
Inside Out

Simple Deadboot provisioning and acquisition with Evimetry

We have just shipped two releases of Evimetry: v3.0.7 (in our stable stream) & v3.1.5 (in our pre-release stream). Recent releases bring native Deadboot media creation, and introduce an improved Deadboot Imager UI.

Native Deadboot Media Creation.

We can now create Evimetry Deadboot USBs directly from the Controller, and for larger drives, use the additional space for evidence storage. With a single hard drive serving as both an Evimetry Deadboot and an Evidence Repository, scarce USB ports are freed up on target devices, the workflow is simplified, and the number of devices to manage is limited.

Creation of a Deadboot USB flash drive in the Controller.

Small USB flash drives are set up solely as a Deadboot, just like our former workflow.

Read more about this feature here.

Improved Deadboot Imager UI.

For a while now, the Deadboot agent has included a simple ASCII console-based Imager application. This is useful for acquiring single computers when it is either inconvenient or infeasible to use the Controller and a network.

While we love the retro feel and simplicity of an ASCII/curses interface, the world is no longer friendly to text-mode UIs: with high-DPI monitors and text-mode-free UEFI implementations, text mode no longer works everywhere. A graphical, window-based UI is now necessary.

Acquisition almost completed using Evimetry Imager

In the v3.1.3 pre-release we launched a graphical Imager application, and in today's pre-release (v3.1.5) the layout of the Imager UI has been refined.

Pulling it all together.

The following video demonstrates the workflow of preparing a Deadboot USB and the subsequent acquisition of a 500G NVMe drive in under 6 minutes.

More information.

Full release notes are available via the releases page. The software may be downloaded from the portal.