"Advanced Evimetry Forensic Acquisition: Dongle-less, Cloud, and Persistent Cloud" Course Review
With virtualization and cloud computing having made major advances in recent years, the old ways of forensic data acquisition are fading into oblivion. Not only are storage device capacities increasing by orders of magnitude, but the devices are also often inaccessible, sitting in a data center halfway around the world. Simply removing the drive to connect a write-blocker, or booting with a forensic copy program and doing a bit-for-bit transfer, has become impractical, if not impossible, in many circumstances. Additionally, the increasing sophistication of malicious actors allows them to move laterally through a network for months or years on end, touching dozens of systems in the process before being detected. Current incident response procedures therefore require improved evidence acquisition methods that scale with the number of systems, their geographic distribution, and the sheer magnitude of the data they contain.
The commonly deployed forensic disk imaging programs, such as dd or FTK® Imager, are still useful when one or two local systems require evidence acquisition. These programs are also practical when the time required to image is not a major concern. However, they are not well suited to instances where evidence must be obtained from a large quantity of geographically dispersed or cloud-based systems. In those cases, more robust and purpose-built acquisition products must be used.
With these requirements in mind, Cybrary’s series of courses covering the Evimetry forensic acquisition software, developed by Schatz Forensics, demonstrates the advanced capabilities needed to handle large-scale cloud or live data acquisitions. The course titled Advanced Evimetry Forensic Acquisition: Dongle-less, Cloud and Persistent Cloud is one of the courses showcasing several advanced special features. It builds upon the concepts presented in Introduction to Evimetry: The Controller and Basic Evimetry Deadboot Forensic Acquisition: Wired and Local, which are recommended prerequisites. The student is encouraged to follow along using a 30-day trial version of Evimetry, their own Windows PC, and associated storage accessories.
The first section of this course demonstrates how to create a single disk drive that combines three functions: a forensic operating system boot drive, termed a "deadboot" dongle; a destination drive to hold the acquired data, also known as a "blessed" repository; and the Evimetry license dongle. Typically, three separate devices, two "dongles" and a repository drive, must be attached to the suspect system. Combining these into a single drive allows for a more efficient workflow, as well as the ability to send a single device to a remote location for use by less skilled personnel.
To achieve the "dongle-less" capability, the drive used must be a USB Attached SCSI Protocol (UASP) capable USB drive, as opposed to the standard USB flash/disk drives used for creating "deadboot" dongles and repository drives. Special, somewhat expensive ($100 to $250 USD), UASP-capable SSD drives are mentioned and used in the video. However, for simple instructional use in this course, the student can obtain an inexpensive UASP-capable drive enclosure and supply either a low-cost SSD or hard disk for a total of about $50 USD. Clearly, this would not be recommended for production use, but it is sufficient within a learning environment.
The second section focuses on cloud-based acquisitions, showing how to create a special Evimetry "Cloud Agent". This is an Ubuntu Linux-based system that contains the repository and also acts as a proxy for commands from the Evimetry "controller" program. The controller is the primary Windows-based software managing the acquisition process in both physical and cloud scenarios. For the cloud-based scenario, the system being acquired must be in a "live" or running state, which precludes using a "deadboot" forensic procedure. Instead, depending on the operating system, a series of PowerShell or macOS/Linux script commands is executed on the suspect system to download the agent, initiate control of the acquisition process, and communicate with the cloud repository machine.
For the student to replicate the procedures demonstrated, an account with Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform is required. Unfortunately, the AWS free tier virtual machines have neither enough RAM nor enough storage available to run the Cloud Agent system. However, both Microsoft Azure and Google Cloud Compute offer dollar credits ($200 and $300, respectively) to try their services. None of these "trial" configurations will allow a Microsoft Windows compute instance. Therefore, unless you upgrade to a paid account, some modifications to the demonstration process will be required in order to use a Linux rather than a Windows system as the suspect machine. If you are unfamiliar with these cloud services, or with configuring their virtual machines and networks, see the Cloud Architecture Foundations course as a starting point.
Finally, a brief mention is made of a "Persistent Cloud" version of Evimetry that can be permanently installed within an enterprise cloud environment, ready for immediate incident response or legal acquisition purposes. Clearly, this product is a robust and flexible forensic acquisition system that is worthy of further investigation, both through the series of Evimetry-specific courses and as an adjunct to the tools and methods presented in the Incident Response and Advanced Forensics course. With all of the knowledge found in these courses, now is an excellent time to begin learning. Sign up for Cybrary’s Advanced Evimetry Forensic Acquisition: Dongle-less, Cloud, and Persistent Cloud course today!