Triage Scoring System
Recommendations
- Assign risk scores to artifacts based on forensic value
- Prioritise high-value artifacts (memory dumps, registry, event logs)
- Generate triage reports
- Flag "MUST INVESTIGATE" items
| Document (.pdf, .doc, .xls) | 5 | User documents | | Other/Unknown | 0 | Unknown forensic value |
2. Pattern Match Count (0-30 points)
Number of suspicious patterns detected in the file:
| Match Count | Score | Assessment |
|---|---|---|
| 0 | 0 | No patterns detected |
| 1-5 | 5 | Minimal suspicious activity |
| 6-10 | 10 | Low suspicious activity |
| 11-20 | 15 | Moderate suspicious activity |
| 21-50 | 20 | High suspicious activity |
| 51-100 | 25 | Very high suspicious activity |
| 100+ | 30 | Critical suspicious activity |
3. Pattern Severity (0-20 points)
Weighted by the criticality of matched patterns using logarithmic scaling:
- More patterns = higher severity score
- Logarithmic function prevents score inflation
- Formula:
min(ln(pattern_count) * 5, 20)
4. File Characteristics (0-10 points)
Additional scoring factors:
- Large files (>1GB): +5 points - May contain extensive evidence
- Very large files (>100MB): +3 points - Significant content
- Memory-related paths (hiberfil, pagefile): +5 points - System memory artifacts
Risk Level Classification
Scores are categorized into five risk levels:
| Score Range | Risk Level | Priority | Icon | Description |
|---|---|---|---|---|
| 90-100 | 🔴 Critical | Immediate | Red | MUST INVESTIGATE - Highest priority items |
| 70-89 | 🟠 High | High | Orange | High priority investigation required |
| 50-69 | 🟡 Medium | Moderate | Yellow | Moderate priority investigation |
| 30-49 | 🔵 Low | Review | Cyan | Review if time permits |
| 0-29 | ⚪ Minimal | Optional | Gray | Low forensic value |
Must Investigate Flag
Files are flagged as "MUST INVESTIGATE" when:
- Score ≥ 90, OR
- High-value file type (Memory Dump, Registry Hive, Event Log) AND 20+ pattern matches
These files should be examined first in any investigation.
Usage
Basic Triage Report
# Generate triage report with default settings
sus /evidence --triage-report
# Output:
# - Console report with top 20 files
# - JSON file: output/triage_report.json
Filtering by Score Threshold
# Only show files with score ≥ 70 (High and Critical)
sus /evidence --triage-report --triage-min-score 70
# Only show files with score ≥ 90 (Critical only)
sus /evidence --triage-report --triage-min-score 90
Custom Output Location
# Specify custom output file
sus /evidence --triage-report --triage-output /investigation/triage.json
Include All Scores
# Include all files in report (not just top 100)
sus /evidence --triage-report --triage-include-all
Combined with Other Features
# Complete forensic workflow with triage
sus /evidence \
--target KAPE_Triage \
--collect \
--system-snapshot \
--parse-registry \
--parse-evtx \
--generate-timeline json \
--triage-report
# Incident response with high-priority filtering
sus /compromised-system \
--profile profiles/composite/incident-response.toml \
--collect \
--triage-report \
--triage-min-score 70
Output Format
Console Output
================================================================================
🎯 TRIAGE REPORT - Generated at 2024-01-15T10:30:45.123Z
================================================================================
📊 Summary:
Total Files: 1543
🔴 Critical: 15 files (score 90-100)
🟠 High: 87 files (score 70-89)
🟡 Medium: 234 files (score 50-69)
🔵 Low: 456 files (score 30-49)
⚪ Minimal: 751 files (score 0-29)
⚠️ MUST INVESTIGATE: 15 files
🔝 Top Priority Files (Top 20):
--------------------------------------------------------------------------------
1. 🔴 Score: 95 | Critical | Memory Dump
Path: /evidence/memory.dmp
Hash: abc123...
