EVALUATION
ISeek employs a patented forensic automaton, the only one of its kind in eDiscovery, Incident Response or Digital Forensics. It works independently of human management or system restrictions. It performs investigation tasks primarily on LIVE Windows systems, whether standalone devices, networked workstations or cloud instances, without installation. ISeek can process IN the cloud at full disk speed, without installation and without rebooting the machine. This approach is critical when dealing with servers, whether they are in the cloud or part of an in-house system, and means that no data has to be transferred out of the cloud for processing.
ISeek is based on parallel computing with unlimited scaling. If processing 1,000 endpoints, ISeek utilizes 1,000 machines and their memory to do the bulk of the work, rather than having them simply push large volumes of data back to a central point where the work is done using a fraction of the combined resources available to ISeek. Because of this, ISeek can scale to any number of devices anywhere on earth without reliance on other mechanisms, machines, or user interaction. ISeekDiscovery (the deployed automaton) runs without the need for interaction and typically runs in ‘hidden’ mode: it is invisible to the end user, with nothing to see, monitor, or touch.
Part of ISeek’s speed comes from the fact that it processes both operating system and user data straight from the disk to retrieve the required information; this is much faster than any other approach. With data encrypted at all times, ISeek exceeds global GDPR requirements and NIST recommendations for the protection of PII or ESI. When it comes to producing instantly reviewable ESI (using the ISeekExplorer review utility), nothing else in eDiscovery requires less labor or is as cheap to run.
Another significant speed advantage of ISeek is that it does not have to build an index before it can locate the required data. It should also be noted that when indexing is used to find data, it will often fail to achieve the same level of results as ISeek, due to limitations inherent in that method (Reference Paper).
Inferior Alternative Methods
Traditional collection tools fall into just two groups. The first group is the indexing-distribution-review systems such as Nuix and Relativity, where all raw data must first be ingested into the tool and then indexed to locate the required data. They require expensive hardware, people, and significant user training, because a user is always interfacing with the tool and the data.
The second group consists of forensic tools, usually with 20 or more years of development behind them in analyzing filesystems and deconstructing files. Examples include EnCase, FTK, X-Ways, Axiom, BlackBag, ILooKIX and Autopsy (GPL). In all these tools, user interaction is necessary throughout the lifecycle of the data. It is impossible to use these tools without significant training and experience: some human, somewhere, has to be ‘driving’ the tool to obtain the results. With these tools there is no real scope for parallelism, as their distributed agents are just extensions of the central processing point; they quickly overload networks with their traffic, requiring processing to be limited to a few endpoints at a time.
The built-in design weaknesses of alternative approaches to ISeek include:
1) The requirement for installation, which may also include dependencies and disk drivers.
2) Heavy involvement of a human to initiate the work and perform manual control.
3) Inability to process live data under Secure Boot or BitLocker, or when files have been locked by the filesystem.
4) Inability to meet GDPR standards at all levels of use in any repository location.
5) The need for dongles, license keys or server connections to carry out collection transactions, licensing, or billing.
6) The requirement to attach a computer system to a network in order to initiate and manage the work and participate in the production.
7) Review applications charging for static data whether or not it is in use.
8) The creation of large amounts of dangerous and matter-irrelevant pools of data that then become newly susceptible to unauthorized access.
9) The inability to recognize live mounted encrypted volumes or disks which require post-boot credential mounting.
Interested? Want to compare tools?