Handling BitLocker and FileVault 2: Evimetry and Mount Image Pro

Cybrary
Course

In this course we will look at forensic collection of fully encrypted Windows and Mac computers with Evimetry.

Time
35 minutes
Difficulty
Advanced
CEU/CPE
1
4.7
Share
NEED TO TRAIN YOUR TEAM? LEARN MORE
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Course Content
Course Description

During the course we will collect a FileVault 2 encrypted MacBook Air in minutes without breaking a sweat using Evimetry. Once we have a series of fully encrypted forensic images will use GetData Mount Image Pro to decrypt our forensic images and make the data available for further forensic analysis.

Prerequisites

  • Before any forensic acquisition you must document the evidence
  • See my Cybrary course: “Evidence Handling: Do it the Right Way”
  • See my Cybrary course: “Basic Evimetry Deadboot Forensic Acquisition: Wired & Local”
  • A full-featured, evaluation copy of Evimetry
  • An evaluation copy of Mount Image Pro
  • Internet connected computer
  • An encrypted Mac computer
  • A USB thumbdrive for dead booting
  • A storage drive (USB3 External)

Course Goals

By the end of this course, students should be able to:

  • How to identify a BitLocker’d or FileVault’d disk by signature
  • Acquire a FileVault’d Mac with Evimetry
  • Use Mount Image Pro to decrypt Windows and Mac encrypted volumes
Instructed By
Brian Dykstra
Brian Dykstra
CEO and President of Atlantic Data Forensics
Instructor
Provider
Atlantic Data Forensics

Industry leader in digital evidence collection and forensics.

Provider
Cybrary
Certificate of Completion
Certificate Of Completion

Complete this entire course to earn a Handling BitLocker and FileVault 2: Evimetry and Mount Image Pro Certificate of Completion