Digital Evidence Investigator

Digital Evidence Investigator (DEI) has been designed to meet both forensic lab and field triage requirements. DEI is used by both forensic examiners and investigators who have training to run and configure the tool (advanced mode only). DEI also offers advanced search configurations, and separate authentication and collection keys which allows users to scan multiple computers simultaneously. DEI does not offer stealth mode during live scans or the ability to switch to basic user mode.

Digital Evidence Investigator (DEI) software is an automated digital forensic tool for collecting files and artifacts - with evidence presented in a timeline view.

Automated / easy-to-use digital evidence collection & analysis
Rapid artifact & file collection
Out-of-the-box forensic scans
Highly configurable to build your case fast
Can be deployed with ADF Triage-Investigator software
Standalone report viewer (share with prosecutors!)
Upgrade to PRO to add iOS/Android capabilities with Mobile Device Investigator
ADD-ON: Rosoka Entity Extraction and Language Translation Gisting (230 languages) available
ADD-ON: Certified Online Training - self paced learning and Certification

DEI Key Features

Digital Evidence Investigator can also be licensed to a computer instead of a physical Authentication Key (dongle) as an option.

Collect

Prioritize speed in evidence collection and use in the field or in the lab investigations with minimal training.

Highly configurable file and artifact collection including web browser cached files, social media, P2P, Cryptocurrency, cloud storage, user login events, anti-forensic traces, saved credentials, files shared via Skype, USB history, user connection log, etc.
Recover deleted records from apps using the SQLite database
Supports collection of forensic artifacts from Windows and macOS (including High Sierra and Mojave)
Search and collect emails including MS Outlook, Windows Mail, Windows Live Mail 10, Apple Mail
Investigate attached devices, live powered on computers, boot scans from powered off computers, forensic images, the contents of folders and network shares (including shares made available by NAS devices)
Prepare a Collection Key without Search Profiles to select Captures just before a scan
Prepare a Collection Key with pre-configured or custom Search Profiles
Enter keywords just before a live/boot scan
Rapidly search suspect media using large hash sets (>100 million), including Project VIC (VICS 2.0) and CAID
Find relevant files and artifacts using DEI’s powerful keyword and regular expression search capability
Image drives Out-of-the-box with image verification and imaging log file
Use password and recovery key to decrypt and scan or image BitLocker volumes including those using the new AES-XTS encryption algorithm introduced in Windows 10
Process APFS partitions, NTFS, FAT, HFS+, EXT, ExFAT, and YAFFS2 file systems, compute MD5 and SHA1 on collected files for integrity validation
Capture RAM / acquire volatile memory
Collect password protected and corrupted files for later review
Collect iOS backups on target computers
Detect and warn of BitLocker and FileVault2 protected drives
Leverage DEI’s powerful boot capability (including UEFI secure boot and Macs) to access internal storage that cannot easily be removed from computers

Analyze

Use the single timeline view that combines files and artifact records with a user’s actions.

View results while a scan is running
View chat conversations with bubbles to easily identify the senders and receivers with “Message Thread” hyperlink to select individual conversations - New
Filter search results with sorting and search capabilities (dates, hash values, tags, text filters, more)
View pictures and videos organized by visual classes such as people, faces, currency, weapons, vehicles, indecent pictures of children
View links between files of interest and user’s activities such as recently access files, downloaded files, attachments, and more
Inspect video using DEI’s comprehensive video preview and frame extraction
Automatically tag hash and keyword matches
Define new file types and select individual ones to be processed
Display provenance, including comprehensive metadata, of all relevant files and artifacts
Reorder or disable post-scan tasks (classification of pictures, videos, or entity extraction) to run in the Viewer
ADD-ON: Rosoka Entity Extraction and Language Translation Gisting (230 languages) available

Report

Digital Evidence InvestigatorⓇ software lets you create a standalone portable viewer for further analysis and reporting for prosecutors and other investigators.

Powerful reporting capabilities (HTML, PDF, CSV)
Export in VICS format (to Grifffeye Analyze Platform or other JSON compatible tool)