eDetector has developed an endpoint data forensics and evidence collection system for R&D teams, in order to track traces of malicious behavior in memory. Clients have praised it repeatedly during forensics and evidence collection tasks, and it won the Innovation Research Award from Taiwan's Ministry of Economic Affairs. Malicious and fileless attacks inevitably leave traces in memory when they execute. eDetector uses its memory detection technology to detect malicious behaviour of in-memory programs, even without a virus signature. In addition, each user can select different processing and alarm mechanisms for different risk levels, so that emergency response measures can be taken quickly in case of an attack, helping to prevent the incident from spreading further.
- The main management platform supports Windows 7 and later operating systems and can be installed on both 32-bit and 64-bit platforms. The user interface is provided in Chinese (and English).
- Client Agent deployment supports Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows Server 2016 (and other versions of the operating system). Both 32-bit and 64-bit platforms are supported.
- After deploying the Agent on the client computer with system administrator privileges, memory analysis, information evidence collection and other host settings can all be performed from the main management platform.
- Displays a tree table view of the client's running programs; expanding a node lists the modules and libraries (DLLs) it has loaded. A memory dump of a running program can also be produced.
- Offers functionality to collect information about boot-up services, self-starting programs, and scheduling tasks.
- Offers functionality to check the digital signature of executing programs and to display the digital signature information of both signed and unsigned files.
- Provides file search functionality through a user host-file list view.
- Provides a graphical calendar display with a TimeLine for easy monitoring of local files' status changes, sorted by date.
- The search function can collect up to 24 client information items.
- Every client's tasks and their timing can easily be managed from the top-level schedule interface.
- Detects and analyzes currently running programs and their loaded modules, with customizable analysis conditions. Information about detected abnormal programs, as well as the previous day's host detection result report, can be sent out by email.
- To identify the executing program behind a problem, association diagrams can be displayed to help users find the root cause of the malware.
- A running malicious program can be terminated, forcing the dormant attacker to suspend their current activities.
- Based on the current program's connection activity, the geographic locations of relevant IP connections can be displayed on a world map.