DIGITAL FORENSICS AT WIRE SPEED
What’s new in Evimetry v3.0.11
Broader volatile memory support
The live agent now uses the most recent version of the winpmem driver on Windows systems, and so now supports volatile memory acquisition in the presence of Virtual Secure Mode (VSM) on Windows 10.
More detailed USB metadata
Recent releases have focused on preserving more metadata from USB attached disks – including the VID & PID, and in drives attached to recent USB bridges, the serial number of the disk (as opposed to the serial number of the USB bridge).
Paragon APFS Compatibility resolved
In the pre-release stream (v3.1.8), we have begun using v1 of the Dokan virtual filesystem toolkit, which is used in the Filesystem Bridge. This fixes an issue experienced by users of Paragon APFS, wherein the private v0.8 build of Dokan used by Paragon conflicted with the publicly released v0.8 version released by the Dokan project (and used by Evimetry & X-Ways).
Acquire Faster. Analyse Immediately.
Evimetry is a system for accelerating workflow at the front end of forensic processes, encompassing acquisition, live analysis, triage, and remote forensics.
Cut hours from your forensic workflow.
[Figure: 1TB MacBook Pro (2015 model)]
Evimetry scales acquisition and analysis to today’s high IO bandwidth, multi-core computing environment. Spend less time:
- Waiting for acquisitions in the field and the lab.
- Copying and verifying evidence in the lab
- Processing evidence in the lab
Evimetry scales acquisition towards maximal IO rates of evidential source devices by utilising advanced compression and hashing techniques and aggregating the combined bandwidth of multiple output IO channels. Evimetry’s advanced image container format enables the creation of images that span multiple storage devices, storing evidence in a manner similar to RAID striping.
Acquisition rates of 50 GB/min to 100 GB/min are commonly achievable for current generation laptops by striping the resulting image across multiple evidence hard drives directly attached by USB3.
Evimetry closes the gap between acquisition and analysis by enabling examination and triage activities to occur at the same time as acquisition. Analysis and triage are facilitated by a virtual disk device, enabling you to leverage your preferred forensic toolset.
Evimetry’s advanced non-linear partial imaging technology means that any evidence accessed from the subject storage device is read and transferred only once before being stored in a forensic image. Interactive performance for examination activities is maintained through prioritisation.
Acquire and analyse remotely.
Evimetry is designed from the ground up to be network based. The Evimetry Controller centrally manages acquisition and analysis across multiple suspect computers, regardless of whether they are located on a local network, in a branch office, or across the internet.
Suspect computers are accessed by live forensic, dead boot, or dead disk methods. The Evimetry live agent is deployable live on Windows XP and above, Linux, and Mac OS X 10.7 and above, while the dead boot agent is deployable on any Intel x86 compatible hardware.
Evidence may be stored to direct attached storage, to tactically placed repository agents, or to storage located at the controller.
Acquire only what you choose.
Evimetry’s non-linear imaging technology allows you to create conventional physical forensic images in less time, while at the same time enabling access via analysis tools. In conjunction with this, Evimetry’s partial imaging technology enables one to create partial physical forensic images of the most important evidence, and successively widen scope.
Incident responders might start with an incident response acquisition (which acquires volume metadata blocks, filesystem metadata blocks, log content and registry content), analyse those artefacts and then widen scope for only the systems identified as relevant. The raw forensic evidence underlying such triage analysis methodologies remains available as forensic images.
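As an added illustration of the non-linear partial imaging and widen-scope workflow described above (example code written here; it is not Evimetry’s code or its container format), the following toy model serves analysis reads from a constructed 64 KiB “disk”, acquires and hashes each block the first time it is touched, serves repeat reads from the image, and then widens scope to a full physical image:

```python
import hashlib

BLOCK = 4096
# Constructed sample evidence: 16 blocks of deterministic, non-zero content.
SAMPLE_DISK = bytes((i * 7 + j) % 251 for i in range(16) for j in range(BLOCK))


class PartialImage:
    """Non-linear partial image: blocks are acquired in the order analysis
    requests them, each read from the source device at most once."""

    def __init__(self, source: bytes):
        self.source = source
        self.nblocks = (len(source) + BLOCK - 1) // BLOCK
        self.blocks = {}        # block index -> data held in the image
        self.hashes = {}        # block index -> SHA-256 recorded at acquisition
        self.source_reads = 0   # physical reads issued to the evidence device

    def read(self, offset: int, length: int) -> bytes:
        """Serve an analysis read; unseen blocks are acquired, seen ones are not."""
        out = bytearray()
        first, last = offset // BLOCK, (offset + length - 1) // BLOCK
        for i in range(first, last + 1):
            if i not in self.blocks:
                self.source_reads += 1
                data = self.source[i * BLOCK:(i + 1) * BLOCK]
                self.blocks[i] = data
                self.hashes[i] = hashlib.sha256(data).hexdigest()
            out += self.blocks[i]
        start = offset - first * BLOCK
        return bytes(out[start:start + length])

    def coverage(self) -> float:
        return len(self.blocks) / self.nblocks

    def widen(self, block_indices):
        """Widen scope: pull further blocks into the image (e.g. after triage)."""
        for i in block_indices:
            self.read(i * BLOCK, BLOCK)

    def complete(self):
        """Fill every remaining block, yielding a full physical image."""
        self.widen(range(self.nblocks))

    def verify(self) -> bool:
        return all(hashlib.sha256(d).hexdigest() == self.hashes[i]
                   for i, d in self.blocks.items())


def demo():
    img = PartialImage(SAMPLE_DISK)
    img.read(0, 512)                  # triage: boot sector
    img.read(2 * BLOCK, 2 * BLOCK)    # triage: a filesystem metadata region
    img.read(0, 512)                  # same evidence again: no second device read
    after_triage = (img.source_reads, img.coverage())
    img.complete()                    # widen scope to the whole device
    return img, after_triage
```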
Live partial acquisition with EnCase
This screencast demonstrates the performance of live analysis and the incremental building of partial physical disk images with Evimetry. Our blog post, titled “Partial Live Acquisition using Evimetry & Encase” describes the salient aspects.
Remote IAAS live cloud acquisition and analysis.
This screencast demonstrates remote live acquisition and analysis of a cloud based server using the Evimetry system. A cloud storage agent is provisioned in the same datacentre as the target server, and then a live agent deployed to the target server.
Dead boot linear acquisition of MacBook Air.
This screencast demonstrates rapid acquisition of an SSD based MacBook Air by dead boot agent and a direct attached hard drive. Using the Evimetry system, acquisition occurs at an average rate of 22 GB/minute (330 MB/s).