We are introducing a new tool expanding our product line. Elcomsoft Quick Triage (EQT) is a forensic triage solution designed for rapid in-field data acquisition and initial analysis of Windows systems. While not a replacement for full-scale forensic suites, EQT focuses on speed and relevance, enabling investigators to process the most significant artefacts within minutes rather than hours.
Elcomsoft Quick Triage operates on both live systems and externally connected storage devices. Disk images are currently supported when mounted as a drive letter; native support for common forensic image formats such as E01 is under active development.
The primary design goal of Elcomsoft Quick Triage is maximum acquisition and analysis speed with minimal operational overhead. The tool targets data most valuable during the early stages of an investigation or on-site triage, allowing examiners to quickly assess evidentiary value and make informed decisions without lengthy processing.
Supported evidence types
The tool collects a broad range of data sources related to system and user activity, including communications data (such as instant messenger databases), email databases, user documents and photo libraries, as well as registry and file system data. These sources are extracted in their original form – for example, binary messenger databases and native Outlook data files – and preserved inside the evidence container for subsequent in-depth examination.
From the collected data, Elcomsoft Quick Triage processes a selected subset into forensic artefacts stored in an indexed, instantly searchable database accessible directly from the EQT interface. The most forensically significant artefacts are indexed, including user communications and productivity data such as searchable Outlook email messages with attachments and Microsoft Office documents, with original source files optionally preserved inside the container.
EQT also processes evidence of user activity, including recent application usage, recently accessed files and folders, and other user-initiated system actions that help establish timelines and behavioral patterns. This includes web activity (browser history), Windows Registry data, and SRUM (System Resource Usage Monitor) information, providing insight into application execution, resource usage, and system interactions over time. In addition, EQT processes system-level information such as hardware configuration, operating system details, and stored Windows credentials.
Quick data analysis
All acquired data is stored in a single container file based on the open VHDX format and supplemented with additional metadata. The resulting container can be examined later manually or using third-party forensic tools.
During acquisition, EQT performs on-the-fly indexing, enabling near-instantaneous search across collected data. Multiple extractions can be combined into a single case, simplifying evidence management across multiple systems or acquisition sessions.
Elcomsoft Quick Triage supports data export. Automated reporting is not yet available but is planned as part of ongoing development. EQT is under active development, with significant expansion of capabilities planned for future releases.
Elcomsoft Quick Triage is intended for forensic specialists, law enforcement officers, and digital forensic experts who require a fast and efficient triage solution for Windows-based systems during field operations.
Read more
• Read an article «Introducing Elcomsoft Quick Triage» in our blog