Video Transcription

00:00
All right. This is Basic Evimetry Deadboot Forensic Acquisition using a wireless network.
00:07
Now, we have noticed sometimes that
00:10
the connection from
00:13
the target system to the controller can be a little bit slower over a wireless network. Not exactly sure why that is.
00:23
Um,
00:26
I'm sure there's
00:28
theories and ideas and all that. So we have our controller here with our standard drive. Let's go ahead and
00:35
connect remotely and, boom, there we are. There's our agent device on that IP address, exactly where we expected it to be. Let's
00:44
connect to it.
00:59
Okay,
01:00
well, we had a little connection timeout there,
01:03
as I mentioned, sometimes a little bit funny across the wireless network. But as we see, our agent went ahead and popped up,
01:11
and
01:14
hopefully everything is there.
01:22
All right. Did a refresh on that, and I pick up all my drives there,
01:26
so you can see I have my
01:27
target drive here, which is /dev/sda, the internal drive there. I have my blessed
01:36
repository device there, which is,
01:40
of course, check-marked in green so that it's the only one we can write to. And that's my one terabyte external.
01:47
I'm going to go ahead and add that as a repository, just like we learned before.
01:53
So now we have a repository to write that data to.
01:56
Then we'll go ahead and select the drive that we want to acquire, in this case the internal drive.
02:04
And it's already pre-filled in for me. But we have our case number, eight zeros there, one; our tag number; full name of the examiner. Like I said before, I hate to see people put in short titles and things like that. It is possible to have a Brad Duncan and a Brian Dykstra in the same company.
02:23
And if you put BD in there, who actually did it?
02:27
I don't know. In this case, we're not going to be collecting a USB device. We're actually going to be collecting the internal hard drive. So in this case, I'd say,
02:39
you know, that
02:44
Intel NUC,
02:47
which is marked as 80 F 95.
02:53
I don't know. Let's just give it a little bit of information here again. As you know, my policy is we don't do real documentation here. This is just some helpful
03:07
helpful information
03:08
for later. So, Intel NUC 80 F 95, /dev/sda, is an M.2 SATA drive. Now we
03:17
select our
03:20
repository where we're going to store that image
03:23
again. Evimetry tries to help us out by putting a little extra information in there. I feel like it's a little bit too much information, but that's all a
03:35
personal taste sort of thing. We're going to do that same full linear acquisition, although I could do any one of the ones we wanted here.
03:42
I'm going to use the Snappy compression, of course, because that makes it super fast. And we'll just let it go ahead and do that SHA-1 block hashing.
03:50
So it looks like we're pretty much set here, and we go ahead and kick off our acquisition.
03:57
And just like that, we are managing that acquisition
04:01
across the network
04:03
again. Like I said,
04:06
none of the actual acquisition process is sending data across the network other than what we're seeing right here in the controller window, which is us monitoring the process. So we can watch the process here, we could shut off the process, we could do whatever we wanted to it. But it's not sending the data across the network.
04:27
The data is actually being dumped to that locally attached
04:30
/dev/sdb device there, which is our blessed repository device. And that's why you're seeing incredibly good
04:40
file transfer rates. They're already, it looks like, over 31 gig a minute or 540-some meg per minute. So awesome transfer rates. Right.
04:51
Again, why we're using Evimetry to begin with is we like faster transfer rates.
04:58
So that's going on. One of my investigators brought up this morning, was like, "Oh, you know what you should do? You should show them what happens when you lose connection with the wireless network or something."
05:15
It's like, okay, well, that's something I hate to do in a demo. He's like, "No, you've got to do it. It's not a real demo unless something breaks." You're right. So, one of the great parts about this is, because we're only managing and monitoring the collection from here, if I disconnect from
05:34
the wireless network at this point, I could come back and connect to it and pick up this running process again. So, just to test fate here,
05:47
I'm going to go ahead and disconnect
05:50
from the Atlantic DF wireless network,
05:57
and I should see... Yep, I've lost connection. My window, my controller disappears from the main window. Oh, my goodness, everything is wrong. It's terrible. It's bad.
06:10
But wait.
06:12
Maybe
06:13
if I connect back up,
06:19
connect back to that Atlantic DF network.
06:26
It'll show me some love.
06:30
I can go back over here, say Connected Agents, and look at that. My agent pops back up in the window there.
06:38
Select it again.
06:40
Say OK
06:44
and my agent device fills in.
06:47
And look at that.
06:50
My
06:51
acquisition has continued right along as expected.
06:57
Um,
06:59
Speed hasn't changed. Still cranking along at 540-some meg per second
07:03
with only three and a half, three minutes and 50 seconds left to go on that total acquisition, that 230 gig drive there. Even though we had a disruption of the network, because again it really doesn't matter.
07:19
You know, like I said, we're monitoring and managing across the wireless network, not actually pulling the data. I know that's getting redundant, but some people get confused by it. I get that all the time from folks. It's, "Well, it's going to choke the network to death." No, it's not going to choke the network to death. We can easily do 30, 40 connections across the network at a time
07:40
since they're all individual,
07:43
you know, HTTP-type connections. There's not going to be any disruption in the network from that small amount of network traffic flowing across it.
07:54
So our acquisition will go on just as promised, right across the wireless network there.
08:03
And let's pop back over to our slides. So we connected the Evimetry WiFi dongle and our Panda adapter to the target computer and started them up. That went nicely. We checked to make sure they were connected to the network.
08:18
It automatically went ahead and fired up. Our USB adapter connected itself automatically to the Atlantic DF network because, of course, we put the SSID and pre-shared key in there. And then we connected the controller to it, and then we actually disconnected the controller from it and reconnected
08:35
just to prove that it was resistant to that sort of interruption. That actually works on a wired network also. It can even work across the Internet like that, because all the collection is occurring on the remote system, so it doesn't really have anything to do with your local controller system other than updating it.


Basic Evimetry Deadboot Forensic Acquisition: Wireless Network

This course covers how to edit the configuration of an Evimetry Deadboot dongle so that we can automatically boot a target system onto a WiFi network. The course also covers managing the forensic imaging process over a wireless network and what to do if you lose connection to a running Evimetry forensic acquisition from the Evimetry Controller.

Instructed By

Brian Dykstra
CEO and President of Atlantic Data Forensics
Instructor