3.1 Evimetry Deadboot Operation: Getting Started


37 minutes
Video Transcription
All right. Welcome to Evimetry deadboot forensic acquisition. And let's get right into this.

Good. So we're just gonna start up our NUC here with our deadboot dongle applied. It's gonna come up to the Evimetry screen, and it'll take, um, this is really dependent upon the computer and the thumb drive speed and things like that, but it'll take a moment for this to walk itself through the boot process until we get to the point where we can start actually making our forensic image.

All right. As you can see, the boot dongle got itself powered, the deadboot dongle got itself past the basic boot screen there. Saw a little bit of the kernel loading stuff fly by. And now we're just in the deadboot portion where it's actually picking up its network connection.

And we get ourselves to our basic graphical user interface, the local deadboot agent screen. And as you can see from the screen, we have up at the top our target suspect device, which is a 233... 223, excuse me, Crucial drive there inside that NUC. And then we have our evidence destination devices at the bottom, which is our blessed drive that we already made, our /dev/sdc device, which is our Passport drive there.

So what we need to do here is select basically the drives that we're going to use: both the target drive, that internal sda drive, and then the evidence drive we're going to write it out to. And then we drop down here and we go ahead and click on Acquire, and very much like what we did last week from the Windows controller, I have an opportunity to go ahead and put in my case information, my evidence information, and my examiner information, and fill in that description field with whatever I like. Like I said before, don't rely on that description field, right? We did all our proper documentation ahead of time. We don't want to rely on a description field that doesn't have any specific fields. We're gonna call this case 001, just like we did last time. We're gonna call this tag 1 of our evidence.

We're gonna put our full name in there again. This is one of those little things that we at Atlantic Data Forensics consider to be really important. We get evidence in all the time, as I said, without the proper documentation, without everything that you need, and oftentimes no examiner name in the field. And no matter what piece of software you're doing your acquisition with, there's a space for this. Um, you know, you should go ahead and put your name in there. Or we find sometimes people put, you know, just their initials in or something like this. Just, you know, take the moment, fill things out a little bit more completely. In this case, I have a little NUC here, so I have an Intel NUC that is called "TF95" for some reason that I don't know, and, uh, then we go down and I have my options for what I'd like to call the AFF4 image. In this case, as I said, I always like to name it for my actual case number and my evidence tag number, because I've got plenty of time to collect all that other information, and I want the case and tag number to be easily recognizable when I'm looking at a disk later on without having to, you know, "is this the Crucial whatever", things like that. We've already collected that information. It's gonna get collected again in the logs as we're making our Evimetry image.

So we don't really need to apply that to our name. It just makes it tough on people. Um, auto verify on completion: never a reason not to verify our image, right? And then we just pop over and say OK, and as you can see, it will mount the destination drive, which is already blessed, and it will immediately start the acquisition process.

It should crank itself up pretty quickly. As you can see, and as I have been saying all along, Evimetry is one of the fastest tools we've ever used in the history of our company for forensic acquisition, especially on things like this, you know, M.2 drives or NVMe drives or things like that, these small solid state drives, things like this. You get some really quick acquisition speeds. So, you know, here we're gonna collect a 223 gig disk in, you know, looks like a little over six minutes, which is some pretty darn fast speed. We get about 540 meg per second acquisition right there. You really can't argue with that sort of speed. And if you're in this business, you know, where you, as we are at Atlantic Data Forensics, where we frequently have to go in and, you know, make forensic images of, you know, dozens or even, you know, 100 or more computers, and it's, you know, important to a case or a situation, speed is everything, right? You know, speed makes all the difference in the world, even if you have lots of time to do it. You know, clients always appreciate it if you could get in there, make those forensic images, and get back out of their hair as quickly as possible.

We're not gonna go through the whole process here just because it's tedious to watch status bars, right? Um, if you're doing the job, you know about watching status bars. But you get the basic idea, and at the end of this, it will go ahead and verify our image, give us a hash and all that sort of thing. So all the standard processes that we showed last week in the controller video will happen right here. But again, this is doing this locally off the target box. We used our deadboot dongle to boot the system with, we attached our blessed USB drive to it to write out to, and of course, because we're doing it from the local system, it's all self-contained. I went ahead and plugged my Evimetry license dongle directly into this box. Um, great way to do it when you're doing one-offs, things like that. You can just pop this up real quickly and boom, you're done in a matter of 15, 20 minutes, even on a large drive. You know, terabyte drive and things like that, you could be done in as little as two hours. Um, that's about it for this piece. We're gonna talk about how to manage this very same acquisition, but do it from the Windows controller next.
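The walkthrough above stresses three habits: fill in the case number, evidence tag and full examiner name rather than relying on the free-text description; name the image after case and tag; and always verify the finished image against the hash the tool records. The script below is an added example written for this page, not Evimetry's code or anything shown in the video. It assumes the acquisition tool hands you a disk image file plus the digests it computed, and it hashes the image in chunks (so a multi-hundred-gigabyte image never has to fit in memory), compares them, checks the acquisition record the way the speaker wants it filled in, and works out the throughput figure quoted in the video. The `AcquisitionRecord` fields, the sample image bytes and the 413-second duration are all constructed for the example.

```python
"""Post-acquisition checks for a forensic disk image (added example, not Evimetry's code)."""
import hashlib
import io
import re
from dataclasses import dataclass

CHUNK = 1024 * 1024  # hash 1 MiB at a time so large images stream through without loading into RAM


@dataclass
class AcquisitionRecord:
    """Hypothetical record of the fields the acquisition dialog asks for."""
    case_number: str
    evidence_tag: str
    examiner: str
    description: str = ""  # free text; never the only place a fact is recorded


def validate_record(rec):
    """Return a list of problems; an empty list means the record is acceptable."""
    problems = []
    if not rec.case_number.strip():
        problems.append("case number missing")
    if not rec.evidence_tag.strip():
        problems.append("evidence tag missing")
    tokens = rec.examiner.split()
    if not tokens:
        problems.append("examiner name missing")
    # "J.D." or "J D" is initials, not a name: require at least two tokens of two-plus letters
    elif len(tokens) < 2 or not all(len(re.sub(r"[^A-Za-z]", "", t)) >= 2 for t in tokens):
        problems.append("examiner must be a full name, not initials")
    return problems


def image_basename(rec):
    """Name the image after case number and evidence tag, stripping anything unsafe for a filename."""
    def safe(s):
        return re.sub(r"[^A-Za-z0-9]+", "-", s.strip()).strip("-")
    return f"{safe(rec.case_number)}_tag{safe(rec.evidence_tag)}"


def hash_stream(fobj, algorithms=("md5", "sha1", "sha256")):
    """Read fobj to the end in CHUNK-sized pieces, feeding every requested digest at once."""
    hashes = {a: hashlib.new(a) for a in algorithms}
    total = 0
    while True:
        chunk = fobj.read(CHUNK)
        if not chunk:
            break
        total += len(chunk)
        for h in hashes.values():
            h.update(chunk)
    return total, {a: h.hexdigest() for a, h in hashes.items()}


def verify_image(fobj, recorded):
    """Compare computed digests with those the acquisition tool recorded.

    recorded: {algorithm: hex digest}. Returns (ok, details) where details lists any mismatch.
    """
    size, computed = hash_stream(fobj, tuple(recorded))
    mismatches = {a: (recorded[a].lower(), computed[a]) for a in recorded
                  if recorded[a].lower() != computed[a]}
    return not mismatches, {"bytes": size, "computed": computed, "mismatches": mismatches}


def verify_bytes(data, recorded):
    """Convenience wrapper for in-memory images (used by the self-check below)."""
    return verify_image(io.BytesIO(data), recorded)


def throughput_mb_per_s(num_bytes, seconds):
    """Acquisition rate in decimal megabytes per second, as tools usually report it."""
    return num_bytes / seconds / 1_000_000


# Constructed sample image: a few MiB of zeros plus a marker, and its true SHA-256.
SAMPLE_IMAGE = b"\x00" * (3 * CHUNK) + b"constructed sample image"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()
WRONG_SHA256 = "0" * 64  # stands in for a digest that does not match the image

if __name__ == "__main__":
    rec = AcquisitionRecord("001", "1", "Jane Doe", "Crucial drive from NUC")
    print("record problems:", validate_record(rec) or "none")
    print("image name:", image_basename(rec) + ".aff4")
    ok, details = verify_bytes(SAMPLE_IMAGE, {"sha256": SAMPLE_SHA256})
    print("verified:", ok, "bytes:", details["bytes"])
    # 223 GB in 413 s (constructed duration) reproduces the roughly 540 MB/s quoted in the video
    print("rate MB/s:", round(throughput_mb_per_s(223_000_000_000, 413)))
```

Run it against a real image by replacing `verify_bytes` with `verify_image(open(path, "rb"), {...})`, passing the digests copied from the tool's acquisition log; a non-empty `mismatches` dict means the image on the evidence drive is not the one that was hashed at acquisition time and should not be relied on.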