EviPrime Quick Help

Introduction
EviPrime® is an advanced forensic tool for evidence acquisition from computers running the Microsoft Windows operating system. EviPrime® scans a computer for all potential evidence and sorts the findings into categories for later investigation.

This forensic tool has been designed on the basis of behavior modeling of the Microsoft Windows operating systems (Microsoft Windows XP and Microsoft Windows Vista) and their applications. This methodology makes EviPrime® a unique tool for cyber forensic investigators: it reduces the time required for evidence acquisition and data duplication, and it classifies and duplicates all potential evidence from the target computer automatically.

The methodology and functionality of EviPrime® have been filed for patent in the United States of America, Great Britain and the United Arab Emirates; patents pending.

Getting Started

  1. Start EviPrime® by double-clicking the EviPrime® executable (EviPrime.exe), which is located on the flash disk you purchased (full version only). Loading is complete when the EviPrime® main window appears on the screen.

  2. Next, select the Source Drive and the Destination Drive.

     a. The Source Drive is the drive that contains the operating system of the target computer; EviPrime® detects it automatically.

     b. The Destination Drive is the drive or location where EviPrime® will store the duplicated evidence. It is strongly recommended to use an external hard disk or a flash disk for the secured evidence.

     c. The source drive is write-protected while EviPrime® is running.

  3. Next, you may select specific file extensions (e.g. .doc or .jpg) to duplicate in addition to the evidence that EviPrime® identifies on the target computer through its behavior modeling of the Microsoft Windows operating system. You may select one or more extensions according to the purpose of your investigation. Note that the more extensions you include, the longer it takes to generate the final result.

  4. Now select the operating system of the target computer by clicking one of the two radio buttons in the main window. EviPrime® needs to identify the operating system of the target computer before it starts, in order to work correctly and generate accurate results.

  5. Next, select a user account of the target computer. EviPrime® detects the user accounts automatically; if more than one user has accessed the target computer, you can select a different user from the drop-down menu. If the user name you need is not listed, you may type the user name or account name you wish to investigate into the same field. This feature is designed to help you secure possible evidence for Microsoft Active Directory domain users who have used the target computer at any time in the past.

     Remember, the selected user name is the account whose evidence you want to investigate and secure. As in the previous steps, EviPrime® must identify the user account on the examined computer in order to work correctly and generate more accurate results.

  6. Next, choose the type of scan you want EviPrime® to perform by selecting one of the two radio buttons in the main window. EviPrime® has two modes, Quick Scan and Deep Scan. As the names suggest, Quick Scan is faster than Deep Scan because fewer file extensions are examined. In Deep Scan mode EviPrime® also duplicates the My Documents, My Pictures, My Videos, My Music, Desktop and Links folders.

  7. Next, decide whether you want EviPrime® to generate a report of its findings. Select the Generate Report check box if you want a report of the scan for reference. Report generation is time-consuming, depending on the selected scan mode and the processing speed of the target computer. The report lists the names of the files and folders duplicated as evidence, together with their MD5 checksums and original paths. In addition, the report includes detailed information on the network configuration and connections of the target computer.

  8. Finally, click the Start button to begin scanning and retrieving the evidence.

     a. The status of the process is shown by a progress bar in the main window.

     b. Scanning and securing the evidence can take a long time, depending on the selected scan mode.

     c. During scanning, EviPrime® uses most of the system's resources, so it is not recommended to run other applications in parallel.

     d. The Start button changes to a Pause button during scanning; clicking it halts the scan. The operation remains halted until you click either Continue or Stop.

     e. There are two ways to leave the Pause state:

        i. Click Continue; the application leaves the Pause state and resumes from the point where it was paused. The report is generated if the Generate Report check box was selected.

        ii. Click Stop; the process stops completely. The report is still generated, if the Generate Report check box was selected, for the work completed before you clicked Pause.

     f. A message box informs you when processing is complete.
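The Generate Report option described above records an MD5 checksum and the original path for every duplicated file. Before relying on the copies on the destination drive, an examiner will normally want to re-verify those checksums independently, and to put a stronger hash on record as well, because MD5 collisions are practical today. The Python script below is an added illustration written for this Help page; it is not part of EviPrime or of the vendor's documentation. Since the Help does not specify the report layout, it assumes a simplified format of one "original_path|copied_path|md5" line per file, and the evidence files and report it checks are constructed inside the script.

```python
"""Re-verify MD5 checksums recorded for duplicated evidence files.

Added illustration: the report layout handled here (one
'original_path|copied_path|md5' line per file) is an assumed, simplified
format, not EviPrime's actual report format.
"""
import hashlib
import os
import tempfile


def file_digests(path, chunk=1 << 20):
    """Return (md5, sha256) hex digests of a file, streamed in chunks."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def parse_report(lines):
    """Parse assumed 'original|copy|md5' report lines; blank and '#' lines are skipped."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        original, copy, md5 = (part.strip() for part in line.split("|", 2))
        entries.append({"original": original, "copy": copy, "md5": md5.lower()})
    return entries


def verify_report(lines, destination_root):
    """Recompute each copy's MD5 under destination_root and compare it with the report.

    Returns a dict keyed by original path with status 'ok', 'mismatch' or 'missing',
    plus a SHA-256 for every copy that was present, so a stronger hash is on record.
    """
    results = {}
    for entry in parse_report(lines):
        copy_path = os.path.join(destination_root, entry["copy"])
        if not os.path.isfile(copy_path):
            results[entry["original"]] = {"status": "missing", "sha256": None}
            continue
        md5, sha256 = file_digests(copy_path)
        status = "ok" if md5 == entry["md5"] else "mismatch"
        results[entry["original"]] = {"status": status, "sha256": sha256}
    return results


def demo():
    """Build a constructed destination tree and report, tamper with one copy, verify."""
    root = tempfile.mkdtemp(prefix="eviprime_demo_")
    files = {  # constructed sample evidence, not real data
        "Documents/notes.doc": b"meeting notes\n",
        "Pictures/photo.jpg": b"\xff\xd8\xff\xe0fake jpeg bytes",
        "Desktop/todo.txt": b"call the bank\n",
    }
    report = ["# original_path|copied_path|md5  (constructed sample, assumed layout)"]
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        md5 = hashlib.md5(data).hexdigest()
        report.append(f"C:\\Users\\alice\\{rel.replace('/', chr(92))}|{rel}|{md5}")
    # An entry whose copy was never written, to exercise the 'missing' outcome.
    report.append("C:\\Users\\alice\\Music\\song.mp3|Music/song.mp3|" + "0" * 32)
    # Modify one duplicate after the report was produced, to exercise 'mismatch'.
    with open(os.path.join(root, "Desktop/todo.txt"), "ab") as fh:
        fh.write(b"edited later\n")
    return verify_report(report, root)


if __name__ == "__main__":
    for original, info in demo().items():
        print(f"{info['status']:9s} {original}  sha256={info['sha256']}")
```

The demo builds its own small destination tree and report, alters one copy and omits another, so a single run shows all three outcomes: ok, mismatch and missing. Against a real destination drive you would feed verify_report the actual report lines and the drive's root, after adapting parse_report to the report format EviPrime actually writes.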

 

Glossary

Main Window

The main EviPrime® window lets you start and stop the automated evidence-gathering process.

Source Drive

The Source Drive is the drive that contains the operating system of the target computer; EviPrime® detects it automatically.

Destination Drive

The Destination Drive is the drive used to store the secured evidence. An external hard disk or flash drive is recommended, to preserve evidence integrity.

User Name

EviPrime® detects the user accounts of the target computer automatically and lists them in the drop-down menu. The selected user name is the account whose evidence you want to investigate and secure.

Operating System

EviPrime® is designed to work with two operating systems, Microsoft Windows XP and Microsoft Windows Vista. The operating system of the target computer must be selected by the EviPrime® user before evidence scanning can begin.

Type of Scan

EviPrime® has two modes, Quick Scan and Deep Scan. In Deep Scan mode EviPrime® also secures the contents of the My Documents, My Pictures, My Videos, My Music, Desktop and Links folders as evidence.

Generate Report

EviPrime® generates a report listing the names of the files and folders secured as evidence, together with their MD5 checksums and original paths. In addition, the report includes detailed information on the network configuration and connections of the target computer.

Start Button

Clicking the Start button starts the EviPrime® scan of the target computer for possible evidence.

Pause Button

Clicking the Pause button halts the EviPrime® scan.

Stop Button

Clicking the Stop button terminates the EviPrime® scan.

Help Button

Clicking the Help button opens the EviPrime® help. Please visit the EviPrime® website for more information and white papers: http://www.secure1st.com

Exit Button

Clicking the Exit button stops any running EviPrime® process and shuts the program down. It can be used to exit EviPrime® before or after a scan.

Technical Support

Please contact our technical support if you cannot find the answer to your question in this Help file. For technical support, please visit: http://www.secure1st.com

Error Messages

“Corrupted Data File. Cannot proceed forward”:

The EviPrime® data files are corrupted, or the version of the data files does not match the version of EviPrime®.

“You do not have Authorized Version of the application”:

Either you tried to run an unlicensed copy of EviPrime®, or the EviPrime® executable has been tampered with by malicious activity.

“User [Your Input] never logged into the system”:

The user name or account you entered is not valid: no such user has ever logged into the target computer.

“Source and destination drive cannot be same”:

EviPrime® write-protects the source drive to shield it and maintain the integrity of the investigation, so the duplicated evidence must be written to a different drive.

 

Copyright © 2009 Secure 1st. http://www.secure1st.com Please read License.txt enclosed with your program for legal disclaimers and terms of use.