EviTrack Assure - Detail
EviTrack’s Assure is an easy to use forensic data imaging application, currently available in two forms, which we call PenDrive and Solo. Further details on the differences between the two, and on some of the terminology used, are set out below.
Both are provided as a bootable Ubuntu 20.04 system with full disk encryption and can be booted on Windows, Linux and macOS hardware.
To get an idea of Assure’s functionality, why not take a few minutes to watch this no frills video.
Assure PenDrive is the basic application, provided on a USB key similar to the first two shown here. It is a self-contained application with its own fully functional operating system.
As with other digital forensic tools, for Assure to work it needs to be attached to a computer that normally runs a Windows, macOS* or Linux operating system.
With PenDrive, separate case data storage, such as a portable hard drive, is needed. This can be formatted as ext3, ext4, NTFS or BitLocker To Go.
An unencrypted downloadable version of PenDrive is now available.
Assure Solo is a self-contained version of the application, with full disk encryption. Solo has been tried and tested on all of the devices shown here.
As with PenDrive, Assure Solo needs to be attached to a computer that normally runs a Windows, macOS* or Linux operating system.
Assure’s flexibility means that the application can be provided on a wide variety of platforms, where the cost will vary according to the specification of the host drive. EviTrack’s basic Solo package comprises Assure Solo built on a USB 3.0, 4 TB portable external hard drive, a USB 3 to USB-C connector and a carry case.
If you would prefer an alternative host drive please email firstname.lastname@example.org with your request.
For more regular users we also offer a kit version, which provides the greatest flexibility. This includes a Solo package combined with a USB-C 8-in-1 hub/docking station that includes 3 x USB 3.0 ports, USB-C data ports, 100W PD and SD/TF slots.
Again, prices will vary if an alternative host drive is required. If you would prefer an alternative host device please email email@example.com with details of your request.
Terminology used with Assure
Set out below are explanations of the terminology used in relation to Assure.
Host or Target Computer
A host computer is a computer you have complete control over, used as a vehicle to acquire data from other devices. These could be portable devices, such as USB keys or portable drives, or electronic media that has been removed, temporarily, from its normal place of residence.
A target computer is one that houses the data you are looking to copy.
Forensic and intelligence copies
From experience we have found that on occasion the circumstances of a case make it impossible to seize a device, or to know when it is likely to be available, so acquisitions need to be undertaken at very short notice.
It may also not be necessary to go through the entire forensic process, because there is no prospect of any legal proceedings taking place.
For these reasons we have provided the option of creating forensic or intelligence copies.
Acquiring a forensic copy has four steps.
- Obtaining a hash or checksum of the source data
- Making a copy of the source data
- Getting a hash of the copy
- Comparing the two hashes
Acquiring an intelligence copy is quicker because it has just the one step.
- Obtaining a copy of the source data
Note: The speed at which a process completes depends on:
- The computer’s specification
- The size of the device being acquired
- The rate at which data can be transferred to the storage device
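The four-step forensic copy and the one-step intelligence copy above, as an added shell example that is not EviTrack’s or Assure’s own code, using the standard GNU tools dd and sha256sum that any Ubuntu-based boot medium carries. The device and image paths are placeholders; the functions work on an ordinary file as well as on a block device, which is how they can be tried without evidence media.

```shell
#!/bin/sh
# Added example, not EviTrack/Assure code. SOURCE may be a block device
# such as /dev/sdb (placeholder) or, for a dry run, an ordinary file.

# Shared by steps 1 and 3: SHA-256 of a source device or an image file.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Forensic copy, steps 1-4: hash the source, copy it, hash the copy,
# compare. Prints both hashes and returns 0 only when they match.
# The image hash is also stored next to the image so the fixity check can
# be repeated later (see verify_image).
forensic_copy() {
    src="$1"; img="$2"
    src_hash=$(hash_of "$src") || return 1
    # Plain dd: the image is byte-for-byte the source. If you add
    # conv=noerror,sync to survive bad sectors, use bs=512 (the sector
    # size): sync pads a short final block to bs, which would change the
    # image size and make the two hashes differ.
    dd if="$src" of="$img" bs=4M status=none || return 1
    img_hash=$(hash_of "$img") || return 1
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash"
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Re-check an image against the hash recorded at acquisition time.
# Returns 0 if the image is unchanged, non-zero otherwise.
verify_image() {
    (cd "$(dirname "$1")" && sha256sum -c --status "$(basename "$1").sha256")
}

# Intelligence copy: the single copy step, no fixity check at all.
intelligence_copy() {
    dd if="$1" of="$2" bs=4M status=none
}
```

Note that, taken literally, the four steps read the source twice (once to hash it, once to copy it); forensic imagers such as dcfldd or dc3dd hash the data as it streams through the copy so the source is read only once, which matters on large or failing media.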
Differences in acquisition file formats
EWF or Expert Witness Format.
This file format has become the de facto industry standard for acquiring digital data for forensic analysis.
EWF creates bitstream (forensic) images: a sector-by-sector copy of the source that replicates the structure and contents of the device. As with ‘DD’ below, the image covers the entire disk space, including any file fragments that reside in unallocated space as well as deleted files that have yet to be overwritten.
EWF images consist of one or more sections, each with its own header and section-level fixity data. The ability to split an image into smaller segment files, and to compress the data, historically made whole images easier to deal with. If you can remember 1.44 MB floppy disk drives, an EWF image could be spread over however many floppies it took to store the entire image! Where applicable, Assure Solo features a gamble option which utilises these features.
DD – Data Dump
As with other Linux distributions designed for digital forensics, EviTrack Assure is configured not to mount connected storage media.
The ‘DD’ (Data Dump) command is available on all Linux distributions and reads and writes raw block devices directly, so it can copy an unmounted device: it is not bound by a logical file system.
Like EWF, the DD command captures all file space, slack space and unallocated data areas.
Note: Windows by default automatically mounts connected storage devices, so to provide the same functionality on a Windows operating system you would need to deploy some form of write-blocking (hardware or software) to prevent Windows from writing to the mounted drive.
If a drive is mounted read-write, the likelihood is that file metadata (last-access timestamps, for example) will be modified, changing the state of the evidence, which is definitely not in accordance with ACPO guidelines. Even a read-only mount is not entirely safe on a journaled file system such as ext3/ext4, where the kernel may replay the journal on mount unless explicitly told not to (the noload mount option).
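A small pre-imaging guard for the point above, added here as an example and not part of Assure: it checks the kernel mount table before dd is allowed to touch a device and refuses if the device, or any partition on it, is mounted. The mount-table path is a parameter so the check can be exercised against a constructed file instead of the live /proc/mounts; the device names are placeholders.

```shell
#!/bin/sh
# Added example, not EviTrack/Assure code. Device names are placeholders.

# is_mounted DEVICE [MOUNTS_FILE]
# Returns 0 if DEVICE itself, or a partition on it (/dev/sdb -> /dev/sdb1,
# /dev/nvme0n1 -> /dev/nvme0n1p1), appears as a mounted source in
# MOUNTS_FILE (default: the kernel's /proc/mounts); returns 1 otherwise.
is_mounted() {
    dev="$1"; mounts="${2:-/proc/mounts}"
    awk -v dev="$dev" '
        # field 1 of each /proc/mounts line is the mounted source device
        $1 == dev || ($1 ~ ("^" dev "(p?[0-9]+)$")) { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$mounts"
}

# guarded_copy DEVICE IMAGE [MOUNTS_FILE]
# Image DEVICE with dd only when nothing on it is mounted. Exit status 2
# means the copy was refused, so a caller can tell it apart from a dd error.
guarded_copy() {
    if is_mounted "$1" "${3:-/proc/mounts}"; then
        echo "refusing: $1 (or a partition on it) is mounted; unmount it first" >&2
        return 2
    fi
    dd if="$1" of="$2" bs=4M status=none
}
```

On Linux the guard can be paired with a software write-block: blockdev --setro /dev/sdX marks the device read-only at the block layer and blockdev --getro /dev/sdX confirms it (prints 1). Neither replaces a hardware write-blocker where one is required.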