Time saving features
Evimetry Wirespeed cuts hours off your forensic workflow, regardless of whether your target device is local or across the internet.
Evimetry Wirespeed scales acquisition towards maximal IO rates of evidential source devices by utilising advanced compression and hashing techniques and aggregating the combined bandwidth of multiple output IO channels. Evimetry’s advanced image container format enables the creation of images that span multiple storage devices, storing evidence in a manner similar to RAID striping.
IO rates exceeding 400MB/s are commonly achievable by striping the resulting image across multiple SATA evidence hard drives directly attached by USB3.
Evimetry Wirespeed closes the gap between acquisition and analysis by enabling examination and triage activities to occur at the same time as acquisition. Analysis and triage are facilitated by a virtual disk device, enabling you to leverage your preferred forensic toolset.
Evimetry’s advanced non-linear partial imaging technology means that any evidence accessed from the subject storage device is read and transferred only once before being stored in a forensic image. Interactive performance for examination activities is maintained by priority.
Acquire and analyse remotely.
Evimetry is designed from the ground up to be network based. The Evimetry Controller centrally manages acquisition and analysis across multiple suspect computers, regardless of whether they are located on a local network, in a branch office, or across the internet.
Suspect computers are accessed by live forensic, dead boot, or dead disk methods. The Evimetry live agent is deployable live on Windows XP and above, Linux, and Mac OSX 10.7 and above, while the dead boot agent is deployable on any Intel x86 compatible hardware.
Evidence may be stored to direct attached storage, to tactically placed repository agents, or to storage located at the controller.
Acquire only what you choose.
Evimetry’s non-linear imaging technology allows you to create conventional physical forensic images in less time, while at the same time enabling access via analysis tools. In conjunction with this, Evimetry’s partial imaging technology enables one to create partial physical forensic images of the most important evidence, and successively widen scope.
Incident responders might start with an incident response acquisition (which acquires volume metadata blocks, filesystem metadata blocks, log content and registry content), analyse those artefacts and then widen scope for only the systems identified as relevant. The raw forensic evidence underlying such triage analysis methodologies remains available as forensic images.