
AccessData helps you lawfully acquire data, assess its evidentiary value, and use it for corporate purposes.
AD Enterprise makes it possible to carry out detailed computer investigations. It includes strong filtering and search capabilities, as well as access to remote systems in your network.
AD Enterprise makes it possible to carry out extensive acquisition of digital evidence, including the following:
- historical (non-alterable data);
- dynamic (received from the source while the solution is running);
- remote (received from the computers that are in the corporate network).
Possible options for acquisition of historical data:
Acquisition of dynamic data is especially useful for criminal investigations when it is important to know whether data has been compromised. One example is a suspect disk that is encrypted and therefore has to be imaged in place while the computer is running.
- Dynamic data can be acquired from the network computers, including information in RAM and data from disks.
- In addition, using Remote Disk Management System (RDMS), you can connect any drive, view its contents, and then create your own image of what is relevant.
To reduce the volume of data acquired in AD Enterprise, you can use the Known File Library (KFF) to classify specific information while acquiring and analyzing the evidence. KFF also allows you to automatically assign files statuses such as “Alert” and “Ignore” for more convenient subsequent work.
While acquiring evidence, you can create indexes of the data and hash values of all the files contained in the data for quick index searches. However, sometimes you need to use a basic search to find things that are not contained in the index.
Evidence analysis is the process of searching and identifying relevant data.
After you have completed data acquisition and created the case, you can add evidence for analysis. Evidence can include images of hard drives, floppy drives, CDs and DVDs, portable media such as USB drives.
Data can be:
Optical character recognition (OCR) of graphic files
The Optical Character Recognition (OCR) process extracts the text contained in graphic files. The text is then indexed so that it can be searched and tagged. Running OCR on a file creates a new file containing the text recognized in the picture. The new OCR file has the same name as the parent graphic, [graphicname.ext], with an OCR extension appended, for example graphicname.ext.ocr.
- OCR is an exploratory tool for finding images through index searches; OCR output is not considered evidence without further review;
- OCR may give inaccurate results, given the error rate of OCR engines;
- OCR of some large images can take a long time.

PRTK/DNA automatic decryption
You can decrypt many types of encrypted files using automatic decryption with the PRTK password recovery tool.
To decrypt files, you provide a list of passwords; when encrypted files are processed, these passwords are tried against them, and any file whose password matches is decrypted.
The following types of encrypted files cannot be automatically decrypted during processing: EFS, Lotus Notes (int), Lotus Notes / email, SMIME and Credant.
It is also possible to identify encrypted files whose passwords are unknown.
A license for AccessData Password Recovery Toolkit (PRTK) or Distributed Network Attack Tool (DNA) allows passwords for encrypted files to be recovered.
Cerberus performs malware analysis of executable binary files. You can use Cerberus to analyze an executable binary that is located on disk, on a network resource or in system memory.
Cerberus includes the following analysis steps:
- Threat analysis: a general analysis of files and metadata that gives a quick breakdown of an executable binary based on the common attributes it may have. It identifies potentially malicious code and generates and assigns a threat score to the executable binary;
- Static analysis: a disassembly-level analysis that takes longer, examining the code inside the file. It studies the capabilities of the binary code without running the actual executable.
Cerberus launches the threat analysis first. Once it is completed, Cerberus automatically starts static analysis of the binaries whose threat score is higher than the specified threshold.
Cerberus analyzes the following file types: acm, com, dll, exe, lex, ocx, scr, tlb, ax, cpl, dll ~, iec, mui, pyd, so, tmp, cnv, dat, drv, ime, new, rll, sys, tsp, wpc.
Search
The system supports both direct search and index search queries.
AccessData products use dtSearch, one of the leading index search tools, to quickly search gigabytes of the text.
Tagging
As important data is consolidated from evidence into cases, tagging that data lets you quickly find and reference evidence and add and attach related files to it, including files that are not processed in the current case. Tags can be included in reports at any stage of investigation and analysis.
Export of images
You can export images to the following types:
- AD1 (AD Custom Content);
- E01 (EnCase Compatible);
- S01 (Smart);
- 001 (RAW/DD).

Working with evidence image files
A disk image can be altered or damaged by a bad environment, a faulty connection during image creation or deliberate interference. Image verification works with the file types that store a hash inside the disk image itself, for example EnCase (E01) and SMART (S01).
A hash of the current file is computed and compared with the hash of the original disk image to check the integrity of the evidence image. Mounting a disk image creates a read-only disk or physical device based on the forensic image, which lets you open the image as a drive and view its contents in Windows and other applications.
Supported types are RAW / dd images, E01, S01, AD1 and L01.
RAW / dd, E01 and S01 full disk images can be mounted physically. The partitions contained in a full disk image, as well as AD1 and L01 custom content images, can be mounted logically.
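The integrity check described above, as an added example that is not part of the original page or of AccessData's products: a raw/dd image copy is hashed in one pass, the whole-image hash is compared with the value recorded at acquisition, and per-segment hashes (an assumed 64 KiB segment size) narrow down where an altered or truncated copy differs. The reference hashes here are computed from a constructed stand-in image; in practice they would come from the acquisition log or the hash stored inside an E01/S01 file.

```python
import hashlib
import io

SEGMENT = 64 * 1024  # 64 KiB segments (assumed size; examiners pick their own)

def hash_stream(stream, algo="sha256", segment=SEGMENT):
    """One pass over an image: returns (whole-image hash, list of per-segment hashes)."""
    whole = hashlib.new(algo)
    segments = []
    while True:
        block = stream.read(segment)
        if not block:
            break
        whole.update(block)
        segments.append(hashlib.new(algo, block).hexdigest())
    return whole.hexdigest(), segments

def verify_image(stream, expected_hash, expected_segments=None, algo="sha256"):
    """Compare a copy of an image with the hashes recorded at acquisition time.

    Returns (intact, bad_segments): intact is True only when the whole-image hash
    matches; bad_segments lists the indexes of segments that differ or are missing,
    which localizes where the copy was altered or cut short.
    """
    actual_hash, actual_segments = hash_stream(stream, algo, SEGMENT)
    intact = actual_hash.lower() == expected_hash.lower()
    bad = []
    if expected_segments is not None:
        longest = max(len(actual_segments), len(expected_segments))
        for i in range(longest):
            have = actual_segments[i] if i < len(actual_segments) else None
            want = expected_segments[i] if i < len(expected_segments) else None
            if have != want:
                bad.append(i)
    return intact, bad

# Constructed stand-in for a 256 KiB raw/dd image (4 segments); not data from any real disk.
ORIGINAL_IMAGE = bytes(range(256)) * 1024

def demo():
    ref_hash, ref_segments = hash_stream(io.BytesIO(ORIGINAL_IMAGE))  # recorded at acquisition
    clean = verify_image(io.BytesIO(ORIGINAL_IMAGE), ref_hash, ref_segments)
    altered = bytearray(ORIGINAL_IMAGE)
    altered[150000] ^= 0xFF  # one flipped byte at offset 150000, which lies in segment 2
    tampered = verify_image(io.BytesIO(bytes(altered)), ref_hash, ref_segments)
    # A copy cut short by 10 bytes, as after an interrupted transfer: last segment differs
    truncated = verify_image(io.BytesIO(ORIGINAL_IMAGE[:-10]), ref_hash, ref_segments)
    return clean, tampered, truncated

if __name__ == "__main__":
    print(demo())  # ((True, []), (False, [2]), (False, [3]))
```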
It allows you to:
- Acquire live or deleted data from multiple computers outside your network from a central location, with secure investigation, centralization and work with remote computers, for example the laptops of travelling employees who connect via VPN from public networks such as hotels and airports.
- Automatically classify, index and present data using the data processing wizard.
- Acquire static or dynamic data and use the Report Wizard, which makes it easy to share information and generate the required reports.
- Analyze all active processes with robust incident response technology.
AD EDISCOVERY
Easy and efficient company-wide search: targeted acquisition of forensically reliable data, systematization, preservation for litigation, processing, assessment of data and full legal due diligence, at reasonable cost and with less risk.
The established eDiscovery process is defined by the EDRM reference model and is independent of the tools the organization uses. Under EDRM, at a minimum the data must be identified, then collected, processed for analysis, reviewed within the organization and the required data selected. This prepared data set is then imported into the review tool used by external legal counsel.
AD eDiscovery finds and acquires the relevant data by processing the broadest range of structured and unstructured sources across any platform available in the market.
Using templates that follow standard workflows, AD eDiscovery acquires data without installing agents from the following environments:
- Box™;
- CSC CloudMail® POP & IMAP;
- CMIS;
- Documentum®;
- DocuShare®;
- Domino™ Notes;
- Druva2 AD Client;
- Enterprise Vault™ 8.0;
- Exchange EWS 2010 SP1, 2013, O365 mail & calendar, SilverSky®;
- Exchange MAPI 2007, 2010, 2013;
- Gmail™ Administrative;
- OpenText™ ECM LiveLink™;
- SharePoint® 2007, 2010, 2013, Office 365®;
- WebCrawler® Web 1.0;
- OneDrive® for Business O365.
AD eDiscovery is a single, fully integrated platform that lets you discover forensically reliable data throughout the organization: search, collect data, preserve it for litigation, process and assess it, and perform full legal due diligence.
AccessData Group pioneered technologies for litigation and computer forensics and has worked in this field for over 25 years.
During this time, the company has created both individual products and enterprise-class solutions whose combined use helps locate electronic data for the investigation of civil and criminal matters.
AccessData solutions support all stages of EDRM, from discovery to final validation and preparation for submission. With a single platform for all products and a common back-end database, the eDiscovery solutions help litigation teams control the volume of data, mitigate the risk associated with data migration, and reduce discovery costs. They are based on the Forensic Toolkit (FTK) forensic technology.

AD LAB
The AD Lab solution from AccessData simplifies the separation of duties in any investigation.
- AD Lab is an investigative platform that provides separation of duties, centralized case management and web-based access. It is based on FTK technology.
- You can manage all processes from a single database using different levels of user control.
- If additional resources are needed to process large volumes of data, the distributed processing function in AD Lab uses multiple hardware nodes. This provides the required capacity and reduces the time needed to work a case.
Computer forensics requires the involvement of many specialists. The “divide and conquer” principle lets all staff access a common information database through the AD Lab web interface.