All right, this is introduction: Evimetry, the controller.
Hi, I'm Brian Dykstra. I am the CEO of Atlantic Data Forensics. I'm a co-founder of Mandiant, was also a first contractor cybercrime instructor at the FBI Academy, have a military intelligence background, a bunch of certifications there, things like that.
And, ah, if you have any questions about this or any of the other courses I've done, please contact me at cyberia atlantic DF dot com.
Um all right, let's do this.
All right. Atlantic Data Forensics was founded in 2007. We're headquartered in Elkridge, Maryland. We do computer forensics for civil and criminal litigation. We have a full-scale e-discovery practice for our law firm clients, and we do a lot of 24/7 incident response services, internal corporate nature, our investigations.
Ah, we also, for our corporate clients, do incident response training and exercises, and we have offices in Denver and Detroit.
All right, prerequisites for this course: not too much. Ah, but before you do any kind of forensic acquisition like what we're gonna do here today, you've got to remember you must document your evidence. Before you ever get to touching computers or hard drives or anything else, document the evidence. If you collect it and don't have any documentation, it's just cool data.
All right, for more information on that, see my Cybrary course, Evidence Handling: Doing It the Right Way. And you can get more information on an evaluation copy of Evimetry, if you want to follow along the slides here and do it yourself at home, at the URL below there, my of a metric dot com, and they'll send you out an eval license, which I believe is good for 30 days, full featured; all the tools and stuff are available.
And then, of course, you should probably also take a look at Bradley Schatz's AFF4 document there also, which will explain some of the deep, dark, mysterious details of AFF4.
All right. Course materials you're gonna like to have here: one, an Internet-connected computer is a good idea. You're gonna want that eval copy of Evimetry. You're gonna need an evidence drive, so that could be any old drive. In this case, I'm using just a, ah, SanDisk thumb drive here to make things quick and easy.
Um, you're gonna have a storage drive. I like USB 3 external commodity drives. No big deal there. I'm using a little Western Digital here today.
Um, and then, ah, a hardware write block, if you're planning on doing this for real evidence collection. Not gonna get into write blocking today. But let me say that if you're ever collecting evidence, you know, using a Windows computer like we're doing here today as a controller, um, you're gonna want to have a hardware write block on this. You can't trust that Windows isn't gonna touch the drive. It most definitely is.
So you're gonna want to make sure that that doesn't happen by putting a write block in there. We'll probably talk more in future courses about write blocks. If you're just burning to know, you know, what Brian likes for write blocks, our personal preference is the WiebeTech CRU write blocks. They have a whole variety of those. You can check those out online.
All right, target audience for this. Obviously, computer forensics professionals, incident responders, and, of course, information technology professionals who might get pressed into doing this on their own.
Learning objectives. We're gonna talk about the basic layout of the Evimetry Windows controller. There's also a controller for Mac and a controller for Linux. But we're gonna focus on the Windows controller here. It's the one we use most often in our day to day.
We're gonna talk about evidence drives, first, bless drives for collection. Then we're actually gonna perform a full linear forensic acquisition using Evimetry right here from the controller. And then we're gonna talk about options for performing allocated only, allocated remainder, nonlinear, partial and live disk access acquisitions, which we'll go into, some of those, in future courses and do them live. And, you know, everybody gets an idea of how it works.