Evimetry Overview

Evimetry is built for integrity, reliability, security and speed. Instead of acquisition to evidence containers such as EWF, Evimetry uses the AFF4 forensic container to manage evidence storage.

AFF4 evidence containers provide similar forensic soundness properties as conventional images, with a focus on abstractions such as virtualised storage, sparse regions, lightweight compression, and block hashing. These abstractions allow flexibility around how much and in which order suspect data is acquired and where it is stored. Importantly, they also enable higher utilization of available CPU, network, and IO resources. This means faster acquisitions, faster evidence processing, and the ability to access evidence while it is being acquired.

Evimetry supports forensics on almost any computing conventional Intel/AMD computer, including PC & Mac, and virtualization environments such as Amazon EC2 & VMWare.

Let’s walk through each of the building blocks of Evimetry — the AFF4 forensic container, the Controller, the Dead Boot & Live Agents, the Filesystem Bridge, and the Evimetry protocol.

Store evidence using AFF4


scale imaging across multiple devices

The main building block of the Evimetry System is the scientifically peer reviewed AFF4 evidence container format. Like conventional forensic containers such as EWF, AFF4 containers enable storing regular linear bitstream images and corresponding metadata and integrity hashes. AFF4 images significantly outperform conventional forensic images when creating, verifying and accessing evidence, even when interoperating with conventional forensic tools.

Beyond conventional images, AFF4 enables non-linear, partial images and striping of images over multiple evidence storage devices. These approaches enable new approaches to forensically reproducible partial imaging of devices, live analysis and e-discovery collection. Image striping can double and triple the rate of acquisition by employing the aggregate output bandwidth of multiple output storage devices.

Interoperability with your current forensic toolset is simple and painless, with a range of methods for accessing AFF4 images, suiting a wide range of workflows.

Access preserved evidence using the filesystem bridge

scale imaging across multiple devices

The evimetry filesystem bridge provides transparent access to forensic images via a virtual filesystem. AFF4 containers appear as virtual folders in the drive, with a virtual raw image appearing as a child file. You can then access the regular raw image using your regular forensic toolset just as you would a regular raw image.

In general this approach outperforms the usage of EWF and regular Raw images.

Evimetry additionally provides the ability to convert to and from EWF and Raw images, along with an iSCSI based virtual disk emulator, providing flexibility in evidence management and access.

More Information

Read more about the Filesystem Bridge

Access live suspect devices with Light Agent

scale imaging across multiple devices

The Evimetry light (lighweight) agent provides network based write blocked access to suspect storage, streaming evidence to evidence containers across the network. The wirespeed agent is small, easily downloadable, and simple to run on a live system.

The light agent currently runs on Windows XP and above (x86 & x64), OSX 10.7 and above (x64) and Linux (x86 & x64).

More Information

Read more about the Light Agent

Access dead suspect devices with the Dead Boot Agent

scale imaging across multiple devices

The Evimetry dead boot agent provides read-only access to suspect storage, and carefully controlled access to directly attached storage for storing AFF4 images. The dead boot agent runs directly on suspect computing devices using live forensic CD techniques. Currently supports Intel hardware (virtual and physical), including Mac, PC, and Cloud VM's.

More Information

Read more about the Dead Boot Agent

Manage acquisition and analysis across multiple devices with the Controller

scale imaging across multiple devices

The Evimetry Controller GUI centrally controls acquisition and analysis activities across multiple network attached agents, and provides access to evidence both via a local virtual device (iSCSI), or by exporting to industry standard image formats. Supports dynamically shifting between the following acquisition modes:

  • Linear: Traditional image starting from LBA 0 ending at the largest LBA.
  • Allocated: Acquire all allocated storage.
  • Metadata: Volume and filesystem metadata only.
  • Incident response: Registries, logs, and swap/pagefile; executable files.
  • Documents: documents by category.
  • Trace based: acquire only blocks accessed via virtual block device.

Access remote evidence using the Evimetry protocol

scale imaging across multiple devices

The Evimetry protocol provides cryptographically secure, compressed, high speed transport of evidence, using industry standard cryptographic TLS 1.2 communications over TCP/IP, configured by default to Suite B (US NSA, Australian ASD) ciphersuite specifications. Authentication is user configurable using standard OpenSSL certificates.