Law Enforcement – Overview
WindowsSCOPE Cyber Forensics allows law enforcement to conduct thorough live memory forensics that not only provides insight as to what was actually running on the machine, extracts and identifies key data artifacts, but also the necessary information to determine if the machine was infected with malicious software. First, WindowsSCOPE is equipped with advanced search capabilities to extract critical data from raw memory. This can include visited URLs, credit card numbers, names, social security numbers, logins, etc. Second, provided information is critical in context of proving that the information recovered from the system under investigation was or was not a result of the machine being infected with a malware. Further, WindowsSCOPE has all capabilities integrated into one easy-to-use graphical interface with several industry-unique features that do not exist elsewhere. Given the size of volatile data (> 4GB) resident in today’s computers, it is not only unacceptable to ignore what this memory contains but it can also have defense and liability implications.
WindowsSCOPE has unique software and hardware-assisted acquisition methods that are not only low footprint but industry-unique in the sense that they guarantee that the information is not compromised by the operating system itself and that evidence is not affected. As known, attackers will try to hide their attacks with rootkits, timestamp manipulation, and other malware avoiding detection by end-point security systems. WindowsSCOPE can follow these tracks. WindowsSCOPE provides and supports standard memory imaging file and acquisition formats.
As opposed to tools that only provide acquistion methods and have limited analysis capabilities, WindowsSCOPE has a user-friendly interface in addition to several methods of capture. It has a most powerful engine to decompile content to shed light on processes and information in memory including kernel structures, communications, registry, DLLs, etc, but also all other software, activity and associated data. Associated CaptureGUARD accessories enable forensics in locked computers.