LiveWire Investigator v3.1.1C
Strengths: Easy to use, lots of live analysis functions and very well documented
Weaknesses: The jury is still out on live forensics and, in certain circumstances, this tool may be challenging to defend in court since it does not use an agent
Verdict: Very powerful tool for analysing computers without taking them offline
Live forensics is an emerging field and, although there are a lot of good reasons to use it, there are still caveats. Two other products in this group test perform live forensics, both of which use agents on the target machines to minimise interaction with the computer itself. LiveWire performs an extensive suite of forensic tests on remote running systems, but does not implant an agent on the target.
There are arguments on both sides. With an agent, the investigator talks only to the pre-installed agent rather than logging into the target, so the investigation itself adds virtually no new forensic footprint to the machine. The disadvantage is that only machines on which an agent was deployed beforehand can be analysed.
LiveWire takes the other route. It deploys no agent, so any reachable machine can be examined; instead it logs into the target with an account and runs its analysis there, keeping a meticulous log of each action so that the examiner's own footprint (logons, spawned processes, files touched) can later be separated from the target's pre-existing logs and forensic evidence. Again, however, the emphasis is less on court presentation and more on discovery, compliance and incident management. With LiveWire, operational needs come first and forensic purity is secondary. In many cases this is congruent with corporate goals during an incident.
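The agentless approach stands or falls on the quality of the examiner's own activity log. The following Python is an added illustration of that idea, not LiveWire's code (the product's internals are not described here): every command run against the target is recorded with start and finish times and a hash of its output in an append-only, hash-chained log, and the target's own log entries are then sorted into the examiner's recorded footprint, unrecorded activity under the examiner's account (a gap that has to be explained), and everything else. The examiner account `ir_examiner`, the host name `ws-17`, the canned command output and the host's log entries are all constructed for the example; the remote transport is abstracted as a callable.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EXAMINER_ACCOUNT = "ir_examiner"   # assumed name of the investigator's logon account


@dataclass(frozen=True)
class ActionRecord:
    seq: int
    started: datetime
    finished: datetime
    command: str
    output_sha256: str
    chain: str            # SHA-256 over the previous chain value + this record's fields


def _record_body(seq, started, finished, command, digest) -> str:
    return json.dumps([seq, started.isoformat(), finished.isoformat(), command, digest])


class ExaminerLog:
    """Append-only, hash-chained record of every command the examiner runs on the target."""

    def __init__(self, target: str, account: str = EXAMINER_ACCOUNT):
        self.target, self.account, self.records = target, account, []

    def run(self, command: str, execute, clock) -> str:
        started = clock()
        output = execute(command)            # remote transport (WMI, SSH, ...) abstracted away
        finished = clock()
        digest = hashlib.sha256(output.encode()).hexdigest()
        seq = len(self.records) + 1
        prev = self.records[-1].chain if self.records else "0" * 64
        body = _record_body(seq, started, finished, command, digest)
        chain = hashlib.sha256((prev + body).encode()).hexdigest()
        self.records.append(ActionRecord(seq, started, finished, command, digest, chain))
        return output

    def verify_chain(self) -> bool:
        """Recompute the chain; any edited or reordered record breaks it."""
        prev = "0" * 64
        for r in self.records:
            body = _record_body(r.seq, r.started, r.finished, r.command, r.output_sha256)
            if hashlib.sha256((prev + body).encode()).hexdigest() != r.chain:
                return False
            prev = r.chain
        return True


def reconcile(log: ExaminerLog, target_events, slack=timedelta(seconds=2)):
    """Sort the target's own log entries into three buckets:
    'examiner' - examiner account, inside a recorded action window (our footprint),
    'unlogged' - examiner account, but no recorded action covers it (must be explained),
    'other'    - everything else, i.e. the activity actually under investigation.
    `slack` absorbs small clock skew between examiner workstation and target."""
    buckets = {"examiner": [], "unlogged": [], "other": []}
    for ev in target_events:
        if ev["user"] != log.account:
            buckets["other"].append(ev)
        elif any(r.started - slack <= ev["ts"] <= r.finished + slack for r in log.records):
            buckets["examiner"].append(ev)
        else:
            buckets["unlogged"].append(ev)
    return buckets


def demo():
    """Constructed session against a fake host; nothing here touches a real machine."""
    t0 = datetime(2007, 3, 5, 9, 0, tzinfo=timezone.utc)
    clock_state = {"now": t0}

    def clock():
        clock_state["now"] += timedelta(seconds=1)      # fake clock: each call advances 1 s
        return clock_state["now"]

    host_events = [   # constructed target log as it stood before the examiner connected
        {"ts": t0 - timedelta(minutes=40), "user": "jsmith", "msg": "process created: nc.exe -l -p 4444"},
        {"ts": t0 - timedelta(minutes=5), "user": EXAMINER_ACCOUNT, "msg": "logon (unrecorded test run)"},
    ]
    canned = {"logon": "ok", "tasklist": "nc.exe 1337\nexplorer.exe 912\n",
              "netstat -an": "TCP 0.0.0.0:4444 LISTENING\n"}

    def execute(command):
        # the fake host records the examiner's command in its own log, as a real host would
        host_events.append({"ts": clock_state["now"] + timedelta(milliseconds=500),
                            "user": EXAMINER_ACCOUNT, "msg": f"process created: {command}"})
        return canned[command]

    log = ExaminerLog("ws-17", EXAMINER_ACCOUNT)
    for cmd in ("logon", "tasklist", "netstat -an"):
        log.run(cmd, execute, clock)
    return log, reconcile(log, host_events)


if __name__ == "__main__":
    log, buckets = demo()
    print("chain intact:", log.verify_chain())
    for name, evs in buckets.items():
        print(name, [e["msg"] for e in evs])
```

In practice `execute` would be the real remote transport, and both clocks would be synchronised before the session begins; `slack` covers residual skew, not an unsynchronised target. The "unlogged" bucket is the one that matters in court: an entry there means the examiner's account touched the machine at a time the activity log cannot account for.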
We found LiveWire very easy to use. It is extremely well documented, with a user's guide and a 900-page manual rich in detail. As a means of capturing volatile data on a remote machine, this is a first-rate product. It does not, however, allow remote imaging. Its purpose is aligned more with collecting the running state of the target and locating important investigatory data on it. This enables critical systems to continue to operate during an investigation and reveals activity on the target as it is happening.
We anticipate using LiveWire to monitor PCs under test in the lab to determine their behaviour while they are being scanned and undergoing penetration testing. For that and for its utility, we award LiveWire Investigator our Approved for SC Labs rating. Priced at £4,665 including first-year support, we find the cost of ownership at the low end of the price spectrum, especially since the licence is for an unlimited number of target machines.