Creating a Deadboot Drive for a Dongle-less Forensic Acquisition

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

39 minutes
Video Transcription
welcome to Advanced Elementary Forensic acquisition. Today, we're gonna do Dong Galis Cloud and persistent cloud acquisitions. So hold onto your pants. So it's just jump right in today. We're gonna be When we look at our elementary stack here, we're definitely gonna be using the elementary controller up there at the top.
Ah, we're actually going to use the dead boot agent for the Dong Galis. But then we're gonna move ourselves straight over to the cloud agent and the light agent for doing the the cloud collection. And, of course, everything is going to go into and if a four image container file for forensics
All right, so Dongle is ever met tree acquisitions? Um,
you know, why would you want to do a Douglas acquisition? It's gonna be useful when you get, ah, suspect Atari computer that isn't connected to a network in any way, for whatever reason. Or maybe I'm running a whole series of equities acquisitions over here on one part of the network. And I have,
you know, 11 server or something over there that I need to collect too.
Um, I don't have to interrupt things by moving down, goes around to do that. I can actually do a Dong Galis acquisition. Ah, and keep everything moving along. Um, what it actually does is we put the ever metric dead boot agent and a temporary elementary software licence right onto the storage drive.
Ah, that your collecting too, so that everything is all in 11 source we have
your your story is Dr becomes your your dead boot agent. And on licence, all in one
where this gets a little bit different. Is it requires with the call a USB attached scuzzy or USB attached? Scuzzy protocol. You'll see him referred to different ways U s or U S P ah, storage drive. So right now, the standard, uh, Western digital, uh,
drives that I that I love using so much don't actually support that protocol,
but, uh, Samsung supports it with these. These nice little portable SSD drives both e t five or t seven SST. Story tries both of those support U S p
pretty darn fast pictures over there in the side panel, the blue one on the top is the T five and the silver one. The bottom is a T seven. They're very small, very sturdy. in a solid state, right? So, you know, you can take a pounding and keep coming back, and they're physically very, very small, too. I mean, I could probably
you know,
these things are just barely credit card size in reality. So So you can you can carry a whole bunch of these with you, and then they don't wait. Hardly anything. Ah, the t five. Ah, little bit older. One transfers it at 500 more. 40 megabits per second megabytes per second. Scuse me?
So that's gonna be about the same as your standard. You know, spinning disc.
You know, Western Digital or C gate, you know, Ah, external USB drive that you're running right now. The T seven, on the other hand, transfers at ah 1050 megabits per second or megabytes per second. Man did it again.
So you should see some significant speed advantages off that I know Doc Schatz in is ah,
in his discussion of the effort form format talks to ah, he's got a bunch of speed comparisons in there and some of those rough t seven drives, and it is blinding fast, you know, like everything else faster means more expensive right cars or hard drives. Doesn't matter. If you want to go faster, it's gonna cost you more. So, t five,
I think we got t five for just a little bit over 130 $140
for a one terabyte t five. Whereas that same one terabyte in a T seven was closer to 300 some odd dollars. So, um, gonna cost you a bit mawr than maybe you want to pay. Or maybe clients willing to pay for that, that sort of storage. But
you could always collect with something like that and then transferred off to something else.
You know, for long term storage just too fast, collection on T sevens and things like this.
Anyway, you have to work that on your own.
All right, so the process is pretty straightforward. Um, we're gonna connect R U S P storage drive to the elementary controller
in the upper right hand window of the of a metre controller. We're gonna log in to the my of a metric page.
Um, we're gonna right click on our USP drive and say, create a dead boot and follow the standard dead boot creation process. that we've been doing all along at this point.
Um, And then next, we're going to click on that same drive after we created the dead boot and were to say, provision imager. What that's gonna do is going to place a 48 hour software licence forever battery on the drive, and then we're gonna go ahead and just acquire that our target system,
the way we would from any old other dead boot.
Except we don't take the dongle with us. We don't have to run it from the control or anything else. We just run everything from the one target drive.
So now that I said all that, why don't we go ahead and do it? Let me pop over to my every metric control or
all right, so
the physical drive one here is my USP, Dr um and you can see it right here.
Did it pull the name of the try? Yeah, There it is.
Samsung portable SSD t five. So we've got that s so far I haven't done anything with it is just a standard next. Ah,
fat formatted drive. Nothing special.
So, like I said, we're gonna go up here to the right uppermost corner log into my ever met tree is gonna pop up a nice little window,
all right? And once you got yourself logged in there, you notice there's current entitlements, all entitlements, and you can log yourself out. We don't actually need to do anything with that. Ah, well, just have it there were logged in. Um, you can see down here at the bottom
user Briand Istria logged into my of metro dot com Um, all that sort of stuff. So let's let's do the first step, which is we're going to
create a dead boot
dr. Here,
and we're going to go ahead and
put our
dead boot agent image on its
all right,
and it's gonna formatted at the same time. Of course, we're like, Yep, that seems like a great idea.
And it went into that in lightning fast time
because it builds up a little bit of a delay as it finishes out. It's it's interesting to me.
Sure, there's some significantly good reason for it. I just don't know what it is,
all right. And it finished. Took a whopping 21 seconds. So we've got a dead boot drive now you can see it's ah, set itself up is a blessed local repository, all that sort of stuff. And then we're gonna say provision image or here
and we only really have one choice is like license all that. It's going to go ahead and apply that license to our drive.
And I get a message back that the license for imager was granted for my device. Samsung portable, blah, blah, blah and Boom.
All right, so that's all there really is to get in that disc set up. Um, it's now good for a 48 hour window. So we're gonna take that toe. Are other system over here, and we're going to
collect very rapidly a system without a without a Dunckel.
Up Next