9. Evaluation Guide

This page outlines how to use the evaluation version of Cyber Triage.

9.1. Process

We recommend the following steps as you evaluate the software:

  1. Install: Install Cyber Triage on a typical Windows workstation. The installer comes with an evaluation license that will work for 7 days after its first launch and can fully analyze two of your data sets. See Standard Installation for detailed instructions, but you can just choose the defaults for an evaluation.

  2. Read: Read the Overview section of the user manual. This should take only a few minutes and provides a basic understanding of how the application works. You may not need this if you already saw a demo of the tool.

  3. Launch: Launch the Cyber Triage software, and you will see the evaluation dialog.

../_images/eval_dialog.png
  1. Demo Data: Choose the Demo Data option to give you a chance to use the interface and basic workflow. This data set is from a laptop compromise. Your goal with using this data set is to get a basic idea of the user interface and workflow. You can watch a video of this data set from here .

  2. Your Data: Next, you can analyze up to two of your data sets. The goal of this step is to see what kinds of items get scored and how easily you can find the evidence. Refer to Using Your Data below for suggestions on this step.

9.2. Evaluation License Limitations

There are two ways to run Cyber Triage for an evaluation:

  • If you have not evaluated it before, you can get a 7-day license that can ingest two hosts. To do this, simply launch Cyber Triage and choose Evaluation Mode.

  • If you have previously evaluated before or your 7-day evaluation ended, you can get a longer license from the sales team (sales@cybertriage.com). This license will have the same capabilities as a paid license.

9.3. Evaluating the Team Version

If you are interested in the Team version, then we recommend you first fully evaluate the Standard version in order to understand the general capabilities.

Configuring servers adds time and complexity and it is most efficient if you fully evaluate Standard first because they have the same user experience.

9.4. Using Your Data

Cyber Triage supports many ways of importing data and the options can be overwhelming. You should refer to Getting Data Into Cyber Triage to help choose how you will use it in production, but we recommend you start off simple for your evaluation.

Note

It is very important to understand that the main Cyber Triage application will not be run on the computer being investigated. The stand alone “Collector” program will be.

  • The main Cyber Triage application is run on your trusted analysis system

  • The Collector tool (see Cyber Triage Collector Tool) is run on the target system and it copies data to your analysis system.

To use your data:

  • If you have a live, test system that has a compromise scenario on it, then:
    • Extract the Collector from Cyber Triage using the “Extract Collector” button in the upper right (see Extracting the Collector).

    • Copy the folder to the test system.

    • Manually launch CyberTriageCollectorGUI.exe on the test system and save the artifacts to a file. This is the default behavior of the Collector. It will save it in the same folder that it was run from.

    • Copy that file to the computer running Cyber Triage and import it using “Cyber Triage File” (see Add a Cyber Triage Collector File).

    • You can watch our Training Video on this.

  • Or, if you have a disk image from a previous case, then import that using the “Disk Image” option (see Add a Disk Image).

  • You can also use a KAPE or Velociraptor collection from a previous case and import it using “KAPE” (see Add KAPE and Velociraptor Output). Note that this will not produce as much data as other methods, but it is OK for an evaluation.

Once you are comfortable with one of the above methods, then you can use the other methods that rely on networks and certificates, such as:

More information on importing data into Cyber Triage can be found at Getting Data Into Cyber Triage.