2.1 Creating a "Blessed" Storage Drive

36 minutes
Video Transcription
All right, this is the introduction to Evimetry, the Controller.
Part of the process of creating an image is what we call making a blessed storage drive. So by default, and let me go back over to my slides here, all storage media is write blocked by Evimetry. Now, having said that,
it's still important that I put a physical hardware write block on my acquisition media. When I'm doing this from a Windows system, Windows is most definitely going to reach out and touch that drive,
trying to index it, things like this. I don't want that to occur, so I'm going to go ahead and make sure I've got that write blocked, but by default Evimetry is not going to allow me to accidentally write data to any of the drives until I have specifically pointed one out.
It's a great method. It helps you prevent mistakes. Nothing worse than
overwriting a target drive or the evidence drive, things like that. That would just be a complete disaster.
The storage drive we're going to write to has to be exFAT formatted. That's the Microsoft formatting option, the file system option there.
exFAT has a couple of advantages. One of those is that it's usable on all Windows and OS X systems natively; they understand those drives out of the box. They show up right away when you
plug them in. And it's not a problem on Linux either. Linux has an exFAT FUSE module for that file system that you can easily incorporate, and you can view it on a Linux system also. So basically, you've got one file system for your storage drive that
all three of your primary operating systems can see.
There's been a lot of talk recently. Microsoft made some announcements, Linux folks made some announcements, but basically exFAT support is going to be incorporated into the Linux kernel. So very soon we'll have a situation where an exFAT formatted
hard drive is just automatically visible on all three major operating systems,
which is good news for all of us.
All right, jumping back over to our controller here. So this is my storage drive here, my one terabyte USB drive,
and I'm going to go ahead and bless this as a repository.
It's going to ask me, are you sure you want that to be a repository? I'm going to say yes.
And if everything works right... yep. So it's now been marked as a repository disk. That will allow me to copy or to write my forensic image to that location. And if you notice over here,
the repository disk now has a little green check mark to it, just as a visual indicator of, you know, here's the drive that you're actually writing to. And of course, you notice that the other ones do not have that; they will not be options for acquiring.
One of the other pieces here that I love about Evimetry is that for
all my drives, it enumerates device information about them in this little panel down here. So, you know, I can see that it's exFAT formatted. I can see the size of the drive, the size of the partition, you know, how it's partitioned, if that's important, and information like drive serial number
and model of the drive, manufacturer, all this sort of stuff.
Really handy,
especially on something like, I'm working off a Microsoft Surface here. You know, you can't exactly tear one of these open easily. It turns out I have a specific model Toshiba hard drive inside of this thing. And of course, it tells me all of the format information and things like this about it.
So here's my target drive, or my evidence drive, here. As you can see, just a SanDisk Cruzer USB device, nothing very fancy about that, serial number there, which is nice to have on that. It's, you know, FAT32 formatted, and so on. Pretty typical looking USB thumb drive.
So what we're going to do is right click that,
and we're going to say acquire, as in, I would like to acquire a forensic image.
And it reminds me, Brian, just because you blessed the drive, you didn't actually create a storage repository for it.
Ah, Evimetry, you're so right.
I have to actually add a location
on my blessed drive as a repository.
So I do that by just right clicking it. You see, I now have a drop down option on my blessed drive for a storage repository. I come back over here to physical drive two and say acquire, and we move right on to our acquisition settings box.
All right, so if you've seen my course on evidence collection, you know that I'm not a huge fan of collecting your case information in your tool. That being said,
I totally believe you should fill this out every time. I just don't want this to be my only method of collecting evidence about my case. So what we're going to do here is just briefly document it. We're going to create a case number, A001. I have no idea why.
And then we're going to create an evidence item. So let's call this tag one.
So it's case number A001,
it's evidence tag one, and we'll put my full name in there.
And then here's where sort of collection at the tool level goes off the rails.
If I have an evidence collection document like we talked about in the other course, I have specific boxes that I fill in a specific way, every time, that have specific answers, you know, type, model, drive, all this sort of stuff. In a tool, they tend to not have all that space for you to put this information in.
So when you get a description here, it kind of becomes this free form.
What do I put in there? Should I put the date in there? Should I put, you know, the SanDisk drive's serial number in there? What's the thing that I should be putting in here? And it's not as organized, and that's what you'll end up with, a whole bunch of
different options there as to what an examiner will put in this field,
and that, of course, leads to chaos. And that's why I don't like it. So we'll just do something very simple: SanDisk USB device, eight gigabytes. It could have been anything there. Again, we would have already documented all the particulars about this device on our
evidence collection sheet.
All right, now we're going to add a container location. That's where I'm going to write this forensic image out to. By default, it's going to go to my already assigned repository, and it's going to give me a default name. So it takes my case name,
my evidence item ID, which is tag one,
and then it notes that it's also a physical drive and drops the serial number in there for that physical drive, .aff4. All right.
I don't disagree with this as an option. I just find that all to be rather wordy. And since I know I'm going to have good evidence collection documentation, I tend to shorten this up and make it a lot more user friendly. So I'm going to do something simple, like
case A001, tag 1, .aff4. Obviously, you can leave it as default. You can use your own numbering or naming scheme. All of those things are just fine. This is just my personal preference on how we do this.
All right, so that's my container location and the name of my container file for my forensic image.
The next option there is verify image upon completion. We always want to verify, hash verify, our images. So there's really no reason to not do that that I can come up with off the top of my head.
Our next options here are
the mode at which we want to do the collection. Now, in this case, we're going to do a full linear collection of this USB drive. However, we have options for doing a bunch of different types of collections, and we're going to talk about that briefly.
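The "verify image upon completion" step discussed above is, at its core, a hash comparison: the digests computed while the image was written are recomputed over the finished container and compared. The following is an added example, not part of the transcript and not Evimetry's own code, showing that check in plain Python over a constructed sample image. The sample bytes, the chunk size and all function names are assumptions of this example; on a real image you would point hash_file at the container and compare against the digests recorded in your evidence documentation.

```python
"""Stream-hash a forensic image and verify it against recorded digests.

Added example (not Evimetry code). Reads the image in fixed-size chunks so
a multi-terabyte container never has to fit in memory, computes several
digests in one pass, and reports per-algorithm match/mismatch.
"""
import hashlib
import io
from typing import BinaryIO, Dict, Iterable, Tuple

# Assumed chunk size; any value works, it only bounds memory use per read.
CHUNK_SIZE = 64 * 1024


def hash_stream(stream: BinaryIO, algorithms: Iterable[str] = ("md5", "sha256")) -> Dict[str, str]:
    """Return {algorithm: hexdigest} computed in a single pass over the stream."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(CHUNK_SIZE)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes, algorithms: Iterable[str] = ("md5", "sha256")) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (used by the demo and tests)."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path: str, algorithms: Iterable[str] = ("md5", "sha256")) -> Dict[str, str]:
    """Hash an on-disk image container, e.g. the .aff4 written at acquisition."""
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def reference_digest(data: bytes, algorithm: str) -> str:
    """One-shot digest, used to confirm the chunked computation is equivalent."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_image(stream: BinaryIO, recorded: Dict[str, str]) -> Tuple[bool, Dict[str, bool]]:
    """Re-hash the image and compare with digests recorded at acquisition time.

    Returns (all_match, {algorithm: matched}). Only the algorithms present in
    the record are recomputed, so the record drives what gets checked.
    """
    actual = hash_stream(stream, tuple(recorded))
    results = {name: recorded[name].lower() == actual[name] for name in recorded}
    return all(results.values()), results


def make_sample_image(size: int = 200_000) -> bytes:
    """Constructed stand-in for a disk image: deterministic, spans several chunks."""
    return bytes((i * 31 + 7) % 256 for i in range(size))


def demo() -> Tuple[bool, bool]:
    """Verify an untouched image, then the same image with one flipped bit."""
    image = make_sample_image()
    recorded = hash_bytes(image)  # what the tool would record when the image is written

    ok_same, _ = verify_image(io.BytesIO(image), recorded)

    tampered = bytearray(image)
    tampered[100] ^= 0x01  # single-bit change anywhere in the image
    ok_tampered, _ = verify_image(io.BytesIO(bytes(tampered)), recorded)

    return ok_same, ok_tampered  # expected: (True, False)


if __name__ == "__main__":
    same, tampered = demo()
    print("untouched image verifies:", same)
    print("bit-flipped image verifies:", tampered)
```

The per-algorithm result dictionary is deliberate: when an MD5 and a SHA-256 are both recorded on the collection sheet and only one disagrees, that points at a transcription error in the record rather than at a damaged image, and you want to see which one before deciding whether to re-acquire.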