Evimetry Lab delivers answers hours earlier per device. Scale time-consuming indexing and processing across multiple workstations as soon as acquisition begins and proceed immediately to examination. All using your preferred forensic toolset.

A suspect disk is attached to an ingestion node (a computer running the Evimetry Deadboot Agent) and an acquisition is started using the Evimetry Controller. The acquisition task plans a prioritised acquisition that first acquires all of the allocated blocks, then all of the unallocated blocks from the device. Acquired blocks are compressed and hashed, then streamed via the 10 GbE network to the Lab Repository Agent, where they are stored in a forensic image.

The image is immediately available as a virtual raw file via the Evimetry Filesystem Bridge on any number of analysis workstations or servers in the network (you don’t need to wait for the acquisition to complete to access the image). For example, if you are imaging a 1TB drive, the image will be accessible via a 1TB raw file.

Simply open the .raw file using your forensic tool of choice and start analysis or processing. When the tool reads from the virtual .raw image, the read goes to the in-progress image in the Lab Repository. If the underlying blocks have already been acquired, they are returned from the image. If they haven’t been acquired yet, they are acquired from the suspect disk, stored in the image, and returned.
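The read path described above, modelled as an added sketch (not Evimetry code): a prioritised plan takes allocated blocks first, and a read of a block that has not been acquired yet pulls it from the source out of order. The 4096-byte block size, zlib, SHA-256 and all names here are assumptions made for illustration.

```python
import hashlib
import zlib

BLOCK = 4096  # assumed block size; the page does not state one

class InProgressImage:
    """Toy model of an image that is readable while acquisition is still running."""
    def __init__(self, source, allocated):
        self.source = source                      # stands in for the suspect disk
        self.nblocks = -(-len(source) // BLOCK)   # ceiling division
        # Prioritised plan: allocated blocks first, then unallocated blocks.
        self.plan = (sorted(b for b in allocated if b < self.nblocks)
                     + [b for b in range(self.nblocks) if b not in allocated])
        self.store = {}   # block index -> (compressed bytes, SHA-256 hex digest)
        self.log = []     # order in which blocks were actually acquired

    def _acquire(self, idx):
        if idx not in self.store:
            data = self.source[idx * BLOCK:(idx + 1) * BLOCK]
            self.store[idx] = (zlib.compress(data), hashlib.sha256(data).hexdigest())
            self.log.append(idx)

    def step(self):
        """Acquire the next planned block not yet stored; False once complete."""
        while self.plan:
            idx = self.plan.pop(0)
            if idx not in self.store:   # skip blocks already pulled in by a read
                self._acquire(idx)
                return True
        return False

    def read(self, offset, length):
        """Read from the virtual raw file; missing blocks are acquired on demand."""
        end = min(offset + length, len(self.source))
        if offset >= end:
            return b""
        out = bytearray()
        first = offset // BLOCK
        for idx in range(first, (end - 1) // BLOCK + 1):
            self._acquire(idx)
            comp, digest = self.store[idx]
            data = zlib.decompress(comp)
            if hashlib.sha256(data).hexdigest() != digest:
                raise IOError(f"block {idx} failed hash verification")
            out += data
        start = offset - first * BLOCK
        return bytes(out[start:start + (end - offset)])

# Constructed sample "disk": 8 blocks, the last one short.
SAMPLE_DISK = bytes((i * 7) % 251 for i in range(BLOCK * 8 - 100))
```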

All images in the Evidence Repository (including in-progress images) are accessible as virtual raw files via the Evimetry Filesystem Bridge. The analyst uses the Filesystem Bridge to mount the Evidence Repository to a drive such as W:.

Underneath the W: drive is a folder hierarchy of images in the repository.

