The AccessData platform makes it possible to carry out detailed computer investigations of information security incidents that happened.
It includes strong capabilities for acquiring, processing, filtering and searching information from local storage locations, as well as from corporate network systems and endpoints that are accessible remotely.
Incident investigation and evidence acquisition solutions.
  • AccessData helps law acquired data, assess its evidentiary value, and use it for corporate purposes.
enforcement agencies
corporate security
IT specialists access
AccessData allows to implement the following processes:
acquisition of data and storage of digital evidence;
creation of cases and evidence processing;
creation of case reports with creation of full records and summarization of results;
The purpose of AccessData tools
is to create exact copies of digital data, forensic images, where the data is identical to the original,
to preserve the stability of data during acquisition process,
and to encrypt images using AD Encryption.
Choose the tool that helps you solve your forensic tasks to the fullest extent!
AD Enterprise
AD Enterprise
AD Enterprise makes it possible to carry out detailed computer investigations. It includes strong filtering and search capabilities, as well as accessing remote systems in your network.
Data acquisition

AD Enterprise makes it possible to carry out extensive acquisition of digital evidence, including the following:

  • - historical (non-alterable data);
  • - dynamic (received from the source while the solution is running);
  • - remote (received from the computers that are in the corporate network).
Possible options for acquisition of historical data:
Collection from equipment:
acquisition from hardware - cloning disks with read-only access to the hard disk;
Program fee:
acquisition by software - software based cloning - creating a disk image.
  • Acquisition of dynamic data is especially useful for criminal investigations when it is important to know about data compromise. One such example is that a suspicious disk is encrypted and you need to image it in place while the computer is working.

  • Dynamic data can be acquired from the network computers, including information in RAM and data from disks.
  • In addition, using Remote Disk Management System (RDMS), you can connect any drive, view its contents, and then create your own image of what is relevant.

To optimize the volume of data acquired in AD Enterprise, you can use the Known File Library (KFF) to classify specific information while acquiring and analyzing the evidence. KFF also allows you to automatically assign files the statuses such as “Alert” and “Ignore” for more convenient subsequent work.

While acquiring evidence, you can create indexes of the data and hash values ​​of all the files contained in the data for quick index searches. However, sometimes you need to use a basic search to find things that are not contained in the index.

Data analysis

Evidence analysis is the process of searching and identifying relevant data.

After you have completed data acquisition and created the case, you can add evidence for analysis. Evidence can include images of hard drives, floppy drives, CDs and DVDs, portable media such as USB drives.

Data can be:
and you can run searches for specific words such as names and email addresses or other real-time searches.
Graphic files recognition (OCR)

Optical Character Recognition (OCR) process allows you to extract text contained in graphic files. Subsequently, the text is indexed so that it can be searched and tagged. Start of file OCR creates a new file with analyzed text from the picture. A new OCR file has the same name as the parent graphic, [graphicname.ext], but with an OCR extension, for example, graphicname.ext.ocr.

Before start of OCR, make sure to keep in mind the following:
  • OCR is a useful exploration-only tool to find images from index searches. OCR results are not considered the evidence without further consideration;
  • OCR may give inaccurate results, considering the error rate of OCR drives;
  • Recognition of some large images may lead to that OCR will consume much time.
PRTK/DNA automatic decryption

You can decrypt many types of encrypted files using automatic decryption with the PRTK password recovery tool.

  • To decrypt files, you provide a list of passwords, when the decrypted files are processed, these passwords are used to decrypt the files, if the passwords match, the files are decrypted.

The following types of encrypted files cannot be automatically decrypted during processing: EFS, Lotus Notes (int), Lotus Notes / email, SMIME and Credant;
EFS, Lotus Notes (целое), Lotus Notes / email, SMIME и Credant;

It is also possible to find encrypted files with unknown passwords

The AccessData Password Recovery Toolkit (PRTK) license or Distributed Network Attack Tool (DNA) can recover passwords for encrypted files.

Malware analysis (Cerberus)

Cerberus allows to analyze the malware for executable binary files. You can use Cerberus to analyze the executable binary file that is located on disk, on a networked resource or in the system memory.

Cerberus includes the following analysis steps:

1. Threat analysis

It is a general analysis of files and metadata for quick breakdown of an executable binary file based on the common attributes it may have. It identifies potentially malicious code, generates and assigns a threat assessment to the executable binary file;

2. Static analysis

This is a disassembly-wise analysis that requires longer time to examine the code inside the file. It studies the capabilities of the binary code without running the actual executable file.

Cerberus launches the threat analysis first. Once the analysis is completed, it automatically starts static analysis of binary files whose threat score is higher than the specified threshold.

  • Cerberus analyzes the following file types: acm com dll exe lex ocx scr tlb ax cpl dll ~ iec mui pyd so tmp cnv dat drv ime new rll sys tsp WPC.


The system can be used for direct search or index search queries.

  • AccessData products use dtSearch, one of the leading index search tools, to quickly search gigabytes of the text.

Tags setting

As important data is unified from evidence into cases, tags of this data allow you to quickly find and reference evidence, add and attach related files to it, as well as files that are not processed in the current case. Tags can be included in the reports at any stage of investigation and analysis.

