CUT HOURS FROM IN-LAB FORENSIC WORKFLOW.
Evimetry Lab delivers answers hours earlier per device. Scale time-consuming indexing and processing across multiple workstations as soon as acquisition begins and proceed immediately to examination. All using your preferred forensic toolset.
CASE STUDY: FULL INDEX-BASED KEYWORD SEARCH IN HALF THE TIME
The above diagram shows the time taken to acquire, verify, and process a 1 TB Seagate 3.5” SATA spinning disk, acquired to a 4xSSD RAID0 array, via 10GB ethernet. For the test run labeled “Win2016 SMB3 10 GbE”, the disk was acquired from a 6-core i7 using X-Ways to the evidence array using standard Windows 2016 file sharing over 10 GbE networking. On completion of acquisition, a complete NUIX processing job was started on the acquired image and Encase was used for an initial triage-oriented examination. For the test run labeled “Evimetry Lab 10 GbE”, the disk was acquired from a 6-core Xeon-D to the evidence array using Evimetry’s native network protocol over 10 GbE networking. Just after beginning the acquisition, EnCase was used for an initial triage-oriented examination, and a complete NUIX processing job was started.
HOW IT WORKS: Example Usage
A suspect disk is attached to an ingestion node (a computer running the Evimetry Deadboot Agent) and an acquisition started using the Evimetry Controller. The acquisition task plans a prioritised acquisition that first acquires all of the allocated blocks, then all of the unallocated blocks from the device. Acquired blocks are compressed & hashed, then streamed via the 10 GbE network to the Lab Repository Agent, where they are stored in a forensic image.
The image is immediately available as a virtual raw file via the Evimetry Filesystem Bridge on any number of analysis workstations or servers in the network (you dont need to wait for the acquisition to complete to access the image). For example, if you are imaging a 1TB drive, the image will be accessible via a 1TB raw file.
Simply open the .raw file using your forensic tool of choice and start analysis or processing. When the tool reads from the virtual .raw image, the read goes to the in-progress image in the Lab Repository. If the underlying blocks have already been acquired, they are returned from the image. If they haven't been acquired yet, they are acquired from the suspect disk, stored in the image, and returned.
All images in the Evidence Repository (including in-progress images) are accessible as virtual raw files via the Evimetry Filesystem Bridge. The analyst uses the Filesystem Bridge to mount the Evidence Repository to a drive such as W: . Underneath the W: drive is a folder hierarchy of images in the repository.
HOW IT WORKS: Technical Background
Suspect storage generally reads data much slower than 10 GbE+ networking; 10x slower for laptop spinning disks, 5x slower for current generation 3.5” commodity SATA drives, and 2x slower for current SSD’s. Evimetry’s patent-pending non-linear acquisition technology enables multiple existing forensic tools to work with the same forensic image, as it is being created, by emulating the image as a raw file. Reads of blocks in the emulated image are either read from the image if they have already been acquired, otherwise reads cause the blocks to be acquired from the suspect device, stored in the image and returned.
The fastest in-lab forensics requires a new approach
Evimetry Lab leverages high-speed networking (10 GbE and higher), centralized high-speed storage and Evimetry’s patent pending non-linear acquisition technology to enable both acquisition and analysis tasks to occur at the same time, without the delays of traditional approaches.
Simple to use
All evidence is accessible using your regular toolset via a Windows drive letter.
Avoid the suspect device bottleneck
The suspect device is typically a bottleneck, with speeds of around 100-200 MB/s for spinning disks, and much lower under random IO. Evimetry Lab keeps data flowing from the suspect device at maximal rates, and never reads the same block twice.
Multi-tool forensics at unparalled data rates
Simultaneous reads of suspect blocks from multiple tools help drive the creation of the forensic image. Once a block is stored in the image, subsequent reads are satisfied from the image, at rates many times faster than reading from the suspect device.
Accelerate existing high end forensic labs
High-speed networking & storage alone only achieves a fraction of the gains achievable with Evimetry Lab. Forensic labs that have already deployed such infrastructure can easily shift to Evimetry Lab, leveraging their existing investment in hardware and software.