We’re expanding our product line with a new tool: Elcomsoft Quick Triage (EQT). With this release, we are entering an area we had not previously covered – digital forensic triage. EQT is designed to address a very specific need that arises at the earliest stages of an investigation, when time is limited and quick decisions matter. The new tool is not intended to replace full-featured forensic platforms or in-depth analysis. Instead, it focuses on a different phase of the workflow: fast identification, collection, and review of the most relevant evidence before committing resources to a complete examination.
Digital forensic triage is the process of quickly assessing a system or device to determine whether it contains evidence relevant to an investigation. At this initial phase, the goal is not to conduct a thorough analysis, but to make informed decisions about where to focus effort and resources. Triage is most critical in situations where time is limited: field operations with multiple devices to evaluate, incident response scenarios requiring rapid containment, or cases where investigators must prioritize which systems warrant full forensic examination. Speed and relevance take priority over completeness at this stage.
The benefits of effective triage are straightforward. First, it enables faster decision-making – within minutes or hours, an investigator can determine whether a particular system is worth pursuing. Second, it reduces unnecessary workload by eliminating irrelevant devices from the analysis pipeline before they consume lab resources. Triage answers a fundamentally different question than full forensic analysis: not “what does this system contain?” but rather “what should we examine first?” This distinction shapes both the methodology and the tools required.
We evaluated a wide range of existing triage solutions, both commercial and open-source, and found many solid products in this space. However, common limitations became apparent across different tools: workflows that require multiple steps or too much skilled labor, processing speeds that undermine the goal of rapid assessment, narrow focus on specific artifact types or the opposite approach – extracting everything within reach without making an effort to prioritize what’s really important. These constraints motivated us to develop our own solution. Our goal with Elcomsoft Quick Triage was to make triage faster, simpler, and more focused on what investigators actually need in the field: quick answers, minimal overhead, and a straightforward path from collection to decision.
Triage scenarios fall into two broad categories: cold systems and live systems. Cold triage involves powered-off disks, forensic images, or systems accessed through a bootable environment such as Elcomsoft System Recovery (ESR) – the focus here is on stored data, with the advantage of working methodically without time pressure from a running system. Live triage, by contrast, deals with active Windows machines where the operating system is running. This approach provides access to volatile data and recent user activity that may not persist after shutdown, but it introduces time pressure and operational constraints. Each scenario demands a different set of priorities and methods. Elcomsoft Quick Triage is designed to handle the latter, collecting evidence from a live system for later examination.
Elcomsoft Quick Triage is designed for rapid evidence collection and initial analysis from live Windows systems. The tool collects multiple data sources and extracts artifacts from the most forensically relevant ones. Collected data includes user documents, browser data such as Web history or search requests, emails from many popular email clients, Windows Registry, event logs, and much more. Collection covers both user-level evidence such as recent files, saved credentials and communication history, and system-level artifacts such as installed applications, USB device history, scheduled tasks, and application launches. Select pieces of data are processed on the fly with automatic indexing, allowing investigators to search and filter results.
All extracted evidence is stored in a single VHDX-based container that preserves original file structure and metadata. The container format supports immediate search and review while maintaining data integrity for subsequent analysis. EQT includes built-in viewers for common file types, global search across multiple artifact categories, and timeline filtering by date ranges. The resulting evidence package can be transferred for deeper examination with other forensic tools or used directly for quick assessment and reporting. This design supports both field operations where time is limited and lab workflows where EQT serves as an initial collection step before full forensic analysis.
Notably, Elcomsoft Quick Triage only supports live systems and mounted disk images at this point. We are working on adding support for common forensic disk image formats such as E01. For the time being, however, use tools such as OSFMount and FTK Imager (the free tier) to mount disk images as drive letters.
As mentioned earlier, we tested a number of forensic triage tools before we started developing EQT. One major issue that plagued most of those tools was the undocumented, proprietary formats in which those tools stored collected evidence. This essentially means that one is locked into using the same tool for both collecting and analyzing evidence – an approach that is far from ideal. We wanted to change that. The VHDX format we selected to store acquired data is an open, cross-platform container format that preserves both the file system structure and associated metadata. In a lab environment, VHDX containers can be mounted either in a “raw” form or with reconstructed paths for each data source. The open and fully documented container format allows access to the data not only through EQT itself, but also by using third-party forensic tools – which was exactly the goal we aimed for.
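Because the container is a plain VHDX, an analyst can verify and inventory it with nothing but stock Windows tooling. The script below is an added example, not Elcomsoft’s code: it hashes the container, mounts it read-only, records each file’s preserved timestamps and SHA-256 into a manifest, and detaches it again. The paths are placeholders, and the only assumption about the container is that it holds at least one mountable volume.

```powershell
# Added example (not Elcomsoft's code): verify and inventory an EQT VHDX evidence
# container with the built-in Storage cmdlets. Paths below are placeholders; nothing
# about EQT's internal layout is assumed beyond the presence of a mountable volume.
param(
    [string]$ContainerPath = 'D:\Triage\CASE-PLACEHOLDER.vhdx',
    [string]$ManifestPath  = 'D:\Triage\CASE-PLACEHOLDER-manifest.csv'
)

# Hash the container before mounting so a later check can show it was not altered.
$containerHash = (Get-FileHash -Path $ContainerPath -Algorithm SHA256).Hash
Write-Host "Container SHA-256: $containerHash"

# Attach read-only: the evidence copy stays intact while it is read.
Mount-DiskImage -ImagePath $ContainerPath -Access ReadOnly -ErrorAction Stop | Out-Null
try {
    $volumes = Get-DiskImage -ImagePath $ContainerPath |
               Get-Disk | Get-Partition | Get-Volume |
               Where-Object DriveLetter
    if (-not $volumes) { throw 'No mountable volume found in container.' }

    # Walk every file, keeping the timestamps the container preserved plus a
    # per-file hash, so another tool can re-verify each item independently.
    $manifest = foreach ($v in $volumes) {
        Get-ChildItem -Path "$($v.DriveLetter):\" -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path         = $_.FullName
                SizeBytes    = $_.Length
                Created      = $_.CreationTimeUtc.ToString('o')
                LastWritten  = $_.LastWriteTimeUtc.ToString('o')
                LastAccessed = $_.LastAccessTimeUtc.ToString('o')
                SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
    $manifest | Export-Csv -Path $ManifestPath -NoTypeInformation
    Write-Host "Wrote $($manifest.Count) entries to $ManifestPath"
}
finally {
    # Always detach, even if enumeration failed part-way through.
    Dismount-DiskImage -ImagePath $ContainerPath | Out-Null
}
```

Run it from an elevated PowerShell session; Mount-DiskImage requires administrator rights.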
There is an important distinction between what is collected (the data sources) and what is processed (the artifacts). The tool collects hundreds of data sources – entire email and messaging databases, user documents, images, Windows Registry files, and many more. Only a select part of these data sources is processed, resulting in many hundreds of different forensic artifacts – such as Web browsing history, USB device connection events, application launches, and many more. The full list would be unfeasibly long and boring, so we selected just a few entries that look interesting.
System Artifacts (File System)
System Artifacts (Registry)
User Artifacts (File System)
User Artifacts (Registry)
Elcomsoft System Recovery is a bootable forensic environment based on Windows PE that provides controlled access to systems without booting the installed operating system. This makes ESR particularly suitable for cold triage scenarios where investigators need to access a system that cannot or should not be booted into its installed OS – the bootable environment ensures that the original OS remains untouched while still allowing access to local disks and user data. ESR and EQT complement each other in triage workflows: ESR handles system access and control and captures images of available disks and partitions, while EQT performs the actual evidence collection, indexing, and analysis. This combination allows investigators to maintain forensic integrity while still achieving the speed necessary for effective triage. The approach offers flexibility depending on operational requirements – ESR can be used when cold triage is the only viable option, or bypassed entirely when working with live systems or pre-acquired images.
This is just the beginning. Elcomsoft Quick Triage is under active development with ongoing improvements planned across several areas. Future updates will expand artifact coverage to include additional applications and data sources, deepen analysis capabilities for existing evidence types, and introduce automated reporting. We are also working on direct support for common forensic disk image formats such as E01, eliminating the need for intermediate mounting steps. Our vision for EQT remains clear: it is designed as a first step in the investigative process, not as a replacement for comprehensive forensic platforms. By enabling faster initial decisions and more efficient resource allocation, EQT helps investigators focus their efforts where they matter most. As we continue to develop and refine the tool, EQT will become an integral part of the Elcomsoft forensic ecosystem, working alongside our other products to support investigations from initial triage through complete analysis.
Elcomsoft Quick Triage is a tool designed to rapidly extract and analyze the most important evidence from a target computer or disk. It is equally effective during on-site operations and in laboratory environments, helping investigators make informed decisions at the earliest stages of an investigation.
In order to preserve digital evidence, the chain of custody begins from the first point of data collection. Elcomsoft System Recovery employs a forensically sound workflow to ensure that digital evidence collected during the investigation remains court admissible. The workflow implements read-only, write-blocking access to the target computer, and saves collected evidence in the form of digitally signed, verifiable disk images, making Elcomsoft System Recovery a viable alternative to hardware-based write blocking disk imaging devices while offering real-time access to crucial evidence.