Category: Live Forensics
The Evimetry Wirespeed system enables remote live analysis using your existing forensic toolkit. In doing so, a partial physical image is created. Analysis activity drives the partial acquisition process, which in-turn results in an increasingly complete physical disk image. Acquisition may be incrementally widened to categories of evidence, such as Windows Registries, Log Files, Office documents, Allocated, and all of disk. An important aspect in balancing live analysis with bulk acquisition is interactive latency (liveness).
Introducing Evimetry: digital forensics at wire speed
Digital forensics is full of waiting. Waiting for acquisitions to complete. Waiting for images to process. Waiting for flights and waiting in data centres. We set out to remove this wait. In November 2014, Schatz Forensic quietly opened a beta program for a new forensic tool aimed at speeding forensic workflow. The innovative system accelerates acquisition and processing of evidence and closes the gap between acquisition and analysis. A long beta program has allowed us to listen to our testers, and target the pain points in their forensic process.
Stealth deployment of f-response Enterprise
In the last couple of days I have taken a few moments to familiarise myself with F-Response. The tool has been getting a lot of buzz lately amongst the forensic community, as it allows read-only raw access to the drives of remote computers, using one's regular forensic toolset. Think encase enterprise at a lower price tag and open tool access. For the more technical reader, it does this by setting up an iSCSI target on the remote (target, or suspects) computer.