Evimetry

Evimetry is a system for accelerating workflow at the front end of forensic processes, encompassing acquisition, live analysis, triage, and remote forensics.

Are you intersted in this product?

1300 55 33 24

contact@cdfs.com.au

Quote Request

DIGITAL FORENSICS AT WIRE SPEED

Acquire Faster. Analyse Immediately.

Evimetry is a system for accelerating workflow at the front end of forensic processes, encompassing acquisition, live analysis, triage, and remote forensics.

Cut hours from your forensic workflow.

1TB Macbook Pro (2015 model)

  • Waiting for acquisitions in the field and the lab.
  • Copying and verifying evidence in the lab
  • Processing evidence in the lab
Acquire faster.

Evimetry scales acquisition towards maximal IO rates of evidential source devices by utilising advanced compression and hashing techniques and aggregating the combined bandwidth of multiple output IO channels. Evimetry’s advanced image container format enables the creation of images that span multiple storage devices, storing evidence in a manner similar to RAID striping.

Acquisition rates of 50GB/min to 100 GB/min are commonly acheivable for current generation laptops by striping the resulting image across multiple evidence hard drives directly attached by USB3.

Analyse immediately.

Evimetry closes the gap between acquisition and analysis by enabling examination and triage activities to occurr at the same time as acquisition. Analysis and triage is facilitated by a virtual disk device, enabling you to leverage your preferred forensic toolset.

Evimetry’s advanced non-linear partial imaging technology means that any evidence accessed from the subject storage device is read and transferred only once before being stored in a forensic image. Interactive performance for examination activities is maintained by priority.

Acquire and analyse remotely.

Evimetry is designed from the ground up to be network based. The Evimetry Controller centrally manages acquisition and analysis across multiple suspect computers, regardless of whether they are located on a local network, in a branch office, or across the internet.

Suspect computers are accessed by live forensic, dead boot, or dead disk methods. The Evimetry live agent is deployable live on Windows XP and above, Linux, and Mac OSX 10.7 and above while the Dead boot agent is deployable on any Intel x86 compatible hardware.

Evidence may be stored to direct attached storage, to tactically placed repository agents, or to storage located at the controller.

Acquire only what you choose.

Evimetry’s non-linear imaging technology allows you to create conventional physical forensic images in less time, while at the same time enabling access via analysis tools. In conjunction with this, Evimetry’s partial imaging technology enables one to create partial physical forensic images of the most important evidence, and successively widen scope.

Incident responders might start with an incident response acquisition (which acquires volume metadata blocks, filesystem metadata blocks, log content and registry content), analyse those artefacts and then widen scope for only the systems identified as relevant. The raw forensic evidence underlying such triage analysis methodologies remains available as forensic images.

Live partial acquisition with EnCase

This screencast demonstrates the performance of live analysis and the incremental building of partial physical disk images with Evimetry. Our blog post, titled “Partial Live Acquisition using Evimetry & Encase” describes the salient aspects.

Evimetry Products:

  • Evimetry Lab
  • Evimetry Imager
  • Evimetry Advanced Imager
  • Evimetry Remote
  • Evimetry Responder

 

/* Omit closing PHP tag at the end of PHP files to avoid "headers already sent" issues. */