AD Enterprise makes it possible to carry out extensive acquisition of digital evidence, including the following:
Acquisition of dynamic (live) data is especially useful in criminal investigations when you need to establish whether data has been compromised. One example is a suspect disk that is encrypted: you need to image it in place while the computer is still running, before the volume is locked again.
To reduce the volume of data acquired in AD Enterprise, you can use the Known File Library (KFF) to classify specific information while acquiring and analyzing the evidence. KFF also lets you automatically assign files statuses such as “Alert” and “Ignore” so that subsequent work is more convenient.
While acquiring evidence, you can create indexes of the data and hash values of all the files it contains, which makes index searches fast. However, sometimes you need to use a basic (live) search to find things that are not contained in the index.
Evidence analysis is the process of searching and identifying relevant data.
After you have completed data acquisition and created the case, you can add evidence for analysis. Evidence can include images of hard drives, floppy drives, CDs and DVDs, and portable media such as USB drives.
The Optical Character Recognition (OCR) process lets you extract text contained in graphic files. The extracted text is then indexed so that it can be searched and tagged. Running OCR on a file creates a new file containing the text recognized from the picture. The new OCR file has the same name as the parent graphic, [graphicname.ext], with an .ocr extension appended, for example graphicname.ext.ocr.
You can decrypt many types of encrypted files using automatic decryption with the PRTK password recovery tool.
To decrypt files, you provide a list of passwords. When encrypted files are processed, each password in the list is tried against them, and any file whose password matches is decrypted.
The following types of encrypted files cannot be automatically decrypted during processing: EFS, Lotus Notes (int), Lotus Notes / email, SMIME and Credant.
It is also possible to find encrypted files whose passwords are unknown.
The AccessData Password Recovery Toolkit (PRTK) or the Distributed Network Attack (DNA) tool, if licensed, can recover passwords for such encrypted files.
Cerberus lets you analyze executable binary files for malware. You can use Cerberus to analyze an executable binary that is located on disk, on a network resource, or in system memory.
Cerberus includes the following analysis steps:
Threat analysis: a general analysis of files and metadata that gives a quick breakdown of an executable binary based on the common attributes it may have. It identifies potentially malicious code and generates and assigns a threat score to the executable binary.
Static analysis: a disassembly-level analysis that takes longer, because it examines the code inside the file. It studies the capabilities of the binary code without running the actual executable.
Cerberus runs the threat analysis first. Once that is complete, it automatically starts static analysis of the binaries whose threat score is higher than the specified threshold.
Cerberus analyzes the following file types: acm com dll exe lex ocx scr tlb ax cpl dll ~ iec mui pyd so tmp cnv dat drv ime new rll sys tsp WPC.
The system supports both live (direct) search queries and index search queries.
AccessData products use dtSearch, one of the leading index search engines, to quickly search gigabytes of text.
As important data from the evidence is consolidated into cases, tagging that data lets you quickly find and reference evidence, and attach related files to it, including files that are not processed in the current case. Tags can be included in reports at any stage of investigation and analysis.
You can export images to the following types:
A disk image can be altered or damaged by poor storage conditions, communication errors during image creation, or deliberate interference. The image verification function works with file types that store a hash inside the disk image itself, for example EnCase (E01) and SMART (S01).
A hash of the current file is computed and compared with the hash stored in the original disk image, which checks the integrity of the evidence image. Mounting a disk image creates a read-only disk or physical device from the forensic image, so that you can open the image as a drive and view its contents in Windows and other applications.
Supported image types are RAW / dd, E01, S01, AD1 and L01.
RAW / dd, E01 and S01 full disk images can be mounted physically. The partitions contained in a full disk image, as well as custom AD1 and L01 content images, can be mounted logically.
The established eDiscovery process is defined by the EDRM reference model and is independent of which tools the organization uses. Under EDRM, data must at a minimum be identified, then acquired, processed for analysis, reviewed within the organization, and the required data selected. The prepared dataset is then imported into a legal review tool used by external legal counsel.
AD eDiscovery finds and acquires the relevant data by processing the broadest range of structured and unstructured sources, across any platform available on the market.
Using easy-to-use templates that follow standard workflows, AD eDiscovery acquires data without installing agents in the following environments:
AD eDiscovery is a single, fully integrated platform that lets you discover reliable data for computer forensics throughout the organization — search for and collect data, preserve it for litigation, process and assess it, and carry out full legal due diligence.
AccessData Group is one of the originators of litigation and computer forensics technology and has been working in this field for over 25 years.
During this time, the company has created both individual products and enterprise-class solutions whose combined use helps discover electronic data for the investigation of civil and criminal offenses.
AccessData solutions support all stages of EDRM, from identification to final validation and preparation for production. With a single platform for all products and a common back-end database, the eDiscovery solutions help litigation teams control the volume of data, mitigate the risk associated with data migration, and reduce discovery costs. They are built on the company's forensic technology, Forensic Toolkit (FTK).
Computer forensics requires the involvement of many specialists. The “divide and conquer” principle lets all staff access a shared information database through the AD Lab web interface.