CUT HOURS FROM IN-LAB FORENSIC WORKFLOW.
Evimetry Lab delivers answers hours earlier per device. Scale time-consuming indexing and processing across multiple workstations as soon as acquisition begins and proceed immediately to examination. All using your preferred forensic toolset.
When it comes to preserving evidence, DF laboratories generally fall into two camps. Those that acquire in the field, and those that collect evidence in the field, only later doing acquisition in-lab. Over the last two years, Evimetry’s product offerings have been primarily focused on the former. Practitioners have benefited from the fastest in-field acquisitions, while at the same time enabling meaningful analysis work to occur while waiting for acquisition to complete.
Evimetry Lab changes the game for the latter group. This groundbreaking approach enables analysis and time-consuming processing tasks (such as indexing) to begin immediately after acquisition begins, across multiple computers or servers. The traditional delay between waiting for acquisition to complete prior to beginning processing is removed, leading to processing tasks completing hours earlier, and answers sooner.
How much sooner? The comparison above shows a time-consuming indexing job using NUIX completing hours earlier when using Evimetry Lab as opposed to traditional forensic imaging workflows. There is also some live analysis using EnCase thrown in for good measure.
While we are using NUIX here, this works with any tools that support the standard RAW image format. And multiple tools at the same time.
How does it work?
Evimetry Lab exploits high speed storage for evidence, and high speed networking to keep multiple tools processing evidence as fast as they can consume it. Evidence is compressed and hashed on the ingestion node and acquired into an AFF4 image in the central SAN storage.
Analysis tools access images in the repository via a virtual filesystem, as a RAW image file (actually a virtual raw image). Reads of the virtual image then are read from the in-progress AFF4 image on the SAN storage if they have already been acquired. If they haven’t yet been acquired, a read is triggered from the suspect disk, where the target blocks are read at the highest priority, compressed and hashed, streamed back to the lab server, stored in the image, and then returned to the reading tool. This all happens fast enough that live analysis can proceed with minimal perceivable lag.
Evimetry Lab Ingest Node (EN3)
For optimum performance on the ingestion side, we have custom built forensic hardware. Shown below, atop its two prototypes, the EN3 is no mere forensic duplicator.
Evidence is acquired through the four 6GB/s powered SAS connectors on the front, and the two USB3 and a a single 4x PCIE slots on the back. All the ports are write blocked. Evidence is streamed out the 10GbE network interface on the back.
Are you interested in this product?
or Please contact CDFS for more information
1300 55 33 24 | E-mail: contact@cdfs.com.au
