................................... 43
Report folder layout ................................................................................................................................ 43
Copied files directory .......................................................................................................................... 44
Live response report ............................................................................................................................... 45
Search based report ................................................................................................................................ 45
Saving live response data without a search ............................................................................................ 45
Viewing reports ....................................................................................................................................... 45
Header................................................................................................................................................. 46
Content section ................................................................................................................................... 47
Navigation menu ................................................................................................................................. 48
Keyword hits and Hashes of interest .................................................................................................. 48
Extra information ................................................................................................................................ 49
Archiving reports..................................................................................................................................... 52
Customizing osTriage .................................................................................................................................. 53
Keywords................................................................................................................................................. 53
Hashes of interest ................................................................................................................................... 53
Using Hasher to generate Hashes of Interest files.............................................................................. 53
Plugin specific hashes of interest ............................................................................................................ 54
Removing DLLs to remove functionality ................................................................................................. 54
Creating plugins .......................................................................................................................... 55
Interfaces ................................................................................................................................................ 55
Example ................................................................................................................................................... 55
Appendix A – Developer information ......................................................................................................... 56
Appendix B – osTriage’s impact on a computer ......................................................................................... 56

Requirements
osTriage requires the Microsoft .NET Framework 4.0 client to be installed on the target computer. It
is available at http://www.microsoft.com/en-us/download/details.aspx?id=24872.

.NET 4 should be found on almost all computers that use Windows Update to manage
updates to Windows.

If the .NET 4 runtime is not installed on the target computer, you will see an error similar to the
one below when starting osTriage.

Should this error occur, osTriage will not work. Either the runtime will have to be installed (and the
fact that the runtime was installed documented), or another tool will have to be used.

How is osTriage version 2 different than version 1?


osTriage 2 differs from its predecessor on several levels. The biggest difference is that osTriage 2
is no longer a single, monolithic application with an all-or-nothing approach to live response
and searching.

osTriage 1 allowed for little customization when collecting live response data or
searching a computer. This was inefficient: information was collected whether or not an investigator
needed it. osTriage 2 solves this problem in two primary ways.

First, osTriage 2 allows investigators to create configurations that enable only certain
functionality. osTriage 1 was initially designed to investigate crimes against children cases and as such,
most of the functionality revolved around these kinds of cases. osTriage 2 far exceeds the capabilities of
version 1 for child exploitation cases and includes functionality that can be used for any type of
investigation involving a computer. Configurations can be created for different types of investigations
such as child exploitation, computer hacking, and so on. It also allows for differing levels of triage to be
done depending on need, how much time is available, etc.

Second, osTriage 2 uses a plugin architecture instead of a single executable. Plugins are
dynamic link library (DLL) files that each serve a single purpose, such as displaying browser history, finding
pictures, displaying information from the Windows registry, etc. In addition to the over 40 plugins
shipped with osTriage v2, anyone with a small amount of programming knowledge can write a plugin.
This allows anyone to extend the capabilities of osTriage 2 beyond what is included by default.
Ideally, these plugins can then be shared with other users and possibly be included in the main
distribution. A subsequent section will fully explain how to write plugins.

osTriage 1 reporting consisted of a collection of several kinds of files including Excel
spreadsheets and text files. Because of this, investigators had to manually review and collate various
individual reports. Version 2 uses HTML files for its reporting and presents a single, cohesive interface
for reviewing the results of a search, keyword hits, hashes of interest, file copy history, and so on. This
allows investigators and other interested parties to quickly and easily view triage reports with nothing
more than a web browser.

Finally, osTriage 2 has significantly improved in speed, interface consistency, and user
interaction with data (including bookmarking items of interest). What used to take minutes in osTriage 1
now takes seconds in osTriage 2.

Unless specifically stated otherwise, any reference to osTriage refers to version 2 of osTriage in
the remainder of the manual.

osTriage overview

What are some of the capabilities of osTriage?


osTriage uses plugins to provide functionality. The following list is a brief overview of the kinds
of data plugins provide:

• Displays comprehensive details about a computer including user accounts, physical and logical hard drives, mapped network drives, NIC information, running processes, open ports, installed applications, etc.
• Displays USB devices that have been inserted into the computer including make, model, and serial number
• Displays browser history for Internet Explorer®, Firefox®, Safari®, and Chrome®.
• Displays recent searches on Internet search engines such as Yahoo®, Google®, etc.
• Warns when encrypted containers are mounted to a drive letter (TrueCrypt, PGP, BestCrypt)
• Detects cloud storage such as DropBox® and Microsoft SkyDrive®
• Warns when certain applications are running on a computer (P2P apps such as LimeWire®, encryption apps like TrueCrypt®, etc.)
• Locates encryption, P2P, instant messaging, utility, and virtual machine applications and other related files
• Decodes .lnk files, showing various dates and times, target file, source drive, etc.
• Locates GUIDs and related identifiers for eMule, Ares, Gigatribe, Shareaza and various Gnutella clients
• Displays the contents of the clipboard (text, images, file names, etc.). If one or more images have been copied to the clipboard, thumbnails of those images will be displayed.
• Extracts saved passwords for Internet Explorer®, Firefox®, email clients, instant messaging clients, Chrome®, Gigatribe, etc.
• Extracts chat messages from programs such as Gigatribe and Skype®.
• Extracts a list of all recently opened files, by extension. Any filenames containing keywords are highlighted in yellow.
• Extracts a list of recently accessed programs and the files those programs opened or saved.
• Searches one or more directories (network, mounted container, logical, UNC path), finds images/videos and displays thumbnails for fast image and video triage of computers during on-site consent searches, execution of a search warrant, forensic review, etc. osTriage also supports viewing EXIF data if present.
• Compares images and videos against hundreds of thousands of hashes. osTriage supports MD5, SHA1 (base16 and base32), and InfoHash (used by BitTorrent)
• Checks file names, browser history, etc. against a list of 300+ keywords
• Has a built-in image viewer to preview full size images
• Verbosely logs all activity
• Writes nothing to the computer being scanned (short of an entry in the registry for the USB device osTriage is run from)
• Allows for copying of files from a target computer to the drive osTriage is run from
• Allows for custom searches to be done, including wildcard support and the ability to copy the matching files, hash matching, etc.
• Looks inside zip, rar and 7z archives for filenames containing keywords
• Generates a complete file listing of every file seen by osTriage on a search including path, MAC dates, etc., with optional file signature verification.
• Optionally captures RAM using winpmem on startup
• Displays a list of all known networks including LAN and wireless connections, with network name or SSID, initial connection date, last connection date, etc.
• Decodes prefetch files and displays information about program execution including first executed, last executed, and the number of times a given program was executed.
• Displays ARP cache records and resolves the manufacturer from the MAC address of the NIC to aid in identifying other devices communicating on a network.

In short, osTriage can do just about anything on a computer that is of interest to an investigator.
Where needed functionality is not included out of the box, a plugin can easily be written in little time
and everything else “just works” from reporting to displaying and interacting with data.
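The hash-matching bullet above lists three forms osTriage accepts: MD5, SHA1 as base16 (hex) and as base32, and BitTorrent InfoHash. The following is an added example, not osTriage's own code, showing how one hashes-of-interest list can serve all three: base32 SHA1 entries are decoded back to hex, and an InfoHash is computed as the SHA1 of a torrent's bencoded `info` dictionary (a minimal bencoder is included; the sample file and torrent dictionary are constructed).

```python
import base64
import hashlib
import re

# Added example (not osTriage code): the three hash forms the manual says osTriage
# matches against: MD5, SHA1 as base16 (hex) and base32, and BitTorrent InfoHash.


def bencode(value) -> bytes:
    """Minimal bencoder: ints, bytes/str, lists and dicts (keys sorted, as BEP 3 requires)."""
    if isinstance(value, bool):
        raise TypeError("bool is not a bencode type")
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, str):
        value = value.encode("utf-8")
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        items = sorted((k.encode("utf-8") if isinstance(k, str) else k, v)
                       for k, v in value.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def infohash(info: dict) -> str:
    """InfoHash = SHA1 of the bencoded 'info' dictionary of a .torrent, as hex."""
    return hashlib.sha1(bencode(info)).hexdigest()


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA1 (base16 and base32) of a file's contents."""
    sha1 = hashlib.sha1(data).digest()
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1_base16": sha1.hex(),
        # SHA1 is 20 bytes, so base32 is exactly 32 characters with no '=' padding
        "sha1_base32": base64.b32encode(sha1).decode("ascii"),
    }


def load_hash_set(text: str) -> set:
    """Normalise a hashes-of-interest list to a set of uppercase hex digests.

    One value per line; '#' starts a comment.  MD5 (32 hex) and SHA1/InfoHash
    (40 hex) are kept as-is; SHA1 base32 (32 chars from A-Z2-7) is decoded back
    to hex so a single set answers every lookup.  A 32-character token that is
    valid hex is treated as MD5, not as base32.
    """
    hashes = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip().upper()
        if not token:
            continue
        if re.fullmatch(r"[0-9A-F]{32}|[0-9A-F]{40}", token):
            hashes.add(token)
        elif re.fullmatch(r"[A-Z2-7]{32}", token):
            hashes.add(base64.b32decode(token).hex().upper())
        else:
            raise ValueError(f"unrecognised hash format: {token}")
    return hashes


def match_file(data: bytes, hash_set: set) -> list:
    """Which hash forms of this file appear in the set (empty list = no hit)."""
    digests = file_hashes(data)
    return [kind for kind in ("md5", "sha1_base16")
            if digests[kind].upper() in hash_set]


def match_torrent(info: dict, hash_set: set) -> bool:
    """True when the torrent's InfoHash is in the set."""
    return infohash(info).upper() in hash_set


if __name__ == "__main__":
    # Constructed sample inputs, not real indicators.
    sample_file = b"constructed sample file contents\n"
    sample_info = {"name": "sample.bin", "length": len(sample_file),
                   "piece length": 16384, "pieces": hashlib.sha1(sample_file).digest()}
    hash_list = "\n".join([
        "# constructed hashes of interest",
        file_hashes(sample_file)["sha1_base32"],   # base32 form of the sample's SHA1
        infohash(sample_info),                      # torrent InfoHash
    ])
    hs = load_hash_set(hash_list)
    print("file hits:", match_file(sample_file, hs))      # ['sha1_base16']
    print("torrent hit:", match_torrent(sample_info, hs))  # True
```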

Each plugin contains both a synopsis of what the plugin does as well as detailed help. A full set of
plugin documentation can be generated via the Help menu in osTriage. For this reason, this manual does
not detail each and every plugin. Rather, the focus of this manual is how osTriage works with
plugins and how an end user can interact with osTriage.

What osTriage doesn’t do


• It cannot find things that aren’t there. For example, if a user is clearing browser history, osTriage cannot display it.
• It does not carve for deleted files (but a plugin could be written to do this!).
• In general, it does not look at file headers to identify files.
• It does not waste your time.

Why should you use osTriage?


• Perhaps the biggest reason to use osTriage, aside from capturing evidence, is for a better initial interview. More often than not you will only get one shot at interviewing a subject. By using osTriage, you will be equipped with key details regarding a computer, the network it is connected to, files and programs recently opened, etc., all of which will help the interview process.
• Windows 7 Professional and Ultimate editions come with built-in virtualization software, which means a user may have one or more additional computers in addition to the physical one you see. VirtualBox® is a free virtual machine program that allows dozens of guest operating systems to be hosted on a computer.
• Windows Vista® and newer come with Bitlocker®, which enables users to use strong encryption to protect their files. When a machine boots up, the files are protected. If the user unlocks the files, they appear as expected. If files are unlocked and a machine is powered down, the files will be encrypted and you may lose access to them unless the subject tells you what his encryption keys are.
• There are a multitude of free and low cost encryption programs out there that are increasingly easy to use. You can pretty much guarantee a savvy computer user will have some form of encryption on their computers!
• It is easy to use and easy to customize.
• It is multithreaded and allows you to review things as they are found.
• It will gather volatile data from a computer before it is shut down.
• osTriage is very fast and designed to deliver relevant information while eliminating noise.
• There is nothing else available that does everything osTriage does.

Supported search targets


osTriage is capable of searching any directory accessible by Windows on the computer osTriage
is running on. This includes RAID arrays, external hard drives, USB thumb drives, network drives, floppies,
CDROMs, DVDs, Blu-ray® discs, UNC paths, logical volumes, individual directories, etc.

In some instances network mapped drives do not appear in the list of available search targets.
This is due to Windows not presenting these drives as available programmatically. You can, however,
manually add drive letters or UNC paths to search.

In short, if a device has a drive letter or is otherwise accessible in Windows, osTriage can
search it.

Live response vs. ‘dead box’ searches


osTriage works exactly the same way regardless of whether it is used on a subject’s running computer (live
response) or on the subject’s hard drive connected to another computer via a write blocker, etc. (dead
box).

The difference between these two scenarios is in where the live response data comes from. If
osTriage is executed on a subject’s machine, it will gather and display live response information from
that computer. If osTriage is executed on a law enforcement controlled computer with a subject drive
connected to it, the live response data gathered is from the law enforcement controlled computer.

All of the searching capabilities of osTriage will work exactly the same in either of these
scenarios, but the live response data from the subject’s machine ceases to exist as soon as the subject’s
computer is turned off.

When performing a dead box search, the collection of live response data should be disabled to
avoid collecting the live response data of the computer osTriage is executed on.

One of the goals of osTriage is to display as much data on a search of a dead box as is found
during live response. Of course there are certain things that will never be possible to find on a dead box
search, such as active network connections or running processes.

Some caveats
osTriage must be executed from writable media. This is because osTriage must have some place
to save reports, work with temporary files, etc. osTriage will detect and refuse to run if executed from
non-writable media such as a CDROM.

osTriage will not allow searching of the drive letter osTriage is executed from (so do not extract
to the Desktop and try to search the C:\ Drive). The reason for this is because osTriage stores logs,
images, videos, and temporary files on the same drive osTriage is executed from. This protects both the
investigator and the person whose computer you are searching from misattributing files that exist on the
device osTriage was executed from.

osTriage can be executed from any type of writable device (a standard hard drive, thumb drive,
etc.). When using osTriage in the field, it should be run from the fastest external device
available. IronKey thumb drives are extremely fast and offer hardware based encryption, but are more
expensive than other models.

osTriage requires very little disk space to operate, but 4GB is the minimum recommended size
and NTFS is the preferred file system. The size of the file system osTriage is executed from determines
how much data can be copied from a suspect machine.
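The two startup rules in this section (refuse to run from non-writable media, refuse to search the volume osTriage runs from) are easy to get wrong for UNC paths and for the "extracted to the Desktop, searching C:\" case. The following is an added example, not osTriage's own code, that models both checks; the executable and target paths are constructed, and `ntpath` is used so the drive-letter and UNC-share logic behaves the same on any platform.

```python
import ntpath
import tempfile

# Added example (not osTriage code) of the two startup rules described in the manual:
# refuse non-writable media, and refuse to search the volume osTriage runs from.


def volume_root(path: str) -> str:
    """Drive letter ('E:') or UNC share ('\\\\server\\share') that a Windows path lives on.

    ntpath is used explicitly so the rule can be exercised on any platform.
    """
    drive, _ = ntpath.splitdrive(ntpath.normpath(path))
    if not drive:
        raise ValueError(f"no drive letter or UNC share in {path!r}")
    return drive.upper()


def search_target_allowed(exe_path: str, target: str) -> bool:
    """True unless the target sits on the same volume the executable runs from.

    Comparing volume roots (not path prefixes) is what catches 'extract to the
    Desktop, then search C:\\': both resolve to 'C:'.
    """
    return volume_root(exe_path) != volume_root(target)


def media_is_writable(directory: str) -> bool:
    """Probe writability the only reliable way: actually create and delete a file."""
    try:
        with tempfile.NamedTemporaryFile(dir=directory):
            pass
        return True
    except OSError:  # read-only media, missing directory, permission denied
        return False


def startup_problems(exe_path: str, target: str) -> list:
    """Every reason an osTriage-style startup should stop; an empty list means go."""
    problems = []
    if not media_is_writable(ntpath.dirname(exe_path)):
        problems.append("executable is on non-writable media")
    if not search_target_allowed(exe_path, target):
        problems.append("search target is on the volume osTriage runs from")
    return problems


if __name__ == "__main__":
    # Constructed paths for illustration only.
    desktop_exe = r"C:\Users\examiner\Desktop\osTriage2.exe"
    usb_exe = r"E:\osTriage\osTriage2.exe"
    print(search_target_allowed(desktop_exe, "C:\\"))                      # False
    print(search_target_allowed(usb_exe, "C:\\"))                          # True
    print(search_target_allowed(usb_exe, r"\\evidence-srv\share\case01"))  # True
    print(search_target_allowed(usb_exe, r"E:\somewhere"))                 # False
```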

Files and directories included in a new installation


In addition to the manual, osTriage is distributed as a single executable and several directories.

The following is a brief overview of what each of these directories does. Subsequent sections of
the manual will further explore these concepts.

Configurations
This directory contains any saved configurations. By default, no configurations are included.
Creating and working with configurations will be covered in more detail later.

Plugins
This directory contains DLLs, either as single files or directories containing files related to a given
plugin. In addition to the plugins themselves, there are several other text files containing hash values,
directories to skip, and keywords.

ReportFiles
This directory contains files used when generating reports such as an agency logo, agency name,
and a cascading style sheet (CSS) that can be edited to change the look and feel of the report from a
single location.

SearchResults
This directory contains individual reports based on each search performed.

osTriage workflow overview


Before diving into how to use osTriage, it is helpful to have an understanding of the general
workflow osTriage uses. As mentioned above, osTriage functionality is contained in plugins. osTriage
plugins operate at different stages of a search: Initialize, Live response, File system search, and
Shutdown. These will be explored in more detail below as the phases are discussed.

A high level summary of the phases of osTriage is listed below.

1. Start osTriage2.exe
2. osTriage locates plugins
3. User selects a configuration to load
4. Initialize plugins are run
5. Warning screen displayed with results of Initialize plugins
6. Warning screen closed by user
7. Live response plugins are started
8. Main interface displayed
9. New search started
10. Enabled File system search plugins are run
11. User requests to exit osTriage
12. Shutdown plugins are run

Starting osTriage
Starting osTriage is as simple as right clicking osTriage2.exe and selecting “Run as administrator”
from the context menu. It is important to always run osTriage as an administrator. While osTriage can
still gather a substantial amount of information when run as a non-administrator, osTriage will not have
access to the entire computer when run in non-administrator mode.

Locating plugins
When osTriage is started, it looks for files in the Plugins directory and subdirectories with file
names that match the pattern: osTriagePlugin.*.dll

Any files matching this file mask are then checked to make sure they are in fact osTriage plugins.
The results are recorded and displayed on the Messages tab in the osTriage interface.

Selecting a configuration
osTriage ships with one configuration, default, that includes executing all available plugins. If the
default configuration is the only one that exists it will not be displayed to the user. After launching
osTriage, a splash screen will be shown that lets a user select which configuration to load. osTriage will
select the default configuration automatically after waiting five seconds.

Disabling the collection of live response data


The collection of live response data (which includes both Initialize and Live response plugins) can
be disabled by checking “Do not collect live response data.” This is useful when running osTriage on a
non-subject computer against a write blocked hard drive or mounted forensic image.

More information about selecting a configuration will be explained after discussing how to
create configurations.

Initialize plugins
Initialize plugins are similar to regular live response plugins (covered below) in that they know
where to look for data they are interested in. The difference is that initialize plugins are run even before
standard live response plugins. The reason for this is that initialize plugins are used for such things as
encryption detection, running processes of interest, anti-virus detection, etc. By running these kinds of
plugins very early on, the results of these plugins can be reported on a warning screen to inform the
user of the presence of the items mentioned above.

Initialize plugins often look for the most critical kinds of information an investigator would be
interested in so the investigator can make an informed decision about the best way to proceed. For
example, if osTriage determined that drive letter T:\ was a mounted TrueCrypt container, an
investigator can at the very least search the T:\ drive for files of interest and ideally create a forensic
image of T:\ before shutting down the computer.

Warning dialog displayed


Initialize plugins report their results via a warning screen that contains three different types of
messages: critical, informational, and anti-virus related. An example of a critical message would be a
mounted TrueCrypt container or other encryption related information. An informational message may
include running processes of interest. Finally, the anti-virus section lists any detected anti-virus
software and whether it is necessary to manually pause or stop the anti-virus program before
continuing.

Note: It is best to always manually pause any running anti-virus software to avoid false positives
when osTriage is running. This should be done before clicking the OK button.

If there are no messages to display from Initialize plugins the warning screen will not be
displayed.

Live response plugins


Live response plugins are executed after dismissing the warning dialog and are responsible for
gathering such things as open network ports, browser history, USB device history, physical and logical
drives, etc. Live response plugins do not get their data as the result of any kind of systematic search of a
computer’s files. Rather, these kinds of plugins know where relevant data is located, look for the data,
and display it.

Main interface displayed


After live response data is gathered the main interface is displayed. osTriage uses tabs to display
information to the user. Only two tabs exist by default in osTriage: Statistics and Messages. All other
tabs are generated dynamically as plugins are executed.

The Statistics tab contains information about active plugins, search statistics such as the number
of directories and files found, search velocity, etc. The Statistics tab serves as a centralized place to see
the number of items processed by each plugin as well.

The Messages tab contains information that both osTriage and plugins have reported, such as
finding a plugin, starting a search, a search results summary, etc.

Plugins are often grouped into high level categories such as System information, Registry, and
Network information. Grouping related plugins makes finding similar information easier.

Plugin tabs contain the name of the plugin followed by the number of items found by that plugin
in parentheses. The number of items is updated as new items are found.

Plugins can optionally include an icon to the left of the plugin name on a tab. The presence of an
icon (or lack thereof) does not convey any additional information.

Plugins that contain live response data will have their names italicized.

Finally, only plugins that have found information are displayed. This prevents having to look
through empty tabs.

New search started


A new search is started via the File menu. Full details related to search options will be covered in
a subsequent section. If any live response data was found, a report is generated containing the live
response data at the initiation of a new search. If more than one search is conducted, a new report is
generated with the results of the previous search before starting a new one.

File system search plugins


File system search plugins are made aware of files they are interested in after osTriage starts
searching directories on a computer. Plugins of this variety maintain a list of the file extensions they are
interested in (*.jpg or *.doc for example). As osTriage searches a computer and files are found, any
plugins that are interested in these files are told about the files. The plugins then process the files
according to the plugin’s purpose and display them accordingly. As with live response based plugins,
only tabs for plugins that have processed items are displayed.

User requests to exit osTriage


Search results can be reviewed while a search is ongoing. An ongoing search must be canceled
via the File menu before exiting osTriage.

Shutdown plugins
Shutdown plugins run when osTriage is closed by the user. This allows for any cleanup or other
end of search activity to be performed before the program exits.

Interacting with tabs


Grid based plugins
The vast majority of plugins report their findings via grids. These grids typically contain a single
layer of data but certain plugins can contain data that is displayed in a Parent/child relationship.

To expand Parent/child rows, click the “plus” sign to the far right of the row.

Sorting
Grids can be sorted by clicking the column header. Columns can be sorted in ascending or
descending order. A triangle will appear to the left of the column name indicating the sort direction.

To sort by more than one column, click the first column to sort by, then hold the SHIFT key and
click on the subsequent column to sort by.

Grouping
Groups can be created for each unique value in a column by left clicking (and holding down the
left button) on a column header and dragging it to the “Drag a column header here to group by that
column” box.

A group will be created for each column header that is dropped. Clicking a group name sorts by
that column. By default the groups are not expanded. Clicking the “plus” sign to the far left of each
group expands the group to display the records in that group.

To ungroup simply drag and drop the column header from the grey box to the column header
area.

Filtering
Below each column name is a filter row. For most fields it will be a text box that will filter the
grid to only those rows that contain the value entered. Enter values in more than one column to filter by
multiple columns. Boolean columns use a check box for filtering.

To the left of each filter is a button that allows changing the kind of filtering being done. The
default is “contains” but a wide variety of options exists.

To the far right of each filter is a button that, when clicked, clears any filter for that column.

To remove ALL filters from the grid, click the button to the far left of the entire filter row.

When the filter has focus (i.e. hover the mouse over the filter or click in the filter box), a
dropdown button is displayed that contains each unique value contained in that column as well as
options to display blanks, non-blanks, custom, etc. Using a custom filter allows for much greater
granularity to be used as it allows for composing much more complicated filters.

Changing column order


To move a column, left click and hold on a column header, drag it to a new position, and let go
of the mouse button. Black arrows will point to the column’s new position.

Choosing grid columns to display


To the far left of the column headers is the Field Chooser button. Clicking this button allows for
hiding/showing fields in the grid. Once the Field Chooser is visible, check or uncheck the fields as
desired, then click the X in the upper right to close the Field Chooser.

Splitting grids
It is possible to make copies of a grid by dragging the small horizontal line above the scroll bar
downward. This allows for one or more copies of the data in the grid to be displayed simultaneously and
scrolled independently. Drag the bar back to the top to remove copies.

Grid layout persistence


Each grid will remember the fields displayed, their order, sorting, grouping, and so on. Each time
osTriage exits, the layouts for plugins are saved to the <osTriageRoot>\Plugins\__layouts directory. To
reset a grid to the default layout, simply delete the corresponding layout file in this directory.

Selecting rows
Clicking an individual row will make that row the active row. The active row has a black triangle
to the far left of the row.

Multiple rows can be selected by clicking and dragging down to select a range of rows, clicking a
row, then holding the SHIFT key and clicking the last row to select, or by holding the CTRL key and
clicking rows.

These techniques replace the concept of tagging in osTriage version 1.

Grid context menu


Most grids will have a context menu very similar to what is shown below. The hotkeys listed to
the right of each menu item act as a shortcut for that operation.

These options allow for bookmarking/unbookmarking of one or more rows in a grid. When
bookmarking with a comment, an additional dialog is displayed as shown below.

Certain plugins contain more items in their context menus. For plugins that know the full path
of a file, options to copy the selected files and view the active row are available.

Copy selected files


Most plugins that track the full path to a file allow for copying that file from the target machine
to a directory on the medium osTriage was executed from. osTriage allows for copying more than one
file at a time by highlighting all the rows to be copied before invoking this option.

A detailed log will be created that contains the source file name, destination file name, created,
modified, and accessed dates, SHA-1 hash value, etc.

osTriage is smart enough to know when a given filename already exists in the destination
directory. If osTriage detects such a situation, the destination name will be appended with an
incremental counter (0_, 1_, 2_, etc.) until a unique filename is generated. The destination filename will
reflect this new name.

The files copied from a target computer will be saved in a directory under the corresponding
search directory. This concept will be fully explained in a future section.
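The copy and collision behavior described above, as an added example that is not osTriage's own code: a Python sketch that copies a set of files into a “Files from …” directory under a report folder named with the SearchResults convention from the reporting section, never overwrites an existing name (prefixing 0_, 1_, 2_ and so on until the name is free; reading the counter as a prefix is an assumption, as are all function names), and records source, destination, created/modified/accessed times and SHA-1 for each file, re-hashing the destination so a bad copy is visible in the log.

```python
import hashlib
import os
import shutil
import tempfile
import uuid
from datetime import datetime, timezone

# Added example, not osTriage's own code: a collision-safe evidence copy that
# records the per-file details the manual says the copy log contains (source,
# destination, created/modified/accessed times, SHA-1). All names are this
# example's own.

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so large files never load whole


def sha1_of_file(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def unique_destination(dest_dir, filename):
    """First free name in dest_dir; on a clash prefix 0_, 1_, 2_, ... as the
    manual describes (treating the counter as a prefix is an assumption)."""
    candidate = os.path.join(dest_dir, filename)
    counter = 0
    while os.path.exists(candidate):
        candidate = os.path.join(dest_dir, f"{counter}_{filename}")
        counter += 1
    return candidate


def report_folder_name(subject, when=None):
    """<yyyyMMddHHmmss>_<name of subject>_<GUID>, the SearchResults convention."""
    when = when or datetime.now()
    return f"{when:%Y%m%d%H%M%S}_{subject}_{uuid.uuid4()}"


def _iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def copy_with_log(sources, dest_dir):
    """Copy every source into dest_dir, never overwriting, and return one log
    entry per file. The SHA-1 is taken on source and copy so an interrupted
    copy or a bad medium shows up as verified == False."""
    os.makedirs(dest_dir, exist_ok=True)
    entries = []
    for src in sources:
        st = os.stat(src)
        dst = unique_destination(dest_dir, os.path.basename(src))
        shutil.copy2(src, dst)  # copy2 also carries over the modified time
        src_hash = sha1_of_file(src)
        entries.append({
            "source": src,
            "destination": dst,
            "dest_name": os.path.basename(dst),
            # st_birthtime is the creation time where the OS exposes it
            "created": _iso(getattr(st, "st_birthtime", st.st_ctime)),
            "modified": _iso(st.st_mtime),
            "accessed": _iso(st.st_atime),
            "sha1": src_hash,
            "verified": sha1_of_file(dst) == src_hash,
        })
    return entries


def write_copy_log(entries, log_path):
    """Tab-separated text log written beside the copied files."""
    fields = ["source", "destination", "created", "modified", "accessed", "sha1", "verified"]
    with open(log_path, "w", encoding="utf-8") as f:
        f.write("\t".join(fields) + "\n")
        for e in entries:
            f.write("\t".join(str(e[k]) for k in fields) + "\n")
    return log_path


def demo():
    """Constructed scenario: three copies of files that all carry the name
    notes.txt land as notes.txt, 0_notes.txt and 1_notes.txt."""
    root = tempfile.mkdtemp(prefix="ostriage_demo_")
    try:
        sources = []
        for sub, body in (("a", b"alpha"), ("b", b"bravo")):
            d = os.path.join(root, sub)
            os.makedirs(d)
            p = os.path.join(d, "notes.txt")
            with open(p, "wb") as f:
                f.write(body)
            sources.append(p)
        report = os.path.join(root, "SearchResults", report_folder_name("demo-subject"))
        dest = os.path.join(report, "Files from demo-computer")
        entries = copy_with_log(sources, dest)
        entries += copy_with_log(sources[:1], dest)  # same name a third time
        write_copy_log(entries, os.path.join(dest, "CopyLog.txt"))
        return entries
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Hashing before and after the copy costs a second read of each file, but it is what turns the log from a list of what was requested into a record of what actually landed on the collection medium.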

View file
osTriage contains several viewers such as text, Excel, Word, Rich text, binary, PDF, etc. osTriage
will determine the most appropriate viewer to use when opening a file.

The text file viewer displays the contents of files similar to Notepad.

For files where no other viewer is available, a hex view will be displayed which shows the
contents of the file as they are stored on disk.

More than one file can be viewed at a time. Each file viewed will be opened in its own window.

Text based plugins


Text based plugins are far less capable than grid based plugins and are useful for simpler plugins.
Text based plugins still have the ability to bookmark snippets of text with or without a comment as well
as to remove comments. Copying files is not supported with text based plugins.

Custom plugins
For circumstances where a grid or text based plugin is not sufficient, osTriage allows for the
creation of custom plugins that can display data any way the author of the plugin decides. Custom
plugins are used when additional processing or more advanced data display techniques are needed.

In most cases custom plugins still choose to use some kind of grid interface to display data. The
pictures and videos plugins are examples of custom plugins. At a minimum most of the context menu
options that are available for a grid plugin are available for custom plugins (but again this is at the
discretion of the plugin author).

Main menu
File
The File menu provides a means to initiate searches or save live response data.

New search
Begins a new search. This will be explored in a future section.

Cancel search
Cancel the active search. When canceling a search, be patient while osTriage finishes processing
any files it is currently working on.

Save live response data


Generates a report for any live response data reported by plugins. Typically, live response data is
captured at the beginning of a new search, but if a circumstance arises where a search is not to be
conducted but a report on live response data is needed, this option can be used to do so.

Exit
Exits osTriage. This is the same as clicking the X in the upper right corner. osTriage will not exit
while it is busy gathering live response data or if a search is active.

Tools

Add log entry


This allows you to manually add information to the Messages tab. It can be used to document
something about the computer that isn’t otherwise recorded or for other information pertinent to a
search.

Take screenshot
Takes a screenshot of all monitors exactly as they appear, including the osTriage interface.

Take screenshot (osTriage minimized)


The same as the previous option, except osTriage minimizes itself before capturing screenshots.

An entry in the Messages tab is created when taking screenshots. Screenshots are saved in a
directory under the SearchResults folder. If there is more than one monitor connected to a computer,
several screenshots will be created, one for each monitor.

Help
The help menu provides version information as well as various levels of help about osTriage and
any discovered plugins.

Quick help
Displays the summary help for each plugin. Reviewing this serves as a way to get familiar with
the functionality provided by each plugin. You can optionally generate a PDF of this information as well.

Detailed help
Displays detailed help on the capabilities of each plugin, including what the plugin does, how it
gets its data, when it gets its data, etc. You can optionally generate a PDF of this information as well.

About
Provides the version number and contact information for the developer.

Statistics tab
The Statistics tab contains information about osTriage performance, which directories are being
processed by search threads, and a list of all active plugins along with the total number of items found
by each plugin, their options, etc.

After a search is started, the Statistics tab can be used to review the settings for the search.

Messages tab
The Messages tab serves as a centralized place for osTriage and plugins to report information.
This includes the source of the message, the severity level, a summary message, and a detailed message.
Clicking on a message in the list results in the detailed message being displayed at the bottom of the
window.

The Messages grid can be sorted, filtered, grouped, etc. like any other grid in osTriage.

Status bar
The status bar at the bottom of the main interface shows the active configuration, the refresh
interval, the number of keyword (in yellow) and hash hits (in red), general status information, and, when
a search is underway, the number of directories and files processed per second. The far right side shows
the amount of RAM being used by osTriage.

The Refresh interval determines how often the interface is updated with new information found
by plugins. Part of osTriage’s speed is related to buffering of updates in that updating the interface in
real time incurs a substantial performance penalty. By updating the interface at X second intervals, more
resources are dedicated to finding and processing files.

Hovering over the general status information portion of the status bar will display a tooltip with
further information.

osTriage search philosophy


osTriage was designed to present relevant data to investigators in the shortest amount of time
possible while eliminating as much noise as possible. By starting with a tight, narrow search focus and
expanding as needed, investigators can quickly get to the data that is relevant to their case as opposed
to finding “everything” and having to wade through 90% irrelevant data to find the needle in the
haystack.

If no items of interest are found using the default search options, another search can be
performed with slightly expanded search criteria. This can continue until literally every file is processed.

The default settings in osTriage have been selected to focus investigators in on relevant data. In
most cases it is not necessary to deviate from the default options.

Starting a new search


Click File | New search or press F4 to bring up the new search dialog.

Case information
The upper left contains basic case information. The information entered will be used in other
areas of the program as well as the reports. The fields with a red border are required. Once properly
filled out the red border disappears. The value entered for Investigator will be persisted across restarts.

Be as detailed as possible when filling out Computer description and include the make, model
and serial number of the computer being searched. It is also often helpful to include a room designation
or other indicator of where the computer was found if available.

Before starting a new search, the checkbox at the bottom of the Case information section must
be checked. This should be done after verifying that the date and time are accurate against a known
good time source such as a cell phone, watch, etc. The reason for this is to provide a valid point in time
which can later be used during a more in depth forensic review.

Note: On smaller resolution devices the buttons at the bottom may not be visible. Clicking the
minus sign to the left of the plugins group will collapse the plugins grid and allow for clicking the Search
or Cancel button.

Drives
Allows for selecting one or more drive letters, UNC paths, or individual directories. This allows
for flexibility in determining exactly what to search rather than an all or none approach.

NOTE: In some cases osTriage does not show all available drive letters. This primarily happens with
network mapped drives. If a drive letter is not visible in the list of drives it can always be added manually
via the Select Directory button.

osTriage options
The Limit search to files with the following option allows for filtering files by date and time
down to the second.

Ignore browser cache (Temporary Internet Files) Folders, when checked, tells osTriage to not
look at any files (primarily pictures) created by web browsers. In many cases the data in the browser
cache is irrelevant and therefore should not be searched by default.

Skip directories listed in ‘SkipDirs.txt’, when checked, tells osTriage to skip over any directories
listed in the SkipDirs.txt file which is located in the <osTriageRoot>\Plugins directory.

SkipDirs.txt contains a list of directories that osTriage should NOT look at when searching for
files. The reason for this is that, in most cases, user created data is not found in the directories listed in
SkipDirs.txt. By not looking at these folders by default, a search can be sped up by approximately 75%.

SkipDirs.txt contains documentation on how the file is to be formatted if additional directories
are added. Any line starting with a semicolon is ignored.

Plugins
This section contains a list of all plugins found by osTriage. By default, all plugins are enabled. If
a configuration was selected from the splash screen, only the plugins listed in the configuration will be
enabled. The active configuration is also reflected in the window title and in the status bar at the bottom
of the window.

The plugins grid can filter and group like any other grid.

The Plugin group allows for identifying similar plugins based on the kinds of information they
collect. Quick help is a brief overview of what the plugin will do.

For plugins with additional options, a button will be listed in the Options column. Clicking the
button brings up a plugin’s options.

Read-only options are greyed out. Editable options can be changed by clicking on them and
changing the value.

Plugin options persistence


osTriage will save plugin options to the <osTriageRoot>\Plugins\__options directory. Plugin
options are named using a pattern of <PluginName>_<PluginGUID>.pluginsettings.

osTriage also persists its settings to a file in the same directory. The settings for osTriage are
stored in a file named ‘osTriage.Settings.’

To reset any of the options, simply delete the appropriate settings file.

Saved configurations
By default, osTriage enables all plugins when starting. There are situations where this may not
be desirable. For example, if an investigator is only interested in network related artifacts such as ARP
cache, DNS cache, and open ports, it is inefficient to have to wait for all other plugins to execute. By
enabling only those plugins that are relevant and then creating a configuration with a name reflective of
the selected plugins or investigative need, osTriage can be tailored to any type of investigation.

The Saved configurations dropdown displays all saved configurations. The Config options menu
allows for loading, saving or deleting configurations. The A, N, and I buttons select All plugins, select No
plugins, or Invert the enabled status of the plugins.

To quickly create a configuration, click the N button to disable all plugins. Filter by plugin group
or plugin name and enable plugins as needed. When finished, click Config options | Save and a dialog
box will be displayed where the name of the configuration can be entered. There is also an option to
disable live response by default for a given configuration as well. If you enter the name of the
configuration in the Saved configurations dropdown, this name will be used by default.

To load an existing configuration, select it from the Saved configurations dropdown, then click
Config options | Load.

All saved configurations exist in the <osTriageRoot>\Configurations directory. Configurations are
named using a pattern of ‘<Name of config>.ostConfig.’

Configurations can be deleted by deleting the file from the Configurations directory or selecting
the configuration from the Saved configurations dialog, then clicking Config options | Delete.

Selecting a configuration on startup


Any user created configurations will be displayed on the osTriage splash screen on startup.

To load a configuration, double click a configuration or select a configuration and click the Load
button.

osTriage will then only execute the plugins as defined in the configuration. If a new search is
conducted, additional plugins can be enabled as required by the search, a different configuration can be
loaded, etc.

The search begins


After a search is started, osTriage starts working in the background to identify all directories
found underneath the directories selected to search. Worker threads are started that look at each
directory found, find files in those directories, and determine which plugins, if any, are interested in the
files found by a worker thread.

When a new search is started, osTriage determines all file masks active plugins are interested in.
As files are found, the files are compared to this list of file masks. If any are found, each plugin that is
interested in the file is told about the file. The plugin then processes the file and adds it to its internal list
of processed items.

When all directories have been searched and all files have been processed, the search is
complete.

Search results can be reviewed in real time while a search is ongoing. There is no need to wait
for a search to conclude to review results.
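As an added example that is not osTriage's own code, the Python below puts together the two mechanisms the manual has described: the SkipDirs.txt filter from the search options section (one directory per line, any line starting with a semicolon ignored) and the routing of each found file to every plugin whose file masks match it. The plugin table, the file list and the SkipDirs sample are constructed for the example; the real SkipDirs.txt documents its own format inside the file, so treating entries as paths relative to the drive root is this example's assumption, as are all function names.

```python
import fnmatch
import ntpath
from collections import defaultdict

# Added example, not osTriage's own code. The plugin table and the file list
# are constructed; the SkipDirs.txt sample follows only what the manual states
# (one entry per line, ';' starts a comment). Treating entries as paths
# relative to the drive root is this example's assumption.

SKIPDIRS_SAMPLE = """\
; Constructed sample. Directories osTriage should not search, one per line.
; Any line starting with a semicolon is ignored.
\\Windows\\
\\Program Files\\
\\Program Files (x86)\\
"""

# Constructed plugins and the file masks each one registers interest in
PLUGIN_MASKS = {
    "Pictures": ["*.jpg", "*.jpeg", "*.png"],
    "Documents": ["*.doc", "*.docx", "*.rtf"],
}

# Constructed list standing in for what the worker threads enumerate
SAMPLE_PATHS = [
    r"C:\Users\jdoe\Pictures\IMG_0001.JPG",
    r"C:\Users\jdoe\Documents\thesis.docx",
    r"C:\Windows\System32\logo.jpg",
    r"C:\Program Files (x86)\SomeApp\readme.doc",
    r"C:\Users\jdoe\Downloads\setup.exe",
    r"D:\archive\report.doc",
]


def _norm_dir(path):
    """Lowercase, drop the drive letter and force one trailing backslash so
    skip entries compare the same way whatever drive is being searched."""
    _drive, tail = ntpath.splitdrive(path)
    tail = tail.replace("/", "\\").lower()
    if not tail.startswith("\\"):
        tail = "\\" + tail
    if not tail.endswith("\\"):
        tail += "\\"
    return tail


def parse_skipdirs(text):
    skip = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        skip.append(_norm_dir(line))
    return skip


def is_skipped(directory, skip_dirs):
    """True when the directory is, or lies under, a skipped directory."""
    d = _norm_dir(directory)
    return any(d.startswith(s) for s in skip_dirs)


def interested_plugins(filename, plugins):
    """Plugins whose masks match the file name (case-insensitive, as on NTFS)."""
    name = filename.lower()
    return [p for p, masks in plugins.items()
            if any(fnmatch.fnmatchcase(name, m.lower()) for m in masks)]


def dispatch(paths, skip_dirs, plugins):
    """Route each enumerated file to every interested plugin. Returns the
    per-plugin work lists and how many files fell inside skipped directories."""
    work = defaultdict(list)
    skipped = 0
    for path in paths:
        directory, name = ntpath.split(path)
        if is_skipped(directory, skip_dirs):
            skipped += 1
            continue
        for plugin in interested_plugins(name, plugins):
            work[plugin].append(path)
    return dict(work), skipped


if __name__ == "__main__":
    work, skipped = dispatch(SAMPLE_PATHS, parse_skipdirs(SKIPDIRS_SAMPLE), PLUGIN_MASKS)
    print(f"skipped {skipped} file(s) inside SkipDirs directories")
    for plugin, files in work.items():
        print(plugin, files)
```

Using ntpath rather than os.path keeps the Windows path handling correct even when the sketch is run on another platform against a mounted image, and normalizing away the drive letter is what lets one SkipDirs list apply to C:\, D:\ or a UNC path alike.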

The search concludes


When a search finishes or is canceled, a message indicating the results of the search will be
displayed. The summary lists the number of items found by each plugin as well as files per second, how
long the search took, etc.

The above summary came from searching a hard drive with over 37,500 directories and 227,289
files across 39.6 GB of data.

Reviewing results
Search results can be viewed while a search is ongoing and after a search completes.

Bookmarking
To bookmark a file, select one or more rows, then right click and choose one of the bookmark
options. Shortcut keys are also available for both options. To remove a bookmark, select one or more
rows and choose the appropriate option.

If more than one row is selected, the bookmark or remove bookmark operation is performed on
all selected rows.

A checkbox will indicate when a row is bookmarked as shown below. If a comment was entered
it will also be shown.

Viewing files
To view a file, double click on a row. osTriage will open the file in the most appropriate viewer.
In the case where osTriage does not have a default viewer, a binary or hex view of the file will be shown.

osTriage currently supports viewing archive files (7z, zip, rar), images, PDF files, spreadsheets
(csv, xlsx, xls, xlsm), Word and similar documents (doc, docx, rtf, odt), HTML, and text (txt, log, asc, xml,
c) files.

Most plugins also have a view option in the context menu and a corresponding shortcut key.

Copying files
To copy files, select one or more files, then right click and choose Copy selected files. A shortcut
key is also available for copying files.

Once the files are copied, a message will be displayed with the copy results as shown below.

All file copy operations are logged in two places: in a text file in the same directory where the
files were copied to and to an HTML based report that is included in the search results (more details on
this log will be shown in the reporting section of the manual).

Text file copy log

HTML file copy log

Files of interest tab


When plugins choose to use the global keyword and hash list, any file with a hash of interest
and/or containing one or more keywords will be added to the Files of interest tab. An example is shown
below.

Information about files is displayed along with whether or not the files have been copied from
their location. This tab can be used to copy all files of interest at any time. If files are copied from the
plugins that found them, the ‘Copied’ column will reflect this.

osTriage reporting
Common report features
Like osTriage version 1, osTriage saves each search in a unique directory. These directories are
all created in the <osTriageRoot>\SearchResults directory. The naming convention used when creating
directories is <yyyyMMddHHmmss>_<name of subject>_<GUID>, where yyyyMMddHHmmss reflects the
date and time of the search, name of subject is the value entered in the new search dialog, and GUID is a
unique value that guarantees search results can never be commingled.

Creating directories in this fashion allows for conducting multiple searches of different machines
without needing many different copies of osTriage on different devices. A directory found in the
SearchResults folder is referred to below as a report folder. An example is shown below.

SA Devon Ackerman created the default report styling. The default style can be changed by
editing/changing the files found in <osTriageRoot>\ReportFiles. The contents of agency.txt is displayed
at the top of osTriage reports. Logo.png is also displayed at the top of reports. Editing report.css allows
for customization of colors, fonts, borders, etc. across the entire report.

HTML based
Reporting in osTriage is HTML based. This allows for easy viewing of osTriage findings with
nothing more than a web browser including video thumbnails, EXIF data, etc.

Self-contained
No additional software is required to view a report other than a web browser.

Easy to use
Search results are both easy to understand and navigate. This makes it easy for non-technical
people to review reports.

Report folder layout


Directly below a report folder will be several other directories. These directories correspond to
live response data, search data, and optionally, copied files.


The live response data and search report directory will contain a main index.html file as well as
several other directories. Double clicking on index.html will open the report in the default browser.

A directory is created for each plugin category, and each plugin’s data is written underneath its
category directory. The _meta directory contains support files such as the agency logo, file copy log,
hashes of interest, etc.

As mentioned above, the appearance of the reports can be adjusted by editing report.css in the
_meta folder. To make these changes permanent, edit report.css in the <osTriageRoot>\ReportFiles
directory.

Copied files directory


If any files were copied from a target device, a directory will be created in the main report
directory named ‘Files from <computer description>’, where <computer description> is the value
entered in the new search dialog. In the example above, the directory is named Files from Dell
Dimension.

A text based log file is created with details for each file copied. It includes the total number of
files copied for each copy operation, the time taken to copy the files, and details on each file copied such as
source file name, destination file name, source hash, file size, and created, modified, and accessed
(MAC) dates. The MAC dates of the original files are preserved when files are copied as well.

The information present in the text based log will be duplicated in the primary HTML based
report. The HTML based log allows for clicking on copied files to open them.
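As an added example, not osTriage’s own code, the Python function below performs one logged copy of the kind described above: it hashes the source, copies it with shutil.copy2 so the modified and accessed times are preserved, verifies the destination hash before trusting the copy, and appends a record with source, destination, hash, size and MAC dates to a text log. The log file name, the record layout and the choice of SHA1 (one of the algorithms osTriage supports) are assumptions; only Windows reports a true creation time.

```python
import hashlib
import os
import shutil
from datetime import datetime, timezone


def sha1_of(path):
    """SHA1 of a file, read in 1 MiB chunks so large evidence files do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _ts(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc).isoformat()


def copy_with_log(src, dest_dir, log_path):
    """Copy src into dest_dir, preserve modified/accessed times, verify the copy and append a log record.

    Returns the record as a dict. Raises if the copy's hash differs from the source hash, which is
    the check an examiner wants before relying on the copied file.
    """
    st = os.stat(src)                      # stat before copying so the logged dates are the originals
    src_hash = sha1_of(src)
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, os.path.basename(src))
    shutil.copy2(src, dest)                # copy2 carries atime/mtime across; creation time is OS-specific
    if sha1_of(dest) != src_hash:
        raise IOError("copy of %s does not match the source hash" % src)
    record = {
        "source": os.path.abspath(src),
        "destination": os.path.abspath(dest),
        "sha1": src_hash,
        "size": st.st_size,
        # assumption: st_birthtime where available (macOS/BSD), otherwise st_ctime
        # (creation time on Windows, metadata change time on Linux)
        "created": _ts(getattr(st, "st_birthtime", st.st_ctime)),
        "modified": _ts(st.st_mtime),
        "accessed": _ts(st.st_atime),
    }
    with open(log_path, "a", encoding="utf-8") as log:   # one tab-separated line per copied file
        log.write("\t".join("%s=%s" % kv for kv in record.items()) + "\n")
    return record
```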


Live response report


If live response data is found it will be saved to a directory named ‘!Live response data’ when a
new search is started. This report contains all of the information found in all of the tabs at the onset of a
new search.

Search based report


If data is found during a search, a folder named ‘Search report’ will be created in the main
report directory. This directory contains all of the information found as a result of the search.

Saving live response data without a search


When using the File | Save live response data option, a directory will be created using naming
convention <yyyyMMddHHmmss>_ Live Response data for <Machine name>_<GUID> where Machine
name is the name of the computer osTriage was executed on.

Viewing reports
Below is an example of what will be displayed when index.html is opened.


Header
Across the top of the report are the agency logo and name of the agency. These can be changed
by replacing ‘logo.png’ and editing agency.txt in the _meta directory.

To make these changes permanent, replace/edit the files in the <osTriageRoot>\ReportFiles
directory.

Content section
The content section is where data is displayed as the report is navigated. The default view is a
summary of the search including case information, search options, directories searched, etc.


Navigation menu
The left side contains two sections. The General section contains menus for returning to the
default report view, viewing the file copy log, messages, and detailed information on plugins.

The Plugins section is segregated by plugin category and plugin. Clicking a plugin name will load
the results in the content section.

Keyword hits and Hashes of interest


When keywords and/or hashes of interest are found, an additional menu item is created.
Clicking these items shows all the keywords/hashes found during the search along with a link to a text
file containing the keywords or hashes. These files can be used to import the keywords and hashes into
other forensic tools.


Extra information
Some plugins, such as the Pictures plugin, generate reports that contain additional links for
things like EXIF data, etc. This extra information becomes available when a file is copied.

Clicking on the True hyperlink displays the EXIF data for a given picture.


Another example of such functionality is the Videos plugin. When videos are copied, the contact
sheet is available by clicking on the file name of the video.

For plugins that display data using a Parent/child relationship, such as the Bittorrent plugin, a
hyperlink will exist in the Link to details column. When the hyperlink is clicked, the related child rows are
displayed.


Archiving reports
After searching one or more computers, it is important to preserve the report files and an exact
copy of osTriage that was used to conduct the search. To do this, zip and burn the ENTIRE osTriage
folder and all subfolders to CD or DVD and follow your organization’s policy for handling such items.

By copying the entire osTriage folder you are ensuring all relevant logs and the tools used to
produce those logs are preserved.

Your notes should reflect the date and time you inserted the device which contains osTriage and
when you started osTriage on the computer. Once started, osTriage will log everything else including the
current time on the computer as well as the time zone the computer is set to. Once osTriage is finished
searching, exit osTriage and remove the device from the computer. Document the time you removed
the device. Make sure your report reflects these times so the activity can be accounted for during a
forensic review of the computer.

To archive the results of a search, simply zip the main osTriage directory (assuming everything
under the <osTriageRoot>\SearchResults directory belongs to the same case). This serves several
purposes such as helping eliminate issues with long file names, conserving space, etc. The zip file can
then be burned to DVD and added to a case file, etc.

Once the reports are archived, the directories can be deleted. There is NO need to forensically
wipe the storage device osTriage was executed from between uses.

A common reason given for forensically wiping the drive is the need to ensure that no previous search
results remain on disk. There is no reason to look for deleted files on a drive where osTriage exists, so
wiping a drive serves no purpose and only reduces the life span of the device.


Customizing osTriage
osTriage allows for customization of keywords to search for, hashes to match against, etc.
osTriage has global lists of keywords and hashes that plugin authors can choose to use, but it is also
possible for plugins to override the list of hashes used for comparison, etc.

osTriage must be restarted if any of the following files are edited while osTriage is running.

Keywords
Keywords.txt exists in the <osTriageRoot>\Plugins directory. It contains one keyword per line. By
default no keywords ship with osTriage, but lists exist on the forums for common investigation types.

osTriage will look for file mask ‘Keywords*.txt’ when loading keyword files. This allows for the
creation of different keyword lists such as ‘Keywords CP.txt’ or ‘Keywords hacking.txt’ and osTriage will
load each file. To prevent osTriage from loading a file, ensure it doesn’t meet the criteria outlined above
(i.e. it isn’t named like ‘Keywords*.txt’). Simply adding a ‘_’ to the front of the filename is enough for
osTriage to ignore the file.

When using the global keyword list, any keyword hits will be included in the report.

Hashes of interest
The <osTriageRoot>\Plugins directory contains a file named ‘HashesOfInterest.txt’ and supports
the following hash algorithms: MD5 and SHA1 (base16 and base32 format). HashesOfInterest.txt
contains comments that explain the layout of the file.

Similar to keyword files, osTriage will look for file mask ‘Hashes of Interest*.txt’ when loading
hash files. This allows for creating many subsets of hashes such as ‘Hashes of interest Case1.txt’, ‘Hashes
of interest Case2.txt’, and so on.

Plugins can choose to look at the list of global hashes when processing things, such as pictures
or videos. When using the global hash list, any hash hits will be included in the report.
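As an added example, not osTriage’s own code, here is a small Python model of the loading rules described in the Keywords and Hashes of interest sections: files are picked up by the ‘Keywords*.txt’ and ‘Hashes of Interest*.txt’ masks (so a name such as ‘_Keywords old.txt’ is ignored), hash tokens are normalised from MD5 hex, SHA1 hex or SHA1 base32 into one comparable form, and a file is checked the way the Files of interest tab records it. The plugins directory, the ‘#’ comment style and the rule that a 32-character hex token is an MD5 are assumptions.

```python
import base64
import glob
import hashlib
import os
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B32_RE = re.compile(r"^[A-Z2-7]{32}$")   # a 20-byte SHA1 in base32 is exactly 32 chars, no padding


def normalize_hash(token):
    """Map an MD5 hex, SHA1 hex or SHA1 base32 token to (algorithm, lowercase hex); None if unrecognised."""
    t = token.strip()
    if len(t) == 32 and HEX_RE.match(t):     # assumption: a 32-char hex token is an MD5
        return ("md5", t.lower())            # (a base32 SHA1 built only from 2-7/A-F would be misread)
    if len(t) == 40 and HEX_RE.match(t):
        return ("sha1", t.lower())
    if B32_RE.match(t.upper()):
        return ("sha1", base64.b32decode(t.upper()).hex())
    return None


def load_lines(plugins_dir, mask):
    """Every non-empty, non-comment line from the files matching mask; '_Keywords*' names fall outside it."""
    lines = []
    for path in sorted(glob.glob(os.path.join(plugins_dir, mask))):
        with open(path, encoding="utf-8") as fh:
            for ln in fh:
                s = ln.strip()
                if s and not s.startswith("#"):   # assumption: '#' starts a comment line
                    lines.append(s)
    return lines


def load_lists(plugins_dir):
    """The global keyword list and the global set of (algorithm, hex) hashes of interest."""
    keywords = load_lines(plugins_dir, "Keywords*.txt")
    tokens = load_lines(plugins_dir, "Hashes of Interest*.txt")
    hashes = {h for h in map(normalize_hash, tokens) if h is not None}
    return keywords, hashes


def check_file(path, keywords, hashes):
    """Hash and keyword hits for one file, i.e. what would place it on the Files of interest tab."""
    with open(path, "rb") as fh:
        data = fh.read()
    digests = {("md5", hashlib.md5(data).hexdigest()), ("sha1", hashlib.sha1(data).hexdigest())}
    text = data.decode("utf-8", errors="ignore").lower()      # case-insensitive keyword match
    return {"hash_hit": bool(digests & hashes),
            "keywords": [k for k in keywords if k.lower() in text]}
```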

Using Hasher to generate Hashes of Interest files


Hasher can be used to create osTriage formatted Hashes of Interest*.txt files.

To create your own hash files, use Hasher to hash some files with one of the supported hashing
algorithms in osTriage, then export to one of the supported formats.


osTriage can also load specially created encrypted files that contain both keywords and hash
lists. This is useful if you wish to distribute such items but do not want a plain text list of hashes or
keywords to be available.

Hasher can also generate these secure files by enabling the Generate secure files option before
saving the results as shown above.

Plugin specific hashes of interest


Some plugins contain the ability to use plugin specific lists of hashes. The Pictures and Videos
plugins are examples of this. If a file named ‘HashesOfInterest.txt’ exists in the Pictures or Videos plugin
directory, the hash values in that file will be used when looking for pictures and videos.

Another benefit of this approach is limiting a search for images and videos to only those files
downloaded from a subject computer. Since the plugin specific list will contain only the hashes of
interest that were downloaded, only those files will show up as hashes of interest.

Note: When overriding the global list of hashes, a list of hash hits will not be recorded unless the
plugin takes specific action to add a hash match to the global hit list.

Removing DLLs to remove functionality


In cases where it is certain a plugin’s functionality will not be needed, the DLL file can be
renamed, moved, or deleted. As a result, osTriage will not be able to find that plugin and will not make it
available to the user.

This allows for making very specific osTriage installations for border guards or other personnel
who do not need the full range of capabilities provided by all plugins.

Tailoring osTriage in this way also simplifies training and use by field personnel as well as
allowing different agencies the flexibility to tailor osTriage to their policies and laws.

<Documentation below this point will be completed in the release version>

Creating plugins
Interfaces

(shutdown) such functionality may include taking a snapshot of a given directory on startup and then
again on shutdown in order to record what has changed in a given directory. The Windows Prefetch
directory would be a good candidate for such an operation.

Example


Appendix A – Developer information


osTriage was written and developed by Special Agent Eric R. Zimmerman of the Federal Bureau
of Investigation. He can be contacted at [email protected] or [email protected].

The reporting templates were created by SA Devon Ackerman. He can be contacted at
[email protected].

Appendix B – osTriage’s impact on a computer


When the directions are followed, osTriage writes nothing to the computer it is running on. This
has been verified with Sysinternals® tools as well as WhatChanged (v1.07) in testing during development
and testing by other forensic examiners. The only changes to the computer are the creation of keys in
the Windows Registry by Windows and several prefetch files. All of these changes can be verified by a
forensic examiner based on your notes as to when the thumb drive was inserted into the machine and
the log files osTriage creates.

The only time a file is ever placed on the computer is if an anti-virus application quarantines a
file. This is one of the reasons why osTriage detects the most common anti-virus applications and
prompts the user to ensure they are closed. Again, this is something that should be documented in case
notes.
