Enterprise 6.5.1 From AccessData
Posted Tuesday October 02, 2018 (12:21:05)
Reviewed by Jade James
AccessData are well known throughout the digital forensics world for products such as FTK, AD Triage and FTK Imager. Their forensic investigation software tools help law enforcement officials, corporate security, and IT professionals access and evaluate the evidentiary value of files, folders, and computers.
AD Enterprise 6.5.1 allows you to process large volumes of data quickly, remotely and covertly whilst maintaining the chain of custody. It is available as a virtual license or on a physical dongle and can be installed on Windows 7, Windows 10, Windows Server 2012 and Windows Server 2016.
Some of AD Enterprise’s most notable features include the following.
Live Memory Analysis
With AD Enterprise it is possible to analyse live memory, which is useful for locating malware, gaining insight into potential threats, and investigating unknown activity. It is also possible to preview live data at different endpoints, then filter and retrieve only the data which is of interest, which can save time and money.
AD Enterprise 6.5 allows investigative teams to work together across departments to share notes, access resources and escalate incidents.
AD Enterprise 6.5 provides visibility into all activity on endpoints, network shares and peripheral devices. It is also possible to remotely investigate up to 20 computers simultaneously. Furthermore AD Enterprise 6.5 permits the previewing and acquisition of data from multiple remote end points, including assets in geographically dispersed offices.
With this forensic software you are able to perform investigations without employees or colleagues suspecting they are under surveillance, thus preventing disruption of business operations. As it is a live response tool, you are able to work proactively or reactively to monitor content, scan the network for violations, investigate IP theft and track employee misconduct.
Ultimately, AD Enterprise can help with the restoration of partially deleted data, fragmented files, hidden processes and volatile data from a wide array of file types and data sources.
The new Enterprise Suite Installation Wizard lets you install all the required components, such as PostgreSQL, CodeMeter and Enterprise Processor/Examiner, through one installer. There is added support for SecureDoc WinMagic AES encryption: when processing data that is encrypted with WinMagic, you are prompted to enter the necessary credentials. The Compound File Expansion options list can now be filtered by category. Lastly, filter builder enhancements make it possible to search the attribute list using keywords.
Using AD Enterprise 6.5
I encountered difficulty setting up the software on my laptop, which required support from the technical team at AccessData to resolve. After the initial installation and setup of AD Enterprise 6.5, you are presented with several options (such as ‘create a new case’, ‘open existing cases’, ‘restore an image to disk’, and so on). Users of FTK will be familiar with the GUI presented. If you choose to set up a new case, it will be necessary to capture the case details for continuity.
There are 5 predefined one-click processing profiles which have been set up to carry out certain functions; these cannot be reconfigured, however it is possible to use them as templates and create a new custom profile.
You can then acquire static, live or remote evidence.
Adding evidence to a case is very simple: you are able to add pre-acquired images, the contents of a directory, and more.
When acquiring from a physical drive, you are warned that you are about to add ‘live’ evidence to your case and to ensure that the media is accessible. It is also advised that you create an image using FTK Imager and then add the image of the evidence later. You are given information as to when processes start, but it is not evident how long it will take to acquire a physical drive; however, a log with sufficient detail of the activity is provided at the end of processing. One limitation of the software is that you have to wait for AD Enterprise to fully finish acquiring and processing before you can access the data for analysis.
Editor's Note: This can be overcome with the latest update to the software that enables live data preview at the endpoint. This allows initial analysis without creating an image, so investigators can begin to analyze their target drives within a few minutes, without waiting for it to finish processing.
Additional analysis allows you to use functions such as file carving, indexing, and expanding compound files which have not already been carried out in the initial processing. You are able to queue additional analysis, live searches and other jobs.
The tabs offer several options to view indexed files. Files within these tabs can be viewed as hex, text, filtered or in their natural state, and it is also possible to view files in an external program. Further to this, you can highlight a file of interest and find out exactly where it is located on the disk, copy the hex and, if required, use another tool for further analysis.
Remote Data Acquisition (RDA) lets you acquire a forensic image from up to three live systems simultaneously. RDA requires you to have a current licence and adequate permissions, and the Enterprise agent must be installed on the target computer(s). The Enterprise agent can be pushed on to endpoints which are connected to the network.
Editor’s Note: AccessData have now also incorporated Volatility into their agent and Enterprise Examiner. Volatility is the go-to tool for memory forensics, and its inclusion allows AD Enterprise to perform memory analysis on remote live machines. As well as analysing live endpoints, AD Enterprise can also perform analysis on existing memory images. AD Enterprise can pull the memory images as well as the swap file and use Volatility to analyse these.
You are able to customise a report to import or export by selecting artefacts of interest (e.g. case information, bookmarks, graphics, videos, file paths etc.). Report formats include PDF, HTML, XML, RTF, WML, DOCX, ODT and Load file. The contents of the report have sufficient detail to satisfy the requirement of full disclosure for a lab working towards accreditation.
AD Enterprise is a resourceful tool. It has many functions which would be useful in a digital forensics lab; however, in my opinion it is not particularly suitable for an individual or small lab due to the expense of the tool. To really experience the benefits of AD Enterprise, it might be more suitable for a larger organisation which has more of a focus on e-discovery or corporate investigations.
Once you get past the initial setup, the tool is easy to use and navigate. The support team, who offer technical support in various forms, are very knowledgeable and come back to you efficiently, which means there is less downtime.
The documentation supporting the tool could be simplified, as a 500+ page user guide is not very user-friendly. This tool is primarily used to extract data from Windows, Linux and Apple systems and, from my usage, does not support the extraction of data from mobile devices. However, it does have the capability to recognise mobile device data such as iPhone backups.
In earlier versions it was necessary to install all the components for the tool individually, but this has been updated with an installer that does it all automatically, which is a good development.
Those who are familiar with AccessData software will recognise its simple sophistication. I would recommend it for larger digital forensics labs, especially those who are looking to gain accreditation.
About The Reviewer
Jade James BSc (Hons) is currently a Digital Forensic Investigator at the Serious Fraud Office. She has previous professional Digital Forensic experience from working at IntaForensics, Home Office Centre for Applied Science and Technology and the City of London Police. Jade has gained experience from conducting Computer, Mobile devices examinations, Drone Forensics and has been involved with ISO 17025 & Quality Standards both as a Digital Forensic Practitioner and Quality Manager.
AccessData provide digital forensics solutions to clients around the world. AD Enterprise provides deep visibility into live data directly at the endpoint, helping you conduct faster, more targeted enterprise-wide post-breach, HR and compliance investigations in a single, robust solution.
Article content received from: Forensic Focus,