Patterns: 45 matches
Reasons:
• High-value artifact type: Memory Dump
• 45 suspicious patterns detected
• ⚠️ MUST INVESTIGATE
2. 🔴 Score: 92 | Critical | Registry Hive
Path: C:\\Windows\\System32\\config\\SYSTEM
Hash: def456...
Patterns: 38 matches
Reasons:
• High-value artifact type: Registry Hive
• 38 suspicious patterns detected
• ⚠️ MUST INVESTIGATE
...
JSON Output (triage_report.json)
{
"total_files": 1543,
"critical_count": 15,
"high_count": 87,
"medium_count": 234,
"low_count": 456,
"minimal_count": 751,
"must_investigate_count": 15,
"generated_at": "2024-01-15T10:30:45.123Z",
"top_scores": [
{
"path": "/evidence/memory.dmp",
"sha256": "abc123...",
"score": 95,
"risk_level": "Critical",
"file_type_score": 40,
"pattern_count_score": 25,
"pattern_severity_score": 19,
"characteristics_score": 11,
"pattern_matches": 45,
"file_type": "Memory Dump",
"reasons": [
"High-value artifact type: Memory Dump",
"45 suspicious patterns detected",
"Large file size",
"Memory/hibernation file detected",
"⚠️ MUST INVESTIGATE"
],
"must_investigate": true
}
],
"all_scores": null
}
Forensic Workflows
1. Incident Response Triage
# Identify critical evidence quickly
sus /compromised-system \
--target KAPE_Triage \
--collect \
--system-snapshot \
--triage-report \
--triage-min-score 70 \
--triage-output ir_triage.json
# Focus on top findings:
# 1. Review MUST INVESTIGATE items first
# 2. Investigate Critical and High priority files
# 3. Collect high-scoring artifacts
Limitations
Current Limitations
- Pattern-Based Scoring: Relies on pattern matches, may miss sophisticated attacks
- File Type Detection: Based on path and extension, not deep file analysis
- Static Scoring: Does not adapt to investigation context
- No Machine Learning: Uses rule-based scoring, not ML-based risk assessment
Best Practices
1. Start with Must Investigate Items
Always review files flagged with "MUST INVESTIGATE" first - these represent the highest-priority evidence.
2. Use Score Thresholds Appropriately
- Incident Response: Use
--triage-min-score 70to focus on actionable items - Comprehensive Analysis: Use default (0) to see full picture
- Quick Triage: Use
--triage-min-score 90for critical items only
3. Combine with Other Features
Triage scoring is most effective when combined with:
- Artifact collection (
--collect) - Timeline generation (
--generate-timeline) - Registry parsing (
--parse-registry) - Event log analysis (
--parse-evtx) - System snapshot (
--system-snapshot)
4. Iterative Analysis
- Run initial triage to identify high-priority files
- Analyze top-scoring items in detail
- Refine profiles based on findings
- Re-run triage with updated profiles
5. Export and Share Reports
- Export triage reports to JSON for sharing with team
- Include triage scores in investigation documentation
- Use scores to justify analysis priorities
Limitations
Current Limitations
- Pattern-Based Scoring: Relies on pattern matches, may miss sophisticated attacks
- File Type Detection: Based on path and extension, not deep file analysis
- Static Scoring: Does not adapt to investigation context
- No Machine Learning: Uses rule-based scoring, not ML-based risk assessment
Recommendations
- Assign risk scores to artifacts based on forensic value
- Prioritise high-value artifacts (memory dumps, registry, event logs)
- Generate triage reports
- Flag "MUST INVESTIGATE" items
2. Large-Scale Forensic Collection
# Triage thousands of files efficiently
sus /forensic-image \
--profile profiles/composite/forensic-investigation.toml \
--triage-report \
--triage-include-all
# Prioritize analysis:
# 1. Export triage report
# 2. Filter by risk level
# 3. Focus on high-value artifacts
3. Malware Analysis
# Score files for malware indicators
sus /malware-samples \
--profile profiles/base/malware.toml \
--triage-report \
--triage-min-score 50
# Review:
# 1. High-scoring executables
# 2. Suspicious scripts
# 3. Files with multiple pattern matches
4. Data Breach Investigation
