Evidor: The
Evidence Collector
No longer maintained since 2004,
superseded by X-Ways
Investigator.
|
Evidor 1.23
Copyright by
X-Ways AG
Idea by
Jerry Saperstein
White Paper (PDF) |
Software for lawyers,
law firms, corporate law and IT security departments, licensed investigators, and law
enforcement agencies.
What it does
Evidor allows to search text on hard disks and retrieves the context
of keyword occurrences on computer media, not only by examining all files (the
entire allocated space, even Windows swap/paging and hibernate files), but also currently unallocated
space and so-called slack space. That means it will even find data from
files that have been deleted, if physically still existing.
Evidor is a small subset of just the search functionality in
X-Ways Forensics. Please note that Evidor cannot access
remote networked hard disks. For a more powerful solution please use
X-Ways Investigator.
Electronic evidence aquisition and discovery
Evidor is a particularly easy and convenient
way for any investigator to find and gather digital evidence on computer media. Evidor
also comes most handy in civil (pre-)litigation if one party wants to examine (inspect)
the computers of the other party. Evidor can be used on site for electronic
discovery, will usually not disclose unrelated proprietary or confidential information and
does not impose an undue burden on the responding party in terms of personnel, time and
money. Evidor serves as an automated forensic examiner, saving you the cost of many hours
of hard manual expert work. Evidor produces reliable, replicable, neutral, and simple
results, just as needed before court.
IT security
Evidor is also an excellent tool for proving the
presence or absence of confidential data on computer media, either to detect a security
leak or confirm a lack thereof. With Evidor you often finds remnants (or even intact
copies) of classified data that should have been encrypted, securely erased, or should not
have existed on a media in the first place.
Additional Toolset
The following products are included in Evidor:
a powerful, yet very easy to use data recovery tool (Davory,
professional license), a tool that deciphers Internet Explorer's internal browsing log
file (X-Ways Trace), and a DOS-based hard disk
cloning tool (X-Ways Replica).
Important: For more up to date and
more powerful, yet still relatively easy to use search functionality
(and a lot of other functionality such as viewing, printing, and
commenting on documents, extracting metadata, report creation), we
now recommend X-Ways
Investigator. If you only need search functionality and is has
to be as simple as possible, then Evidor might still be better.
|
How to use and What it does
Evidor is a hard drive search tool. Simply select the
disk to examine and provide a list of keywords (such as people's names, e-mail
addresses, name of traded goods, etc.). Evidor will then retrieve the context of all
occurrences of the keywords on the disk. When viewing the output file, you will
likely find excerpts from documents that are closely related to the keywords, e.g.
purchase orders, e-mail messages, address books, time tables, etc.
Evidor can either produce HTML documents (recommended)
or plain text files. HTML documents can be easily imported and further processed in MS
Excel. In MS Excel you can sort the search term occurrences by search term and occurrence
location, you can cut irrelevant results, etc. Plain text files can be viewed in any text
editor, MS Word, etc. In plain text files, matches are separated in the output file by line breaks and a line
with six asterisks and the corresponding keyword.
Samples
This sample output HTML file
created by Evidor shows occurrences of the city names Los Angeles, San
Francisco, New York, London, and Paris on a
user's drive F:. These names occur in postal addresses, as company headquarters, as font
descriptions, etc.
This sample output plain text
file shows all occurrences of an Internet URL (here: http://www.microsoft.com) on a
user's hard drive. Evidor quotes the context from temporary Internet files (browser
cache), from Internet Explorer's hidden log file (which memorizes all visited web sites),
and from free space (apparently previously allocated to the browser's cache).
Screenshot
DOS-based disk cloning tool included
A simple DOS-based hard disk cloning tool is included
because it is generally highly advisable to work on a copy, not on the original
drive. Most Windows environments tend to access a newly attached drive without asking,
thereby e.g. altering the last access dates of some files. This is avoided under DOS. X-Ways Replica
Related software:
X-Ways Forensics
What's?
v1.2 |
- Evidor is now available in French.
- Report file starts with a full description of the media examined (drive
model number, serial number, etc.)
- Search terms within extracted context marked in blue in HTML output
|
v1.01 |
- Error fixed that caused Evidor to report wrong sector numbers in some
cases.
- Exact offset (address) of each occurrence is reported, in decimal
notation.
|
|