Course Content

Module 1: Introduction

5m
Introduction
8m
Getting the Bitlocker Recovery Key

Module 2: Handling BitLocker and FileVault 2: Evimetry and Mount Image Pro

7m
2.1Evimetry for a Filevault'd Mac
12m
2.2Decrypting an Image Using Mount Image Pro
1m
2.3Mount Image Pro Decryption Summary

Module 3: Conclusion

1 minute
3.1Course Summary

Course Description

During the course we will collect a FileVault 2 encrypted MacBook Air in minutes without breaking a sweat using Evimetry. Once we have a series of fully encrypted forensic images will use GetData Mount Image Pro to decrypt our forensic images and make the data available for further forensic analysis.

Prerequisites

  • Before any forensic acquisition you must document the evidence
  • See my Cybrary course: “Evidence Handling: Do it the Right Way”
  • See my Cybrary course: “Basic Evimetry Deadboot Forensic Acquisition: Wired & Local”
  • A full-featured, evaluation copy of Evimetry
  • An evaluation copy of Mount Image Pro
  • Internet connected computer
  • An encrypted Mac computer
  • A USB thumbdrive for dead booting
  • A storage drive (USB3 External)

Course Goals

By the end of this course, students should be able to:

  • How to identify a BitLocker’d or FileVault’d disk by signature
  • Acquire a FileVault’d Mac with Evimetry
  • Use Mount Image Pro to decrypt Windows and Mac encrypted volumes

Instructed By

Instructor Profile Image
Brian Dykstra
CEO and President of Atlantic Data Forensics
Instructor

Delivered By

Atlantic Data Forensics

Industry leader in digital evidence collection and forensics.

Provided By

Cybrary

Certificate of Completion

Certificate Of Completion

Complete this entire course to earn a Handling BitLocker and FileVault 2: Evimetry and Mount Image Pro Certificate of Completion