# Identify sensitive data exposure
sus /file-server \
--profile profiles/composite/pci-compliance.toml \
--triage-report \
--triage-min-score 60
# Focus on:
# 1. Files with PII patterns
# 2. Configuration files
# 3. Log files with credentials
Interpretation Guidelines
Critical Risk (90-100)
Action Required: Immediate investigation
Typical Files:
- Memory dumps with 20+ suspicious patterns
- Registry hives with malware indicators
- Event logs with security violations
- Large files with extensive pattern matches
Investigation Steps:
- Prioritize these files first
- Perform deep analysis
- Correlate with other evidence
- Document findings thoroughly
High Risk (70-89)
Action Required: High priority investigation
Typical Files:
- Prefetch files with suspicious executions
- Browser artifacts with credential patterns
- Scripts with obfuscation
- Executables with multiple indicators
Investigation Steps:
- Review after Critical items
- Look for attack patterns
- Timeline correlation
- Check for persistence mechanisms
Medium Risk (50-69)
Action Required: Moderate priority
Typical Files:
- Log files with some suspicious entries
- Configuration files with weak settings
- Archives containing suspicious files
- Documents with embedded content
Investigation Steps:
- Review during detailed analysis phase
- Look for supporting evidence
- Context-based evaluation
Low Risk (30-49) & Minimal (0-29)
Action Required: Review if time permits / Optional
Typical Files:
- Standard system files
- Benign documents
- Empty or minimal content files
Investigation Steps:
- Defer until higher priorities complete
- May skip in time-constrained investigations
- Useful for comprehensive reports
Planned Enhancements
- Pattern Severity Weighting: Individual pattern risk scores
- ML-Based Scoring: Anomaly detection and behavioral analysis
- Investigation Context: Adjust scoring based on investigation type
- Historical Baselines: Score deviations from normal patterns
- Threat Intel Integration: Incorporate IOC databases
Security Considerations
- Triage ≠ Analysis: Scoring supplements investigation, doesn't replace it
- False Positives: High scores may occur for benign files with many patterns
- False Negatives: Low scores don't guarantee files are safe
- Verification Required: Always verify high-scoring findings
- Context Matters: Consider organizational environment and threat model
Troubleshooting
No Files Scored
Issue: Triage report shows 0 files
Solutions:
- Ensure analysis completed successfully
- Check if
--triage-min-scoreis too high - Verify files were analyzed (not skipped)
All Files Have Same Score
Issue: Scores are not differentiating files
Solutions:
- Check if patterns are matching effectively
- Review profile configuration
- Verify file types are being detected
Report Export Fails
Issue: Cannot write triage report to file
Solutions:
- Check output directory permissions
- Verify disk space availability
- Try different output path
Integration with Other Tools
Timeline Tools
Triage scores can be exported and imported into timeline analysis tools:
# Export triage report
sus /evidence --triage-report --triage-output triage.json
# Use with timeline
sus /evidence --generate-timeline csv --triage-report
# High-scoring files appear in timeline with risk indicators
SIEM/SOAR Integration
# Export for SIEM ingestion
sus /evidence --triage-report --triage-output /siem/import/triage.json
# Use JSON output for:
# - Automated alerting on Critical findings
# - Playbook triggering for High-risk items
# - Investigation case enrichment
Forensic Platforms
Triage reports can be imported into forensic platforms (Autopsy, X-Ways, etc.) to prioritize review queues.
References
Version History
- v1.0.0 (2024-01-15): Initial triage scoring implementation
- Four-factor scoring model
- Five risk levels
- Must Investigate flagging
- JSON and console output