Live forensics is an emerging field and, although there are many good reasons to use it, it still has caveats. At least two other products in this Group Test perform live forensics; both place agents on the target machines to minimize the investigator's interaction with the computer itself. LiveWire performs an extensive suite of forensic tests on remote running systems but does not install an agent on the target. There are arguments on both sides.
On the agent side, the pro is that the investigator communicates with the agent rather than logging into the target directly, so the investigator's footprint on the machine is confined to the agent's own known and constant presence.
The con is that only machines that already have agents can be analyzed. If a computer without an agent must be examined, the agent has to be installed first, which is itself a modification of a live system that may later become evidence.
LiveWire sidesteps this by not using agents at all. It simply logs into the target and analyzes it, keeping meticulous logs of each action it takes so that its own footprint can be separated from the suspect's activity when the target's logs are reviewed or the machine is later imaged for forensic comparison.
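The logging discipline described above is the part of agentless collection that makes the approach defensible: every command the examiner runs on the target is itself an event in the target's logs, and it must be possible to show which events are the examiner's and which are not. The following Python is an added illustration of that idea, not LiveWire's code; the case identifiers, account names, commands, output bytes and target log lines are constructed for the example. It keeps a hash-chained record of each collection action with its start and finish time, then labels each event in the target's log as the examiner's footprint or as unexplained activity.

```python
# Added example (not LiveWire's code): investigator-side activity log for
# agentless live collection, plus reconciliation against the target's own log.
# All hosts, accounts, commands, outputs and log lines below are constructed.
import hashlib
import json
from datetime import datetime, timedelta, timezone


class InvestigatorLog:
    """Hash-chained record of every action taken on a target during collection."""

    def __init__(self, case_id, examiner, account):
        self.case_id = case_id
        self.examiner = examiner
        self.account = account  # credential the examiner uses to log into targets
        self.entries = []

    def record(self, host, action, output, started, finished):
        """Record one action; the output is hashed, not stored, so the log stays small."""
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "case_id": self.case_id, "examiner": self.examiner, "account": self.account,
            "host": host, "action": action,
            "started": started.isoformat(), "finished": finished.isoformat(),
            "output_sha256": hashlib.sha256(output).hexdigest(),
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._hash(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _hash(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify_chain(self):
        """True if no entry was altered, removed or reordered after the fact."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev_hash"] != prev or self._hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def parse_target_log(lines):
    """Parse constructed '<ISO timestamp> <host> <account> <action>' lines."""
    events = []
    for line in lines:
        ts, host, account, action = line.split(" ", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "account": account, "action": action})
    return events


def attribute(events, log, slack=timedelta(seconds=2)):
    """Label a target event 'examiner' only if it is under the examiner's account
    AND falls inside a recorded collection window on that host; else 'unexplained'.
    The slack absorbs small clock skew between investigator and target."""
    windows = [(e["host"],
                datetime.fromisoformat(e["started"]) - slack,
                datetime.fromisoformat(e["finished"]) + slack) for e in log.entries]
    labelled = []
    for ev in events:
        mine = ev["account"] == log.account and any(
            h == ev["host"] and lo <= ev["ts"] <= hi for h, lo, hi in windows)
        labelled.append((ev["ts"].isoformat(), ev["action"],
                         "examiner" if mine else "unexplained"))
    return labelled


def run_demo():
    """Constructed collection session against host 'fs-01' and its constructed log."""
    t0 = datetime(2024, 5, 3, 9, 0, 0, tzinfo=timezone.utc)
    log = InvestigatorLog("CASE-0042", "jdoe", "ir_collector")
    # Output bytes stand in for what the remote commands returned.
    collected = [
        ("fs-01", "netstat -an", b"tcp 10.0.0.5:445 10.0.0.9:51022 ESTABLISHED\n", 0, 3),
        ("fs-01", "tasklist /v", b"svchost.exe 1204\nupdater.exe 3391\n", 4, 9),
    ]
    for host, cmd, out, start, end in collected:
        log.record(host, cmd, out, t0 + timedelta(seconds=start), t0 + timedelta(seconds=end))
    target_lines = [
        "2024-05-03T09:00:01+00:00 fs-01 ir_collector process_start netstat.exe",
        "2024-05-03T09:00:05+00:00 fs-01 ir_collector process_start tasklist.exe",
        "2024-05-03T03:14:07+00:00 fs-01 svc_backup process_start updater.exe",
        "2024-05-03T09:00:06+00:00 fs-01 svc_backup outbound_connect 10.0.0.9:51022",
    ]
    return log, attribute(parse_target_log(target_lines), log)


if __name__ == "__main__":
    log, labelled = run_demo()
    print("chain intact:", log.verify_chain())
    for ts, action, who in labelled:
        print(ts, who, action)
```

Two design points carry the weight here. The account check matters as much as the time window: the fourth constructed event happens during a collection window but under a different account, so it stays unexplained rather than being hidden behind the examiner's activity. And the hash chain is what lets the investigator's log be offered alongside the target's logs or a later disk image; if anyone edits an entry afterwards, verify_chain reports it.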
We found LiveWire very easy to use, secure and extremely well documented (there is a user's guide and a 900-page manual, both with a great deal of detail). As a means of capturing volatile data on a remote machine it is first rate, and it can also image remotely. Its emphasis, however, is on collecting the operating state and locating important investigatory data on the target. This allows critical systems to continue operating during an investigation and reveals activity on the target as it happens.
We anticipate using LiveWire to monitor computers being tested in the lab to determine their behavior while they are being scanned and undergoing penetration testing. For that and for its utility, we award LiveWire Investigator our SC Magazine Lab Approved rating.
We consider the cost of ownership to be at the low end of the price spectrum, especially since the license covers an unlimited number of target machines.
LiveWire Investigator v. 3.1.1C has been ranked Lab Approved by SC Magazine.