Work with images
Export of images

You can export images to the following types:

  • - AD1 (AD Custom Content);
  • - E01 (EnCase Compatible);
  • - S01 (Smart);
  • - 001 (RAW/DD).
Work with the images of evidence files

The disk image can be altered or damaged due to bad environment, bad communication during image creation or deliberate interference. This function works with the file types that store hash in the disk image itself, for example, EnCase (E01) and SMART (S01).

The hash of the current file is created and it allows to compare it with the hash of the original disk image to check the integrity of the evidence image. Installation of a disk image allows to create a read-only disk or physical unit based forensic image, which allows you to open the image as a disk and view the contents in Windows and other applications.

Supported types are RAW / dd images, E01, S01, AD1 and L01.

RAW / dd, E01 and S01 full disk images can be physically installed. The sections contained in a complete disk image, as well as customized AD1 and L01 content images can be installed logically.

Key features:
  • Acquisition of current or deleted data from multiple computers outside your network from the center, with secure research, centralization, work with remote computers. For example, laptops of employees, who travel and connect via VPN in a public network - hotels, airports.
  • Automatic classification, indexing and demonstration of data using the data processing wizard.
  • Acquire static or dynamic data using the Report Wizard, which makes it easy to share information and generate the required reports.
  • Analysis of all active processes with a robust incident response technology.
It allows to:
stop it during incident investigation;
recover the file using the graphic interface;
view and analyze key changeable data items, such as processes, drivers, ports, users, DLL libraries, etc., in the incident response console;
exercise support for huge datasets with a fully integrated database;
perform decryption, as well as use password hacking and recovery technology. [ЮЮ1]
Easy and efficient company-wide search. Target acquisition of reliable data for computer forensics, systematization, storage for litigation, processing, assessment of data and full legal due diligence - at reasonable costs and with less risk.
AD eDiscovery Solution and EDRM Model

The established eDiscovery process is determined by the EDRM reference model and is independent of which tools the organization is using. As part of EDRM, it is required to at least identify data, then acquire, process for analysis, verify within the organization and select the required data. This prepared dataset shall be imported into a legal checker used by an external legal counsel.

AD eDiscovery finds and acquires the relevant data by processing the broadest range of structured and unstructured sources across any platform available in the market.

Using easy-to-use templates that follow base workflows, AD eDiscovery acquires data without installation of agents in the following environments:

  • - Box™;
  • - CSC CloudMail® POP & IMAP;
  • - CMIS;
  • - Documentum®;
  • - DocuShare®;
  • - Domino™ Notes;
  • - Druva2 AD Client;
  • - Enterprise Vault™ 8.0;
  • - Exchange EWS 2010 SP1, 2013, O365 mail & calendar, SilverSky®;
  • - Exchange MAPI 2007, 2010, 2013;
  • - Gmail™ Administrative;
  • - OpenText™ ECM LiveLink™;
  • - SharePoint® 2007, 2010, 2013, Office 365®;
  • - WebCrawler® Web 1.0;
  • - OneDrive® for Business O365.
Advantages of AD EDISCOVERY

AD eDiscovery is a single, fully integrated platform allowing you to discover reliable data for computer forensics throughout the organization — search, collect data, store for litigation, process and assess, and perform their full legal due diligence.

  • AccessData Group is at the origin of the technologies for litigation and computer forensics and has been used in this field for over 25 years so far.

During this time, the company has created both individual products and corporate-class solutions, synergistic interaction of which helps detect e-data for investigation of civil and criminal offenses.

AccessData solutions support all stages of EDRM: from discovery to final validation and preparation for submission. With a single platform for all products and a common back-end database, eDiscovery solutions help litigation teams control the volume of data, mitigate the risk associated with data migration, and reduce detection costs. They are based on forensic technology - Forensic Toolkit (FTK).

Key features:
Processing structured and unstructured data;
Advanced interactive data visualization;
Emails acquisition - even updated / Exchange / O365 transferred emails directly into your AccessData environment as separate files ready for MD5 hashing;
Seamless data acquisition, thanks to support of newest Enterprise Vault® and OneDrive® environments;
Ability to assign secure web access based on roles;
Processing over 700 types of data (including PST / NSF) with full forensic registration;
Function of direct export via web API ensures smooth transfer of data from AD eDiscovery to Relativity® without using boot files.
AD Lab solution by AccessData will simplify separation of job duties while carrying out any investigation.
  • AD Lab is an investigative platform that ensures separation of job duties, centralized case management and web-based access. It is based on FTK technology.
  • You can manage all processes from a single database using different levels of user control.
  • If additional resources are needed to process large volumes of data, distributed information processing function implemented in AD Lab utilizes multi-hardware tools. This will provide the required capacity and allow to reduce case consideration time.
  • Computer forensics requires the involvement of many specialists. The “divide and conquer” principle allows all employees to access a common information database using the AD Lab web interface.

Key features:
Assignment of roles
The ability to provide each user with access only to data related to his area of investigation. This role distribution system ensures that the entire electronic evidence database is not accessible to all users. Separation of evidence creates a more efficient and secure workflow, thereby allowing engagement of non-technical users to work without any threat to the data;
A centralized architecture and a single database ensure consistency of information for all involved parties and allows to process cases as quickly as possible. Thanks to the web-based analysis system, non-technical users, such as legal, HR and legal advisers, may participate in the process without any delay, regardless of their location;
Handy solution designed for non-specialized user access;