Inside the Evimetry Stack
Evimetry delivers the fastest forensic workflow by adopting a toolkit approach. Learn about its pieces here.
Controller: For acquisitions and analysis of remote computers, or for scaling up local acquisitions, the Controller provides a single pane for managing multiple acquisitions across Evimetry Deadboot, Live and Cloud Agents.
Imager: For bare metal acquisitions of non-networked computers we provide a simple GUI as a part of the Deadboot. Select the suspect device that you want to acquire, where you want to store it, add case information, and go, with a minimum of keystrokes. Management of write blocking is foolproof and automatic. Learn more about Evimetry Imager.
Whether you are pulling a disk from a workstation, acquiring a RAID from a live server, acquiring soldered-in flash storage from a laptop, or acquiring from a cloud server, Evimetry provides the engine for a fast, reliable and simple acquisition.
Evimetry's forensic agents are the core engine of Evimetry, managing write blocking of suspect devices, high speed acquisition, storage of evidence, hashing, live analysis and IO scheduling.
The Live Agent is for remote suspect computers or local computers that cannot be switched off. The Deadboot Agent is for suspect computers that can be powered off and rebooted using so-called liveCD forensic processes. It also serves as a network based store for evidence. The Cloud Agent is for use as a cloud or virtual machine based store for evidence. Learn more about the Live Agent.
Evimetry uses widely accepted techniques for preserving the integrity of evidence, combined with a foolproof means of management. The Deadboot and Cloud agents use kernel-level software write blocking. The Live agent is incapable of writing to local storage, and has minimal impact on live hosts.
Existing Raw and E01 evidence containers are a bottleneck to forensic workflows. Evimetry is able to achieve its speed and agility by using the Advanced Forensic Format v4 (AFF4) for storing evidence. The format is available as an open standard, has been scientifically peer reviewed, and is usable from your current forensic toolset.
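The integrity mechanism described above (hashing the acquired evidence, stored alongside the image) is easy to see in miniature. The following is an added illustration, not Evimetry's code and not the AFF4 implementation: it hashes a constructed sample image in fixed-size blocks as well as whole, writes both into a small manifest at acquisition time, and later verifies the image against that manifest so that a single altered byte is reported together with the block it lives in. The block size, the manifest layout and the sample data are assumptions chosen for the example.

```python
import hashlib
import random
from typing import Dict, List, Tuple

# Assumed block size for the example; real chunked evidence formats use their own.
BLOCK_SIZE = 32 * 1024


def make_sample_image(size: int = 100 * 1024, seed: int = 1) -> bytes:
    """Constructed sample 'disk image': deterministic pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def block_hashes(image: bytes, block_size: int = BLOCK_SIZE) -> List[str]:
    """SHA-256 of every fixed-size block; the final block may be shorter."""
    return [hashlib.sha256(image[i:i + block_size]).hexdigest()
            for i in range(0, len(image), block_size)]


def image_hash(image: bytes) -> str:
    """SHA-256 over the whole image, the usual 'acquisition hash'."""
    return hashlib.sha256(image).hexdigest()


def acquire(image: bytes, block_size: int = BLOCK_SIZE) -> Dict:
    """Simulate acquisition: record size, per-block hashes and the whole-image hash."""
    return {
        "size": len(image),
        "block_size": block_size,
        "blocks": block_hashes(image, block_size),
        "sha256": image_hash(image),
    }


def verify(image: bytes, manifest: Dict) -> Tuple[bool, List[int]]:
    """Check an image against its manifest.

    Returns (ok, bad_blocks). ok is True only when the size, every block hash and
    the whole-image hash all match; bad_blocks lists the indices of blocks whose
    hash no longer matches, which localises tampering or media errors.
    """
    expected = manifest["blocks"]
    actual = block_hashes(image, manifest["block_size"])
    bad = [i for i in range(max(len(expected), len(actual)))
           if i >= len(expected) or i >= len(actual) or expected[i] != actual[i]]
    ok = (len(image) == manifest["size"]
          and not bad
          and image_hash(image) == manifest["sha256"])
    return ok, bad


def flip_byte(image: bytes, offset: int) -> bytes:
    """Return a copy of the image with one byte changed (to simulate corruption)."""
    altered = bytearray(image)
    altered[offset] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    original = make_sample_image()
    manifest = acquire(original)
    print("pristine image verifies:", verify(original, manifest))
    # One flipped byte inside block 2 shows up as exactly that block failing.
    damaged = flip_byte(original, 2 * BLOCK_SIZE + 5)
    print("damaged image verifies:", verify(damaged, manifest))
```

Verification in practice is run from a clean copy of the manifest, kept with the case record rather than only inside the image container, so that a re-hash of the evidence later in the workflow can be compared against values captured at acquisition time.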
Evimetry's AFF4 physical images are directly accessible from your current forensic toolkit, using Evimetry's freely available filesystem bridge. It even speeds up many processing activities in traditional tools.
We have been working with leading forensic tool makers (both commercial and open source) to grow the AFF4 ecosystem. The growing list of AFF4 native tools capable of reading Evimetry produced images includes X-Ways, Forensic Explorer, Sleuthkit, Volatility & Rekall. Learn more about the Filesystem Bridge.