We all face the problem of growing amounts of evidence on a regular basis. Improving raw acquisition speed is one way to limit the impact of this, and Evimetry has consistently delivered the fastest acquisition speeds bar none since we launched two years ago. Yet we aren't the only solution claiming to be the "fastest" or to have "unparalleled" speeds. Evimetry is led by a practitioner and forensic scientist, and valuing substantiation is in its DNA.
How to analyse AFF4 linux memory images
In my last post I described Evimetry's support for remote memory acquisition. In this post I'll give a quick walkthrough of setting up Volatility for analysis of those images. I prefer to make a Python virtualenv specifically for working with Volatility. In this example, I'm using MacOS with brew for my Python (the Python shipped with MacOS is broken in regard to pip's TLS authentication), hence the -p argument.
mkdir volmem
cd volmem
virtualenv -p /usr/local/bin/python volmem
source volmem/bin/activate
Install all the dependencies with the following (the last two aren't strictly necessary, but prevent a load of complaints from Volatility).
How to acquire Linux memory images without a driver
For a long time now, operating systems such as Windows and MacOS have prevented user space applications from accessing the raw physical memory of the machine. Physical acquisition and virtualisation approaches aside, this has led the field to rely on kernel drivers to export physical RAM for acquisition. In the Linux realm, Joe Sylve's LiME is the go-to for many. It appears not to be widely known that on Linux x64, acquisition of physical memory is possible without a driver such as LiME.
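The teaser above does not say which kernel interface the full post uses. The following is an added example, not Evimetry's code or the post's own method, and it assumes one driver-free source: /proc/kcore, which the kernel exposes as an ELF64 core file whose PT_LOAD program headers describe kernel virtual memory, with RAM-backed segments (the direct map) carrying a physical address in p_paddr. Reading it needs root, and the assumption that p_paddr is populated holds only on kernels that set it for RAM segments; older kernels leave it zero or all-ones, in which case the physical address would have to be derived from the direct-map virtual address instead (not implemented here). The sample image, the segment layout and the "EVIMETRY" marker are constructed for this example so it runs offline.

```python
"""Enumerate RAM-backed segments of a /proc/kcore-style ELF64 core and copy
them into a padded raw physical memory image.

Added example; not code from the original post or from Evimetry.  The
constants follow the ELF64 layout; the kcore conventions (p_paddr set for
RAM segments, all-ones for everything else) are an assumption about the
running kernel."""
import io
import struct
from typing import BinaryIO, List, NamedTuple, Optional

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # ELF64 file header, little-endian, 64 bytes
PHDR_FMT = "<IIQQQQQQ"           # ELF64 program header, 56 bytes
PT_LOAD = 1
NO_PADDR = 0xFFFFFFFFFFFFFFFF    # (elf_addr_t)-1: segment has no physical backing


class Segment(NamedTuple):
    offset: int   # byte offset of the segment's data inside the kcore file
    vaddr: int    # kernel virtual address (direct map for RAM segments)
    paddr: int    # physical address reported in p_paddr
    size: int     # p_filesz in bytes


def parse_kcore_segments(kcore: BinaryIO) -> List[Segment]:
    """Return PT_LOAD segments that carry a physical address, sorted by paddr."""
    kcore.seek(0)
    ehdr = kcore.read(struct.calcsize(EHDR_FMT))
    (ident, _, _, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, _, _) = struct.unpack(EHDR_FMT, ehdr)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    kcore.seek(e_phoff)
    table = kcore.read(e_phnum * e_phentsize)
    segs = []
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, p_paddr, p_filesz, _, _ = \
            struct.unpack_from(PHDR_FMT, table, i * e_phentsize)
        if p_type == PT_LOAD and p_paddr != NO_PADDR:   # skip vmalloc/modules/text-only
            segs.append(Segment(p_offset, p_vaddr, p_paddr, p_filesz))
    return sorted(segs, key=lambda s: s.paddr)


def phys_to_offset(segs: List[Segment], paddr: int) -> Optional[int]:
    """Translate a physical address to a kcore file offset; None if not RAM-backed."""
    for s in segs:
        if s.paddr <= paddr < s.paddr + s.size:
            return s.offset + (paddr - s.paddr)
    return None


def read_physical(kcore: BinaryIO, segs: List[Segment], paddr: int, length: int) -> bytes:
    off = phys_to_offset(segs, paddr)
    if off is None:
        raise ValueError("physical address 0x%x is not RAM-backed in kcore" % paddr)
    kcore.seek(off)
    return kcore.read(length)


def acquire_raw(kcore: BinaryIO, segs: List[Segment], out: BinaryIO, chunk: int = 1 << 20) -> int:
    """Copy each RAM segment to `out` at its physical address (padded raw image).
    Holes between segments stay zero-filled.  Returns the number of bytes copied."""
    copied = 0
    for s in segs:
        kcore.seek(s.offset)
        out.seek(s.paddr)
        remaining = s.size
        while remaining:
            buf = kcore.read(min(chunk, remaining))
            if not buf:
                raise IOError("short read at kcore offset 0x%x" % (s.offset + s.size - remaining))
            out.write(buf)
            copied += len(buf)
            remaining -= len(buf)
    return copied


def acquire_to_bytes(kcore: BinaryIO, segs: List[Segment]) -> bytes:
    buf = io.BytesIO()
    acquire_raw(kcore, segs, buf)
    return buf.getvalue()


def build_sample_kcore() -> bytes:
    """Constructed stand-in for /proc/kcore so the code runs offline without root:
    one RAM segment (0x2000 bytes at physical 0x1000, file offset 0x1000) and one
    vmalloc segment with no physical backing.  All values are made up."""
    data_off, ram_size = 0x1000, 0x2000
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9                         # ELF64, LE, v1
    ehdr = struct.pack(EHDR_FMT, ident, 4, 62, 1, 0, 64, 0, 0,
                       64, 56, 2, 0, 0, 0)                              # ET_CORE, EM_X86_64
    ram = struct.pack(PHDR_FMT, PT_LOAD, 7, data_off, 0xFFFF888000001000,
                      0x1000, ram_size, ram_size, 0x1000)
    vmalloc = struct.pack(PHDR_FMT, PT_LOAD, 7, data_off + ram_size,
                          0xFFFFC90000000000, NO_PADDR, 0x1000, 0x1000, 0x1000)
    headers = ehdr + ram + vmalloc
    payload = bytearray(ram_size)
    payload[0x800:0x808] = b"EVIMETRY"                                  # marker at physical 0x1800
    return headers + b"\0" * (data_off - len(headers)) + bytes(payload) + b"\0" * 0x1000


def sample_kcore_stream() -> io.BytesIO:
    return io.BytesIO(build_sample_kcore())


if __name__ == "__main__":
    # On a real host (as root) substitute open("/proc/kcore", "rb") for the sample.
    kc = sample_kcore_stream()
    segs = parse_kcore_segments(kc)
    for s in segs:
        print("RAM 0x%016x-0x%016x (vaddr 0x%x, kcore offset 0x%x)"
              % (s.paddr, s.paddr + s.size, s.vaddr, s.offset))
    print("copied %d bytes" % len(acquire_to_bytes(kc, segs)))
    print(read_physical(kc, segs, 0x1800, 8))
```

Two practitioner caveats: reading through /proc/kcore goes through the kernel's page tables, so the acquiring process itself perturbs the memory it is capturing (as any live tool does), and the hole-padded image above is a raw dump, not the AFF4 container the post's tooling produces.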
Announcing Evimetry Lab: changing the game for in-lab forensics
When it comes to preserving evidence, DF labs generally fall into two camps: those that acquire in the field, and those that collect evidence in the field and only later do the acquisition in-lab. Over the last two years, Evimetry's product offerings have been aimed primarily at the former. Practitioners have benefited from the fastest in-field acquisitions, while at the same time being able to do meaningful analysis work while waiting for an acquisition to complete.
Simple Deadboot provisioning and acquisition with Evimetry
We have just shipped two releases of Evimetry: v3.0.7 (in our stable stream) & v3.1.5 (in our pre-release stream). Recent releases bring native Deadboot media creation, and introduce an improved Deadboot Imager UI. Native Deadboot Media Creation. We can now create Evimetry Deadboot USBs directly from the Controller, and for larger drives, use the additional space for evidence storage. With a single hard drive serving both as an Evimetry Deadboot and Evidence Repository, scarce USB ports are freed up on target devices, the workflow is simplified, and the number of devices to manage is reduced.
Native AFF4 read support for X-Ways & Forensic Explorer
In the last two weeks, two of our favourite disk forensic tools integrated native read support for the AFF4 forensic format. Forensic Explorer released v4 of their product, with native AFF4 read support, and X-Ways Forensics released v19.5, which has a plugin API supporting our AFF4 read plugin. This represents a big step forward towards general adoption of the next-generation image format. Background Evimetry's filesystem bridge provides a straightforward and efficient way of consuming AFF4 images from any commercial forensic tool, and results in faster analysis & processing than E01s.
AWS EC2 Cloud Storage Acquisition with Evimetry
You have been tasked with forensic acquisition of 6 servers in the AWS cloud, with a total of 2TB of storage. How do you do it? This post describes the method I applied in a recent case, where we collected the storage, acquired it into forensic images, and pulled the images down into our custody overnight. While I will be describing how I did it using Evimetry, the method is easily translatable to other tools.
Updated slides: Accelerating your forensic & incident response workflow
Late last year I had the pleasure of attending the F3 conference in Gloucestershire, UK. It is quite unlike any other digital forensics conference I have ever been to: a community-run, practitioner-focused, two-day conference situated in a stately manor in the English countryside. I can thoroughly recommend it. I had the opportunity to present an updated version of my presentation: "Accelerating your forensic & incident response workflow: the case for a new standard in forensic imaging".
Evimetry v3 Released: Remote volatile memory support
We recently released Evimetry 3, the newest release of our revolutionary approach to forensic acquisition and analysis. What's new? The big news is that we now support remote volatile memory acquisition. This means that in addition to being able to acquire remote disks, you can now acquire the volatile memory of live Windows, MacOS, and Linux hosts. We primarily support Windows XP and above (x86 and x64) and OSX Mountain Lion and above (x64).
Introducing Evimetry Community Edition
Evimetry Community Edition provides a subset of the Evimetry system for free. The purpose of this is to grow the AFF4 ecosystem, firstly by providing a pain free path for Evimetry licensees to provide AFF4 images to non-licensees. Secondly, we wanted to provide practitioners, researchers and educators a freely available implementation of the AFF4 standard v1.0 which can be used to gain familiarity with the format. Schatz Forensic, the creators of Evimetry, drove the standardisation effort behind the AFF4 Standard v1.
Live Partial Acquisition with Evimetry Wirespeed and EnCase
The Evimetry Wirespeed system enables remote live analysis using your existing forensic toolkit. In doing so, a partial physical image is created. Analysis activity drives the partial acquisition process, which in turn results in an increasingly complete physical disk image. Acquisition may be incrementally widened to categories of evidence, such as Windows Registries, Log Files, Office documents, Allocated, and all of disk. An important aspect in balancing live analysis with bulk acquisition is interactive latency (liveness).
Introducing Evimetry: digital forensics at wire speed
Digital forensics is full of waiting. Waiting for acquisitions to complete. Waiting for images to process. Waiting for flights and waiting in data centres. We set out to remove this wait. In November 2014, Schatz Forensic quietly opened a beta program for a new forensic tool aimed at speeding forensic workflow. The innovative system accelerates acquisition and processing of evidence and closes the gap between acquisition and analysis. A long beta program has allowed us to listen to our testers, and target the pain points in their forensic process.