2.2 Evimetry Acquisition Modes Part 1

36 minutes
Video Transcription
All right, this is the introduction to Evimetry, the controller.

Full linear here is your traditional reading and preserving of each and every block on your hard drive. Great method: full forensic image, bit stream image, whatever you'd like to call it. That's it. There's also an option for allocated only. This is a partial physical image of the volume metadata, the file system metadata, and then it uses the allocation bitmap metadata to preserve only the allocated areas. Where this really comes into play is if I have a situation, say, a discovery matter, where I'm going to collect a bunch of data and we know going into this, you know, that recovery of deleted items or artifacts on these drives is just not going to be an issue. We're simply trying to preserve, you know, the data that people have on their computers right now. Well, if everybody has one terabyte drives, it's unlikely those hard drives are full of data, right? It's actually more likely that most of the drive is unused or unallocated. So by using allocated only, I can collect just the parts of the hard drive that actually have data on them, which will end up being much, much smaller forensic images, much faster collection, things like this. It's not perfect for every case. It's just a flexible way of doing things.

There's also an allocated remainder. What allocated remainder does is it preserves the allocated data first and then goes back and makes an image of the unallocated areas. More of a sort of, you know, "I need to get quick access to the allocated data, and I also want to have the remainder" sort of thing.

They also have a non-linear partial. We're going to want to talk a little bit more about that, actually view that, but it preserves volume metadata, file system metadata again, and then file content by category and priority. So basically what I'm saying here is it's going to let us make a forensic image that only has certain types of files in it that we're interested in. So say maybe I have an intellectual property case or something like that, where I need to preserve data, you know, somebody took these documents or something like that. So I want to preserve the data on this computer, but I'm really only interested in a very narrow scope of data. So maybe all my Office documents and PDF files and, just for good measure, let me grab the log files and registry off this computer. I can actually select just the file types that I want. Doing this non-linear partial, I'll show you the interface for that. And then Evimetry has an interesting live access feature, so I can live access a drive via a shared virtual disk. Mostly that's an option for law enforcement when they're trying to preview drives and things like this prior to acquisition. In a commercial setting we don't typically use this a whole lot, although it does come into play every once in a while, and we will definitely be talking about doing it in a future course.

All right. Pop back over to our controller.

All right. So, like I said, we would do a full linear here, which is our intent. But like I said, I want to show you that really cool non-linear partial feature. Ignore the rest of it for a minute. So if I'm just collecting those file types, when I hit Next, I have choices here as to what types of files I can collect. So Windows access traces might be really useful; on a Mac, you know, Mac application traces. I could collect just registry information. I could select just log files. I'm interested in all the Microsoft Office documents, you know, and maybe the page file with that or something like that.

So I have options here. I can also edit this particular set of settings. So there's a YAML file, which is Yet Another Markup Language, in the source folder from Evimetry for this. I could go in there and edit it, I could create my own specific custom acquisition settings and things like this, where, say, on this case we want to make sure that everybody is doing it the same way. So I distribute a single YAML file that has all my file types in there and go ahead and do that. A lot of flexibility there. We will definitely do one of these in a future acquisition, in a future course. It's an interesting and unusual way to do acquisitions, but as I've said before, you never quite know what kind of case you get yourselves into, you know, what your requirements are at the time, and Evimetry is very flexible. It will let you make a lot of choices there.

All right. So our choice today, however, is a full linear acquisition of this. My compression choices here: I have Snappy, LZ4, Deflate, all that sort of stuff. I want to leave it with Snappy, which is a very fast compression algorithm, and we've talked about the advantages of that. And then I have choices for my hashing algorithm. By default that's set to SHA-1. I can set it to an MD5 hash, or SHA-256, or BLAKE2, or whatever it might be. The way Evimetry does it is what we call block map hashing, so it's not the normal linear hash you're thinking about. We're going to look at that in a second while it's actually acquiring. But right now I've got basically everything I need set up. So I've got my case number, my evidence number, my examiner name, a little bit of description here, where my file is going, the type of acquisition I want to do, so it's a full linear of the entire drive, my compression algorithm, my compression choice, and my hash algorithm.

I hit OK, and up here at the top of the screen we start to see that the image is being collected, and I have the system that's being collected on, the type of acquisition going, and the status, which is that it's running. We can actually see a real-time progress bar there. We've got the current elapsed time of the acquisition, which hasn't been going for long at this point, the amount of data processed at this point, so it's roughly got 600 meg of my 7.5 gig drive, and the speed at which it's collecting. Now, this is not fair to Evimetry, because this is, of course, a USB thumb drive, which is not exactly the fastest acquisition media, so it's going to be a rather slow acquisition. And then the estimated time remaining in that acquisition. Sometimes this number can bounce dramatically, but it's based upon the amount of free space on the drive. In this case, I have a real thumb drive with real, well, at least four gig of data on it, and things like this, real files, that sort of thing, are part of this because, you know, I don't believe in testing blank thumb drives and things like that. Even for a show, you should try and test your stuff with real data.

Over here we have the Images tab just next to that, and we can see that my controller, which is on my desktop here, is writing a file out, and when it was created and all that sort of stuff, some basic information about it. Not too much interesting there. As I click on these, you can see the same information in the lower window here, as well as... So while it's going along and doing its bit, it says it should be about three and a half minutes to finish this. We will pop back over here.
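The transcript describes two ideas that are easier to see in code than in a progress bar: an allocated-only image that copies only the blocks a file system's allocation bitmap marks as in use, and per-block ("block map") hashing as opposed to one linear digest over the whole drive. The following Python is an added example written for this page; it is not Evimetry's code, and the sparse image (a dictionary of block number to bytes) and the per-block digest table are assumed illustrative structures, not Evimetry's container format. The eight-block "drive" and its bitmap are constructed inline. Block 5 holds stale content from a deleted file, which is exactly the data the transcript says an allocated-only image knowingly gives up.

```python
"""Allocated-only imaging and per-block hashing, as a constructed illustration.

Not Evimetry's code or on-disk format: the 'drive' is a bytes object, the
allocation bitmap is one boolean per block (what a file system's bitmap
would supply), and the hash record is a dict keyed by block number.
"""
import hashlib

BLOCK_SIZE = 16  # constructed toy block size; real clusters run 512 B to 64 KiB


def _blk(data: bytes) -> bytes:
    """Pad or trim a constructed payload to exactly one block."""
    return data.ljust(BLOCK_SIZE, b"\x00")[:BLOCK_SIZE]


def make_disk():
    """Return a constructed 8-block drive and its allocation bitmap.

    Block 5 holds stale data from a deleted file: the bitmap marks it free,
    so an allocated-only image will not preserve it.
    """
    blocks = [
        _blk(b"VOLUME-METADATA"),   # 0: volume / file-system metadata, allocated
        _blk(b""),                  # 1: never used
        _blk(b"memo.docx:part1"),   # 2: allocated file content
        _blk(b"memo.docx:part2"),   # 3: allocated file content
        _blk(b""),                  # 4: never used
        _blk(b"DELETED-secret"),    # 5: stale content of a deleted file, unallocated
        _blk(b"system.log"),        # 6: allocated file content
        _blk(b""),                  # 7: never used
    ]
    bitmap = [True, False, True, True, False, False, True, False]
    return b"".join(blocks), bitmap


def split_blocks(disk: bytes):
    return [disk[i:i + BLOCK_SIZE] for i in range(0, len(disk), BLOCK_SIZE)]


def linear_hash(disk: bytes, algo: str = "sha1") -> str:
    """Conventional whole-drive hash: one digest over every block in order."""
    return hashlib.new(algo, disk).hexdigest()


def allocated_only_image(disk: bytes, bitmap, algo: str = "sha1"):
    """Copy only the blocks the bitmap marks allocated and hash each block
    on its own, giving a per-block digest table (the block-map idea)."""
    image, hashes = {}, {}
    for n, (block, allocated) in enumerate(zip(split_blocks(disk), bitmap)):
        if allocated:
            image[n] = block
            hashes[n] = hashlib.new(algo, block).hexdigest()
    return image, hashes


def verify_image(image, hashes, algo: str = "sha1"):
    """Re-hash every stored block and return the block numbers that no longer
    match. A per-block digest pinpoints the bad block; a single linear digest
    could only report that the whole image differs."""
    return [n for n, block in image.items()
            if hashlib.new(algo, block).hexdigest() != hashes[n]]


def expand_image(image, total_blocks: int) -> bytes:
    """Rebuild a full-size raw view, zero-filling the unallocated blocks."""
    return b"".join(image.get(n, b"\x00" * BLOCK_SIZE) for n in range(total_blocks))


def demo():
    disk, bitmap = make_disk()
    image, hashes = allocated_only_image(disk, bitmap)
    # The allocated-only image keeps 4 of the 8 blocks; expanding it back to
    # full size zero-fills block 5, so its linear digest cannot equal the
    # physical drive's: the deleted file's stale content is gone by design.
    expanded = expand_image(image, len(bitmap))
    tampered = dict(image)
    tampered[3] = _blk(b"memo.docx:EDITED")  # simulate one corrupted block
    return {
        "blocks_stored": len(image),
        "bytes_stored": sum(len(b) for b in image.values()),
        "bytes_on_disk": len(disk),
        "verifies_clean": verify_image(image, hashes) == [],
        "tampered_blocks": verify_image(tampered, hashes),
        "linear_hash_matches_drive": linear_hash(expanded) == linear_hash(disk),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the trade-off the instructor describes: the image is half the size of the drive and every stored block verifies independently (a corrupted block 3 is reported as block 3, not as a vague whole-image mismatch), but the expanded image no longer hashes to the same value as the physical drive because the unallocated, deleted content was never captured.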