Evimetry Advanced Imager



Evimetry Advanced Imager provides a flexible toolkit for live analysis and acquisition of physical disks, booting from a USB flash drive or hard drive.



All the features of Imager and more.

In addition to all the features of Evimetry Imager, the Advanced Imager provides advanced acquisition techniques enabling prioritised evidence acquisition and live analysis. The resulting physical images are still usable in regular forensic tools.

Complete, live & profile based acquisitions.

Evimetry’s technical advance is the non-linear partial physical forensic image. Acquire the highest-value evidence by category first, widen the scope of acquisition by live analysis via virtual disk, or take a complete image. The choice is yours.

Allocated only acquisitions.

Allocated only acquisitions enable rapid acquisition of all allocated volume and filesystem metadata and content. Useful for acquiring high value content in time critical situations.

Remote control of acquisition.

Scale to acquiring multiple devices at the same time, with centralised control from a single pane.

Analyse immediately.

Evimetry closes the gap between acquisition and analysis, with examination and triage activities occurring at the same time as acquisition. Leverage your preferred forensic toolset for live analysis and triage while you acquire, via a virtual disk device view of your live acquisition.

Remote deadboot acquisition

This tutorial steps you through using Evimetry Advanced Imager to acquire the disk of a computer booted from the Evimetry Deadboot. The acquisition is controlled remotely, using the Evimetry Controller.

Learn how to acquire remotely with the Deadboot

All the features

Evimetry Responder contains all of the features of Evimetry Remote and Evimetry Imager.

Profile based acquisition with Evimetry Collector.

This screencast demonstrates the creation and use of a single disk Collector, configured to acquire a partial physical image of log files, pictures, office documents, Windows artefacts, and the remainder of the disk by priority. Despite the acquisition being stopped part way through, the resulting image is still usable with regular forensic tools.

Live partial acquisition with EnCase

This screencast demonstrates the performance of live analysis and the incremental building of partial physical disk images with Evimetry. Our blog post, titled "Partial Live Acquisition using Evimetry & Encase", describes the salient aspects.

Dead boot linear acquisition of MacBook Air.

This screencast demonstrates rapid acquisition of an SSD based MacBook Air by dead boot agent and a direct attached hard drive. Using the Evimetry system, acquisition occurs at an average rate of 22 GB/minute (330 MB/s).

Buy Evimetry Imager.

Please contact us to purchase at the following pricing. Prices are in US Dollars.

Imager   Imager Multi   Advanced Imager   Responder
$150   $600   $1,200   $2,500
Fast bare metal acquisition   Fastest multi-destination bare metal acquisition   Live analysis & multi destination bare metal acquisition.   Local and remote accelerated acquisition & live analysis.
Dead boot single destination acquisitions      
Dead boot multi-destination striped acquisitions -      
Remote network control of acquisition operations -   -    
Collector based acquisitions -   -    
Concurrent dongle free acquisitions 1   1   2   2
Concurrent advanced acquisitions (using dongle) 1   1   2   2
Remote Live agent network based operations (Windows, Linux) -   -   -  
Remote transient evidence storage agent -   -   -  
Concurrent advanced acquisitions 1   1   2   2
Remote Volatile Memory acquisition (Windows, Linux) -   -   -  
Complete Physical Disk acquisition      
Partial Physical acquisition of allocated only -   -    
Partial Physical acquisition (profile based) -      
Convert AFF4 to EWF & RAW      
Mount local images as virtual file or disk      
Mount remote images as virtual file or disk -   -    
Node to node image transfer -      
Communications encrypted with strong TLS 1.2 crypto -   -