WetStone Technologies: A division of Allen Corporation


US-LATT™


File transfer between laptops collecting evidence

  • Perform live acquisition
  • Triage live evidence on scene
  • Comprehensive reporting
  • Rapid capture of digital evidence
  • Easy to use

US-LATT performs live acquisition and triage of Microsoft® Windows systems. This tool gives investigators and incident response personnel the ability to triage live evidence and perform fast and efficient investigations in the field. US-LATT’s configuration utility allows the user to select what data is collected on-scene and to identify and image encrypted volumes and additional external drives. US-LATT allows the user to perform both on-scene and lab analysis, and all acquired data is formatted in an XML style sheet for web browser-based examination.


WHAT IS THE VALUE OF COLLECTING LIVE DATA?


Advancements in cyber crime and modern computing platforms have increased the need to acquire evidence from the complete system. In addition to the analysis and recovery of evidence that is traditionally gained by investigating a system post-mortem, it is vital that volatile data be collected prior to shutting down the system. When “pulling the plug” on a system and only performing analysis and recovery of evidence from a post-mortem system, the investigator may destroy potential evidence in the process. Some of the data that is collected using US-LATT on a “live” running system includes:

PHYSICAL MEMORY:

Provides the opportunity to examine and carve potential passwords, recent messages, partial documents, malicious processes, web history, financial data, phone numbers, and contact information.

RUNNING PROCESSES:

Supplies the investigator or auditor with a record of what processes were running on the target system at the time of acquisition. This information can provide important clues as to the most recent activity of the suspect or victim.

RUNNING SERVICES:

Furnishes insight into the system services that were running or stopped. For example: Was antivirus active? Was the firewall running? Was a VPN in operation?

SCREEN SHOTS:

Gives a snapshot of the most recent user activity, images, video, messages, documents, and open web pages or chat sessions.

ACTIVE NETWORK SESSIONS:

Affords insight into the connections to outside or inside services. These could be NAS devices, Cloud Infrastructures, accomplices, or compromised services.

OPERATIONAL DRIVERS:

Supplies detailed information about what peripherals have been connected to the system, for example cameras, GPS devices, USB devices, and flash memory cards, that may be valuable to the investigation or audit.

SYSTEM INFORMATION:

Supplies the investigator or auditor with a record of what processes were running on the target system at the time of acquisition. This information can provide important clues as to the most recent activity of the suspect or victim.

MOUNTED ENCRYPTED VOLUMES:

Provides access to information that may be vital to the investigation, yet is only available while the file systems are mounted and unlocked.

USER EVENTS (LOGIN, SHUTDOWN):

Provides information regarding when systems were used, and when users were logged in and logged out. Gives investigators evidence that may be used in questioning users.

SECURITY EVENTS:

Provides information about possible security violations, unsuccessful login attempts, and changes to important security settings that could affect operations.

REGISTRY ENTRIES:

Delivers a wealth of information about Windows systems, security settings, application settings, and even user activities.

RECENT IMAGES, MULTIMEDIA, AND DOCUMENTS:

Offers a glimpse at the most recent images, multimedia and documents that were viewed and modified by the user.

ACTIVELY & RECENTLY INSERTED DEVICES:

Provides quick access to information about inserted USB and other memory devices.

WEB HISTORY:

Gives investigators access to e-mail records and recent communications.

CHAT ACTIVITY:

Allows access to recent chat communications.

FILES & DOCUMENTS:

Certain files by type or content may provide immediate evidence to investigators or auditors. These files may have vital data related to the investigation or contain company proprietary data.

DRIVE IMAGES:

In some cases, the direct imaging of a logical volume may be essential, either to preserve evidence or to acquire evidence that may be lost during shutdown or is only available in a live setting.

DIRECTORY STRUCTURE:

Taking a snapshot of a directory structure may provide information about the user’s activities and operational intent.

INSTALLED APPLICATIONS:

Reviewing the installed applications may provide a glimpse into the motivation, behavior, and level of sophistication of the user.


DELIVERABLE


  • 32GB encrypted USB device equipped with 256-bit AES Encryption
  • Customer Support Portal account
  • 1-Year Maintenance

SUPPORTED OPERATING SYSTEMS


  • Microsoft Windows® Vista, 7, 8, 8.1, 10 (32- and 64-bit)