48 minutes
Video Transcription
All right. Welcome to Advanced Evimetry Forensic Acquisition. We'll talk about allocated, non-linear partial, and live images today.
And I'm Brian Dykstra. I'm the CEO of Atlantic Data Forensics. I was a co-founder of Mandiant, and way back in the day before that I was a contract cybercrime instructor at the FBI Academy in Quantico. My background is in military intelligence work, things like that. I have a bunch of certifications and so forth.
If you have questions about this course or any of the other courses that I have narrated here, feel free to reach out to me. Email me at cybrary@atlanticdf.com and I will, no kidding, actually respond to you.
Let's see. So, Atlantic Data Forensics. We were founded in 2007. We're currently headquartered in Elkridge, Maryland, just out from the BWI airport there. We do computer forensics for civil and criminal litigation. We also do e-discovery for large law firm cases, we do nonstop 24/7 incident response and data breach services, we do a lot of internal corporate HR investigations, and of course we do incident response training and exercises, working with companies to improve their incident response capabilities. We also have offices out in Denver and Detroit, if you feel like visiting us.
All right. Prerequisites for this course: pretty limited. As I always say whenever we talk about doing forensic acquisitions, document your evidence first. You're gonna get one shot to do that, and you're gonna want to do it right. You can never go back and recreate that paperwork accurately. And in many cases, you're gonna get literally one shot. The computer's gonna be there, and then it's gonna be gone and you'll never see it again.
So, you know, do yourself a favor: do your documentation first, then worry about getting technical and how you're gonna acquire this thing. If you're not sure what you should be doing as far as evidence collection goes and documenting it, see my course on evidence handling, doing it the right way. If you're not familiar with some of the basic parts of Evimetry, I've got the basic Evimetry dead boot forensic acquisition on wired and local networks. It would be worth taking a look at, and I encourage you to play along at home. You know, when you're watching these videos, go to the Evimetry site, go to evimetry.com, click on the eval button there, and you can download yourself a 30-day, fully functional eval copy of Evimetry.
Get yourself familiar with the tool. Do your own versions of what I'm doing here, the best that you can figure out, all that sort of stuff on your own, which is, you know, a great way to learn. And if you have more questions about how the AFF4 forensic file format works and things like that, I encourage you to dig in, and you really should. If you're gonna be a forensics expert or, you know, consulting on forensics for people, you should know how your data is being stored, how it's being hashed, how it's being acquired, things like that.
I encourage you to go look at the Advanced AFF4 public PDF that Dr Bradley Schatz has got there on his website. It's a great presentation. It goes all the way through the history of the protocol and, you know, the things that make it better than, say, the Expert Witness Format or doing raw dd images and things like that.
So, you know, definitely you should read that document.
All right. Course material for today: pretty basic stuff. We need an Internet-connected computer because we're gonna be doing a little bit of online sort of stuff. We need an evaluation copy of Evimetry, like I said, if you're gonna play along at home, and you should. We need an evidence computer or drive out there.
We need a USB thumb drive for our dead boot agent, and we're gonna need an extra USB thumb drive for live booting because we're going to live boot today. You need to be on a network. You need to have some sort of DHCP source. It could be a wired or a wireless network, doesn't really matter, and then you need a storage drive. I'm just using a standard USB 3 external Western Digital hard drive. Nothing fancy required to do this. You can do it with the leftover stuff you have laying around.
All right. Target audience: as always, computer forensics professionals, incident responders. You're gonna find, if you're doing incident response, you do a lot of these forensics tasks too. And, you know, information technology professionals that, for one reason or another, get roped into trying to do some of this forensic stuff.
Our learning objectives. Let's see, learning objectives, right.
We'll learn how to make an Evimetry allocated-only forensic image. It's not as complicated as it sounds. We'll learn how to make an Evimetry non-linear partial forensic image. I like to call that a file type image. I know Dr Schatz has good reasons for why he doesn't like that, but that's what I call it anyway. We'll talk about how to make an Evimetry live forensic image of a Windows target computer, and then we're gonna take a look at the downloadable pull and push Evimetry live agent. So we cover quite a bit of material in this course, but it's all a little bit more advanced.
All right, so going back to our Evimetry stack here, we're definitely at the top of the chart. We're going to be using the Evimetry controller today throughout this process. We are going to be using the dead boot agents a bit for some of what we're doing. We're also gonna be over on the far right-hand side of that chart today, talking about the live agent and how to use that. Not gonna do any cloud in this particular one. We will get to that soon, that I promise you.
And of course, down at the bottom, we're gonna drop both our dead and live agent stuff into AFF4 image containers. So that's how it's all gonna roll out.
Advanced Evimetry Forensic Acquisition: Allocated, Non-Linear Partial, and Live Images

This free course covers advanced forms of disk imaging that can be invaluable in cases where acquiring large amounts of unused disk space is not ideal, where only certain file types are needed, or when you need to collect data from a live system.