Automated network triage

In many police investigations today, computer systems are somehow involved. The number and capacity of computer systems needing to be seized and examined is increasing, and in some cases it may be necessary to quickly find a single computer system within a large number of computers in a network. To investigate potential evidence from a large quantity of seized computer system, or from a computer network with multiple clients, triage analysis may be used. In this work we first define triage based on the medical definition. From this definition, we describe a PXE-based client–server environment that allows for triage tasks to be conducted over the network from a central triage server. Finally, three real world cases are described in which the proposed triage solution was used.