LiveDetector

Features of LiveDetector
  • Collecting digital evidence:
      • A bootable system that collects digital evidence from machines running the Windows platform in read-only mode, without damaging the target evidence. It supports the NTFS and FAT filesystems (additional modules are needed for Unix-like filesystems).
      • Supports bit-stream disk-to-disk duplication and the creation of image files from a whole disk or a selected partition. An MD5 hash value is created automatically, and the resulting image file can be analyzed with EnCase.
      • Supports copying logical files, with automatic MD5 hash generation
      • Supports collecting the MBR sector (512 bytes)
      • Supports collecting web-surfing history:
          • Web cookies
          • Browser history
          • Browser cache
          • Registry keys related to web surfing
      • Supports collecting e-mail digital evidence from the following mailbox formats:
          • Outlook Express (DBX format)
          • Outlook (PST format)
      • Supports collecting and viewing Registry information on the Windows platform
      • Supports collecting and duplicating files accessed, modified, or created during a given period
      • Supports collecting digital evidence by file signature, including suspect files whose extension has been changed on purpose
      • Supports collecting important system information and logs:
          • System date and time
          • System version, updates and patches
          • Login accounts and login history (if the auditing function is enabled)
          • Security log and event log
          • IIS log
          • Current auditing policy
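The file-signature collection feature listed above relies on comparing a file's leading bytes (its "magic number") against the type its extension claims, so that a file renamed to hide its real type is still found. The following is an added illustration of that check written for this page; it is not LiveDetector's own code. The signature table is a constructed, deliberately small subset of well-known magic numbers, and the sample "files" are constructed headers held in memory rather than files read from a disk image.

```python
"""Flag files whose extension disagrees with their content signature.

Added example for this page, not LiveDetector's code. SIGNATURES is a
constructed subset of common magic numbers; SAMPLE is constructed input.
"""
from typing import Optional

# (magic bytes, offset within the file, extensions that legitimately carry it)
SIGNATURES = [
    (b"\xFF\xD8\xFF", 0, {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", 0, {"png"}),
    (b"GIF87a", 0, {"gif"}),
    (b"GIF89a", 0, {"gif"}),
    (b"%PDF-", 0, {"pdf"}),
    (b"PK\x03\x04", 0, {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"MZ", 0, {"exe", "dll", "sys"}),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", 0, {"doc", "xls", "ppt", "msg"}),
    (b"Rar!\x1a\x07", 0, {"rar"}),
    (b"\x1f\x8b", 0, {"gz", "tgz"}),
]


def identify(data: bytes) -> Optional[set]:
    """Return the extension set implied by the leading bytes, or None if unknown.

    A two-byte signature such as "MZ" can match ordinary text by chance, so a
    hit is a lead for the examiner, not proof on its own.
    """
    for magic, offset, exts in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return exts
    return None


def extension_of(name: str) -> str:
    """Lower-cased extension of a filename, or "" when it has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def mismatches(files: dict) -> list:
    """Return [(name, claimed_ext, expected_exts)] for every file whose
    extension is not one that its signature allows. Files with an unknown
    signature are skipped because there is nothing to compare against."""
    out = []
    for name, data in files.items():
        exts = identify(data)
        if exts is None:
            continue
        ext = extension_of(name)
        if ext not in exts:
            out.append((name, ext, sorted(exts)))
    return out


# Constructed sample "files": just the first bytes, no real content.
SAMPLE = {
    "holiday.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 16,          # genuine JPEG
    "report.pdf": b"%PDF-1.7\n%...",                             # genuine PDF
    "notes.txt": b"MZ\x90\x00\x03" + b"\x00" * 16,               # PE executable renamed to .txt
    "photo.png": b"PK\x03\x04\x14\x00" + b"\x00" * 16,           # ZIP archive renamed to .png
    "readme.txt": b"plain text, no known signature",             # unknown signature, skipped
}

if __name__ == "__main__":
    for name, claimed, expected in mismatches(SAMPLE):
        print(f"{name}: extension .{claimed} but signature says {expected}")
```

Running the block reports `notes.txt` and `photo.png` as mismatches; a real collection tool would walk the filesystem and hash each flagged file as it is copied, but the comparison itself is the whole of the technique.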

  • Preservation of digital evidence:
      • Generates an MD5 hash value when collecting digital evidence by copying logical files or by bit-stream duplication
      • Wipes every bit to 0 (zero-fill) to ensure the rigor of evidence collection
      • Uses an external DVD recorder to burn all evidence files and MD5 hash values onto read-only DVD discs to ensure non-repudiation and integrity
      • Supports a file split function for evidence that may be very large, and supports IDE/SCSI/USB/NAS/Fiber
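The preservation items above combine two ideas: the MD5 hash is computed over the whole evidence stream as it is collected, and the stream is split into segment files so it can be stored on media smaller than the disk. The following is an added example written for this page (not LiveDetector's code) showing how the two fit together: the digest is updated over the unsplit stream while bytes are written into fixed-size segments, and verification re-reads the segments in order and recomputes the same digest. The image bytes are constructed in memory, and the segment naming (`image.001`, `image.002`, ...) and sizes are assumptions.

```python
"""Split an evidence stream into fixed-size segments while hashing it,
then verify the segments reassemble to the recorded MD5.

Added example for this page, not LiveDetector's code. The image content,
segment size and file names below are constructed assumptions.
"""
import hashlib
import io
import os
import tempfile


def split_and_hash(stream, dest_dir, base="image",
                   segment_size=1024 * 1024, chunk=64 * 1024):
    """Write stream into dest_dir/base.001, base.002, ... and return
    (hex MD5 of the whole stream, list of segment paths in order).
    The digest is fed the unsplit stream, so it is independent of
    how the segments are cut."""
    digest = hashlib.md5()
    paths, seg_index, seg_fh, seg_written = [], 0, None, 0
    while True:
        buf = stream.read(chunk)
        if not buf:
            break
        digest.update(buf)
        pos = 0
        while pos < len(buf):
            if seg_fh is None or seg_written >= segment_size:
                if seg_fh:
                    seg_fh.close()
                seg_index += 1
                path = os.path.join(dest_dir, f"{base}.{seg_index:03d}")
                seg_fh = open(path, "wb")
                paths.append(path)
                seg_written = 0
            n = min(len(buf) - pos, segment_size - seg_written)
            seg_fh.write(buf[pos:pos + n])
            seg_written += n
            pos += n
    if seg_fh:
        seg_fh.close()
    # Record the hash beside the segments, as a tool would before burning to DVD.
    with open(os.path.join(dest_dir, f"{base}.md5"), "w") as fh:
        fh.write(f"{digest.hexdigest()}  {base}\n")
    return digest.hexdigest(), paths


def verify_segments(paths, chunk=64 * 1024):
    """Re-read the segments in order and return the MD5 of their concatenation."""
    digest = hashlib.md5()
    for path in paths:
        with open(path, "rb") as fh:
            for buf in iter(lambda: fh.read(chunk), b""):
                digest.update(buf)
    return digest.hexdigest()


def demo(segment_size=4096):
    """Split a constructed 10,000-byte image, verify it, then corrupt one
    byte of a segment and confirm the verification fails.
    Returns (verified_ok, segment_count, segment_sizes, tamper_detected)."""
    data = bytes((i * 7919) % 256 for i in range(10_000))  # constructed content
    with tempfile.TemporaryDirectory() as tmp:
        recorded, paths = split_and_hash(io.BytesIO(data), tmp,
                                         segment_size=segment_size)
        verified_ok = verify_segments(paths) == recorded
        sizes = [os.path.getsize(p) for p in paths]
        # Flip one byte in the second segment to simulate damage in transit.
        with open(paths[1], "r+b") as fh:
            fh.seek(10)
            original = fh.read(1)
            fh.seek(10)
            fh.write(bytes([original[0] ^ 0xFF]))
        tamper_detected = verify_segments(paths) != recorded
    return verified_ok, len(paths), sizes, tamper_detected


if __name__ == "__main__":
    print(demo())
```

With a 4096-byte segment size the 10,000-byte image becomes three segments (4096, 4096 and 1808 bytes); the recorded MD5 matches on a clean re-read and stops matching once any byte in any segment changes, which is exactly what the hash on the read-only disc is there to show.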

  • Search of digital evidence:
      • Supports NTFS and FAT filesystems
      • Search by keyword, file modified time, file name, file size and file signature
      • Keyword strings support Unicode and Boolean operators (AND/OR/NOT)
      • Supports multiple keywords at the same time, and shows the search results hierarchically by keyword
      • Supports the following locales:
          • Unicode (UTF-8)
          • Unicode (UTF-16)
          • Big5 (Traditional Chinese)
          • GB2312 (Simplified Chinese)
          • EUC-KR (Korean)
          • EUC-JP (Japanese)
          • ASCII
      • Supports case-insensitive comparison
      • Supports Office file content search, including the latest version, Office 2012
      • Supports PDF file content search
      • Supports HTML and text file content search
      • Supports compressed file content search, including the zip, rar, gz, bzip and tgz formats
      • Supports OpenOffice file content search (sxw, sxc, sxi)
      • Supports Rich Text Format (rtf) file content search
      • Supports Windows help file (chm) content search
      • Supports Monodoc file content search
      • Supports source code file content search (Boo, C, C++, C#, Fortran, Java, JavaScript, Lisp, Matlab, Pascal, Perl, PHP, Python, Ruby, Scilab and shell scripts)

  • Search of digital evidence in unallocated areas:
      • An image file created by bit-stream duplication captures data in unallocated or otherwise unused disk space, so the disk slack, file slack and unallocated areas of that image can be searched for digital evidence
      • Supports searching binary file content for ASCII data
      • Supports the following keyword locales:
          • Unicode (UTF-8)
          • Unicode (UTF-16)
          • Big5 (Traditional Chinese)
          • GB2312 (Simplified Chinese)
          • ASCII
      • Supports case-insensitive comparison

  • Viewing of digital evidence:
      • Supports viewing digital evidence at the scene or in the lab
      • Supports Office file (doc, ppt, xls, rtf, pdf) content view
      • Supports html, htm and xml content view
      • Supports Outlook / Outlook Express / Thunderbird content view
      • Supports plain text file content view
      • Supports decompressing compressed files
      • Supports image file (jpg, bmp, gif, png, tif) view
      • Supports audio and video file (avi, mov, wmv, mpeg1, mpeg2, mpeg3, mp3) content view
      • Supports web cookie content view
      • Supports viewing the binary content of the web-surfing history index
      • Supports hexadecimal (base-16) view

  • Viewing and recovering deleted files:
      • View and recover deleted files on NTFS and FAT filesystems
      • Recover data that has not yet been overwritten and still exists in the filesystem
      • Show the overwritten status of files
      • Recover data from a disk that has been formatted

  • more...