3.2 Managing the Acquisition Process from the Controller

37 minutes
Video Transcription
All right. Welcome to Evimetry dead-boot forensic acquisition, and let's get right into this.

All right, so we're back on our Evimetry controller, and now we're gonna go ahead and acquire that same target NUC system, but we're going to manage that acquisition process across the network.

So the first thing we're gonna do is use the controller to reach out and connect to the dead-boot agent on that NUC. We connect using the little computer icon up here in the corner, or you can go to File > Connect and all that sort of stuff. And you see we have an agent device that pops up on 192.168.1.101 on the default 9982 port used by Evimetry. So that's our target NUC computer that we want to go ahead and use. It was selected, and we'll hit OK.

And of course you'll see it talk to it in the window down here. Now, if you were wondering how that connection is done, and whether it's secured and all that, the answer is yes. It uses its own TLS key to go ahead and secure that connection between the two. Again, we're not pulling data across that connection. We're simply communicating with that dead-boot agent, and we're going to acquire that data locally to that very same USB drive. So, as you can see, we still have our one terabyte USB drive over there. It's blessed, because we have a little check mark there. So it's a blessed repository device, as we expect. So the first thing we're gonna do is make that our repository for storage.

Now we have a repository and a mount point on that blessed drive. So we've got, you know, 929 gig of space there. The 14 gig drive here is still our system boot device. That's our dead-boot dongle that we made earlier. And then, of course, the /dev/sda 223 gig SSD device inside that NUC, again the Crucial storage device. We get all the nice information about it here, how it's set up, all that kind of stuff. You gotta love that about this tool, but we're gonna go ahead and acquire that.

So we hit Acquire. And then from there it's very much exactly like what we walked through last week, acquiring any old forensic image from the Windows controller. Now again, we're managing it, we're not creating it. So my case number is 001, my evidence number is tag 1 in this case. We're going to put a name in there. We're going to say it's an Intel NUC, and it was called ADF95 from the tag that was on it. We're gonna go ahead and add our container location, which of course is gonna be that local USB drive plugged into that NUC at this point. Again, I'm all about keeping my naming conventions simple, so we're gonna call that case number 001 tag number 1, and so on. We're going to say OK to that. So now we're gonna write that out locally to that repository. So it's telling us that the agent device is gonna write it, on that target computer out there, to that mounted repository that we set up over here. That's our blessed device, right? And we're gonna write that tag number out.

We want a full linear image, right? We're gonna do a full forensic image of that thing. We're gonna go ahead and use that Snappy compression, and we'll use a SHA-1 hash algorithm for verification. Doesn't hurt a darn thing.

So we go ahead and say OK, and immediately in our window here, our active operations window, we see that that process is running, that we're doing a full linear acquisition. It's starting to pick up speed. It's been running for a little bit now. It's already up to 540-some meg worth of collection at the time, and it's gonna finish in about seven minutes. So, same speed that it would before, because we're not really doing anything different than what we did before. We're just managing this across the network now.

Like I said, if I had multiple dead-boot agents out there on multiple computers, I could be collecting 3, 4, 5, 6, 10 computers at a time and manage them all right here from this one Windows console. The way we typically do it at Atlantic Data Forensics is we'll do a two-man team. One person is responsible for the documentation and the double-checking of the images, things like that, while someone else goes ahead and does this part here, the console: makes sure that each and every tag is being collected to the right drive, sets up the dead-boot agents, and things like this.

And in a two-man team you can keep this pretty much rolling. The license we have plugged in here allows us to do 10 computers at a time. And quite honestly, by the time you get the 10th computer booted up and ready to go and you've collected your evidence information about it, your first one that you started a while back is already finished, and you're just rotating constantly through a series of computers. So a two-man team can actually, you know, cover well over 100 computers in a day without a whole lot of work and a whole lot of equipment, just by rotating hard drives and dead-boot agents around and somebody controlling them across the network.

We're gonna take a quick look at the screen on our dead-boot agent. You really shouldn't see anything, but there's a couple crucial pieces I'd like to point out to you when it's being managed from the controller like this.

All right, so this is the dead-boot screen on that NUC called ADF95 that we're currently collecting from, managing it all through our Windows controller over there. And you can see we still have our suspect device up at the top. We have our destination, the blessed drive where it's all being written out to. But we didn't have to fill in any of the content here as to, you know, what the tag number was and our case number and things like this, because that was all done at the controller side. So the controller would take care of writing that information out. One of the key pieces, it's a little hard to see here on the screen, but right down here in the bottom right-hand corner, you have the Evimetry agent with the version that's running. You have it listening, and it actually tells you the IP address. So in this case, 192.168.1.101 is listening on port 9982.

As you're doing a bunch of acquisitions across the network at one time, that's the best way to keep up with which machine you're working with. So what we usually do is we go machine to machine, collect the pertinent information on it, we assign that machine a tag number, and then as it provides an IP in the controller window, we know: all right, tag two's on, you know, machine .102, tag one's on machine .101, and so on and so on, from our DHCP.

It's also a good troubleshooting method. If you have some kind of connection problem or things like that, you're looking down there at that little corner window, and you might notice that it's not reporting an IP address or something like this. That means something might have gone wrong with the DHCP portion and it didn't pick up an IP address, and you might want to reboot that and start over again. Not gonna be hurting anything. You're just rebooting the dead-boot agent. You're not actually firing up the system or anything like that. So no changes are being made to your target drive. And that process will just keep finishing itself out.
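The walkthrough above leaves two things to the documentation person on the two-man team: the SHA-1 verification of each image and the bookkeeping that ties a tag number to the agent address (and the case-number/tag-number container name) so that nothing gets collected to the wrong place. The script below is an added example of that post-acquisition double-check, written for this transcript; it is not Evimetry's own tooling and knows nothing about Evimetry's container format. It assumes the image to verify is a plain file you can read back from the repository drive (a constructed sample file stands in for it here) and that the SHA-1 you compare against is the one recorded when the acquisition finished. The case number, tag number, device label ADF95, address 192.168.1.101 and port 9982 are taken from the walkthrough; the container naming scheme and the JSON log layout are this example's own choices.

```python
"""Post-acquisition hash verification and tag bookkeeping for dead-boot collections.

Added example, not Evimetry's code. Assumes the image is a readable file and
that the expected SHA-1 is the value recorded at acquisition time.
"""
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, asdict

DEFAULT_AGENT_PORT = 9982  # default agent port named in the walkthrough


def container_name(case_number: str, tag_number: int) -> str:
    """Simple naming convention (this example's choice): case number plus tag number."""
    return f"case{case_number}-tag{tag_number:03d}"


@dataclass
class AcquisitionRecord:
    case_number: str
    tag_number: int
    device_label: str   # label written on the machine, e.g. "ADF95"
    agent_ip: str       # IP the agent reports in its corner window
    agent_port: int
    container: str
    sha1: str = ""      # hash recorded when the acquisition completed
    verified: bool = False


def sha1_file(path: str, chunk_size: int = 1024 * 1024) -> str:
    """SHA-1 over the whole file in fixed-size chunks, so a large image never sits in RAM."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path: str, expected_sha1: str) -> bool:
    """Recompute the image hash and compare it with the recorded value (case-insensitive)."""
    return sha1_file(path).lower() == expected_sha1.strip().lower()


def build_tag_index(records) -> dict:
    """tag number -> agent address: the lookup you need with several agents running at once."""
    return {r.tag_number: f"{r.agent_ip}:{r.agent_port}" for r in records}


def write_log(records, path: str) -> None:
    """Persist the records as JSON for the documentation side of the two-man team."""
    with open(path, "w") as fh:
        json.dump([asdict(r) for r in records], fh, indent=2)


def demo():
    """Run the verification flow against a constructed sample file (not real evidence)."""
    tmpdir = tempfile.mkdtemp()
    image_path = os.path.join(tmpdir, container_name("001", 1) + ".raw")
    with open(image_path, "wb") as fh:
        fh.write(b"constructed sample image contents\n" * 4096)

    rec = AcquisitionRecord("001", 1, "ADF95", "192.168.1.101",
                            DEFAULT_AGENT_PORT, container_name("001", 1))
    rec.sha1 = sha1_file(image_path)                   # recorded at completion
    rec.verified = verify_image(image_path, rec.sha1)  # the double-check step

    # Flip one byte in the middle of the copy: verification must now fail.
    with open(image_path, "r+b") as fh:
        fh.seek(4096)
        fh.write(b"X")
    tampered_ok = verify_image(image_path, rec.sha1)

    write_log([rec], os.path.join(tmpdir, "acquisitions.json"))
    return rec, tampered_ok, image_path


if __name__ == "__main__":
    record, still_ok_after_tamper, _ = demo()
    print(f"{record.container} on {record.agent_ip}:{record.agent_port} "
          f"verified={record.verified}, after tamper={still_ok_after_tamper}")
```

The chunked read is the part that matters for real images: a 223 GB SSD image cannot be hashed with a single `read()`, and the same loop works whatever the file size. Keeping the tag-to-address index beside the hashes is what lets the person on the console confirm, before the next drive rotation, that tag 1 really did land on the machine at .101.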