Evimetry Australia
Request a Quote

Cut hours from your forensic workflow

1TB Macbook Pro (2015 model)

Evimetry Wirespeed scales acquisition and analysis to today’s high IO bandwidth, multi-core computing environment. Spend less time:

  • Waiting for acquisitions in the field and the lab.
  • Copying and verifying evidence in the lab
  • Processing evidence in the lab

Time saving features

Evimetry Wirespeed cuts hours off your forensic workflow regardless of whether your target device is local, or across the internet.

Acquire faster.

Evimetry Wirespeed scales acquisition towards maximal IO rates of evidential source devices by utilising advanced compression and hashing techniques and aggregating the combined bandwidth of multiple output IO channels. Evimetry’s advanced image container format enables the creation of images that span multiple storage devices, storing evidence in a manner similar to RAID striping.

IO rates exceeding 400MB/s are commonly acheivable by striping the resulting image across multiple SATA evidence hard drives directly attached by USB3.

Analyse immediately.

Evimetry Wirespeed closes the gap between acquisition and analysis by enabling examination and triage activities to occurr at the same time as acquisition. Analysis and triage is facilitated by a virtual disk device, enabling you to leverage your preferred forensic toolset.

Evimetry’s advanced non-linear partial imaging technology means that any evidence accessed from the subject storage device is read and transferred only once before being stored in a forensic image. Interactive performance for examination activities is maintained by priority.

Acquire and analyse remotely.

Evimetry is designed from the ground up to be network based. The Evimetry Controller centrally manages acquisition and analysis across multiple suspect computers, regardless of whether they are located on a local network, in a branch office, or across the internet.

Suspect computers are accessed by live forensic, dead boot, or dead disk methods. The Evimetry live agent is deployable live on Windows XP and above, Linux, and Mac OSX 10.7 and above while the Dead boot agent is deployable on any Intel x86 compatible hardware.

Evidence may be stored to direct attached storage, to tactically placed repository agents, or to storage located at the controller.

Acquire only what you choose.

Evimetry’s non-linear imaging technology allows you to create conventional physical forensic images in less time, while at the same time enabling access via analysis tools. In conjunction with this, Evimetry’s partial imaging technology enables one to create partial physical forensic images of the most important evidence, and successively widen scope.

Incident responders might start with an incident response acquisition (which acquires volume metadata blocks, filesystem metadata blocks, log content and registry content), analyse those artefacts and then widen scope for only the systems identified as relevant. The raw forensic evidence underlying such triage analysis methodologies remains available as forensic images.

Usage demonstrations.

Live partial acquisition with EnCase

This screencast demonstrates the performance of live analysis and the incremental building of partial physical disk images with Evimetry Wirespeed. Our blog post, titled “Partial Live Acquisition using Evimetry Wirespeed & Encase” describes the salient aspects.

Remote IAAS live cloud acquisition and analysis.

This screencast demonstrates remote live acquisition and analysis of a cloud based server using the Evimetry Wirespeed system.

Dead boot linear acquisition of MacBook Air.

This screencast demonstrates rapid acquistion of an SSD based MacBook Air by dead boot agent and a direct attached hard drive. Using the Evimetry system, acquisition occurrs at an average rate of 22 GB/minute (330 MB/s).