On the agent side, the pro is that the agent communicates with the investigator, not the target computer, so there is virtually no forensic interference with the target machine.
The con is that only machines with implanted agents can be analysed. If a computer without an agent needs to be analyzed, the agent must be installed.
LiveWire gets around both these issues by not implanting agents. Instead, it simply logs into the target and analyzes it while keeping meticulous logs of each activity for comparison with the target’s logs or forensic evidence if the computer needs to be imaged.
We found LiveWire very easy to use, secure and extremely well documented (there is a user’s guide and a 900-page manual, both with lots of detail). As a means of capturing volatile data on a remote machine, it is first rate. It does not, however, allow imaging remotely.
Its purpose is aligned more with collecting operating states and locating important investigatory data from the target. This allows critical systems to continue to operate during an investigation and reveals activity on the target as it is happening.
We anticipate using LiveWire to monitor computers being tested in the lab to determine their behaviour while they are being scanned and undergoing penetration testing. For that and for its utility, we award LiveWire Investigator our SC Magazine Lab Approved rating.
We find the cost of ownership at the low end of the price spectrum, especially since the license is for an unlimited number of target machines.
LiveWire Investigator v. 3.1.1C has been ranked Lab Approved by SC Magazine.
For: Easy to use, lots of live analysis functions and very well documented.
Against: The jury still is out on live forensics and in certain circumstances, this tool may be challenging to defend in court since it logs on to the target and does not use an agent.
Verdict: Extremely powerful tool for analyzing computers without taking them off-line. We award LiveWire our SC Magazine Lab Approved.