Creating a Non-Linear Partial Image

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

48 minutes
Video Transcription
All right, Welcome to advanced ever Met Tree forensic acquisition. We'll talk about allocated nonlinear, partial and live images today.
All right, so, um, creating a nonlinear partial and we'll walk through this directly. But again, you need to make sure that when you do this, you click or check your capture Auto close, and you're making that nonlinear partial forensic image.
And one of my favorite things here and we do this all the time is if I have a case and, you know, I can say I only need to collect word docks and excel spreadsheets because, you know, it's whatever it's about contracts and finances, and that's all they want. Everybody's agreed that that's what they want.
I can actually create my own category, and we gonna those categories of pop up and you see here in the
in the, uh in the graphic that that that ever met has already got a bunch of of common sense of file types that you might want to grab. You know, maybe on Lee, the pictures are only the Microsoft office documents. Or, you know, I'm only interested in, you know, execute herbal files or something like that, depending on. You know what? You're
what you're doing. You It's like those. But we could also create our
own specific category for our case. The beauty of doing that is you ca n't trade that that Yamil file It's actually starting a file called Query Zamili. Amul stands for yet another mark up language. Very easy to read. You could trade that yam Oh, file around between
all your investigators doing collections and you could ensure that everybody was collecting exactly the same documents every time.
So So let's go take a look at that Fox. It's It's not very hard to deal with. So to different places that's gonna be on your on your controller system, either in the program files ever met Reconfiguration folder or it's gonna be in your profile app, data, local elementary configuration
and the good news. It's It's always called queries. Gammell. So
I've already found mine,
and I am in the
Program files Elementary Configuration folder and there's my QUERIES. Diana File. All right, The easiest way to edit this is in something nice and simple, like note pad plus plus. So I'm gonna open up my queries, Dottie Ammo
as you can see here I have this very simple yeah mo file with all my different types sorted out. So I give I give it a name. So this this one's called archives, and it collects zips and and tar Jeez, it files and seven zips. It's got a priority of six. So it's pretty analyst. And then the parameters here actually define all the different
compressed type files that it would go ahead and grab if you chose to
To use that. There's a bunch of other, you know, all the Microsoft Office documents in the the OpenOffice document. So on. So these are all the pre configured ones, eh? So I could go down here to the bottom of my file, and I could actually create my my own entry, which I have done here so I could name it
something like, I have files for case, huh?
Case a zero or one. And let's do this from scratch. So I'm gonna go ahead and delete what I already have in here.
Um, I'm gonna get rid of that, and we will come up here, and since we know we're gonna grab office document files, we're gonna just copy this existing bit here
will control. See action
on and I will paste it in right here at the bottom. And let's let's just do this again. So we'll say
Caesar files for Casey 00 ones where Neymar thing falls for
a 001
and I only want to collect two things. So I'm gonna say I'm only collecting
documents and spreadsheets. I want this to Papa right to the top of everybody's screen when they when they do their collections are gonna make it a priority one.
And then here's my parameters, the bottom. So I'm going to edit this to Onley collect the file types that I wanted, So I'm not interested in d o t files. I am interested in spreadsheets.
Um, I don't care about power point files. I don't care about pub files. I do care about doc files,
you know? So I might carry about Doc and Doc, axe and dot and examined and all that stuff and all the variations of my excel files Maybe excel, workbooks and things like that. Um,
but none of these awful power point files down here got to get rid of those. Nobody would want that.
And right down to the end, make sure you don't
get rid of your, ah, close parent there. And and, uh, and dollar signs. So So now we've made our own, you know, uh, nonlinear our own, my own criteria for collecting these file types, which is just documents and excel spreadsheets, you know, in in a variety of permutations.
Um, we've created our name for that collector,
and we've we've set a priority for it. I can go ahead and save that. This is what I like to do it. No pad plus, boss, it's like, Hey, did you know you gotta be the administrator mode to say that I didn't And it says, Yeah, that's that's the thing. Would you like to do that? Yes, I would. And it lets me go ahead and save it super handy.
No pad plus plus free. And your friend.
All right, so we go ahead and close out of that
so it goes back to doing that.
Jump back over here.
Toe our collector. All right. So
can I still have my remote agent connected across the network? It when I too want to say 1.101 And this time I have my Sandis cruiser. And this is my target, Dr. But we're only gonna collect docks and spreadsheets off it. So
and I still have that same blessed repositories Drive connected, someone say, acquire
my Sandis Cruiser. Case number is a 001 In this case, we're going to say,
Call it tag, too, because my second collection, I want to say sand disc cruiser,
um, word
docks and
excels spreadsheets.
She's small spreadsheets. Um, all right, so SanDisk just one k is good enough. Sandis cruiser Were docks and Excel spreadsheets again. Like I said, don't use This is your primary source of collection information. It's just a handy little field. Uh, don't Don't make that the only way you collect data.
Um, all right. And we're going to go ahead and
put our container location in there again. A chop off that extra bit about serial number because I've already got that collected,
and we're gonna call that case number, razors or one tag to that all Sounds great.
We're gonna come down here. What type of collection are we going to do? We're going to do that nonlinear partial
member got to do. Capture auto close there. We can leave everything the way it is. We always want to verify. Our image is almost never a reason not to do that. Um, having said that occasionally there is a reason, but not too often, Um, and we can leave our hash algorithm the same way it always is.
So we identified our case number. We changed our tag number with Examiner. We got a little bit of a description here.
We know where we're right in the data out to, um we've selected our motive acquisition, the nonlinear partial. And we hit next, and we're presented with that nice little box that we showed before in the in the sides. And right at the top is files for case,
a 001 Just the way we selected,
you know, when it's dark and excel spreadsheets,
you know, things. Things change depending on what you're doing. Sometimes, even when we're collecting a small amount of very refined data like this, you know, just these two file types will also do something like, Well, you know, they might need to know just a little bit more about this, so we might select,
You know, something like registry hives or something like that. So
So somebody comes back and says So what about, you know, was was that from a spread from a USB drive or something like that? I could look into the eyes of figure out with them, But when was the last time that was booted? So sometimes we'll we'll collect a tiny bit more. But, you know, that's
you gotta gotta make good choices about that.
Um, and then I like to, you know, collect this sa quickest little boxer of the bottom on. It gives me a notification down here in the console window about the files that it finds as it collects them. Now, soon as I click on that, because because Dr Schatz is a good guy, he lets me know that. Like, look, hey,
I'm putting all this stuff out of the screen so you can take a look at it.
It could slow down your your acquisition, but we're doing a really small collection. You know that I'm not really concerned about that. Something say Yep. I acknowledge that seems like a good idea. And I go ahead and hit OK,
and I should start getting a collection right away. Wow. Wow. Was that fast? So it, uh, it collected my files and verified it. I don't even know if I got to see what he collected. It went by so fast. If I go back up here, did it, didn't actually tell me what it found.
Uh, here it is. There's a whole bunch of spreadsheets and documents and doc exes and and things that it was collecting as it went by that match the criteria. So I get to see you know, what the what the i d. Was the name of the file file size and that it matched based on our search criteria there.
And then, of course, it,
you know, finish the collection, hashed it out super fast, things like that. And look at this. I acquired 6.6 meg of files specific to my criteria, out of a seven and 1/2 gig desk or a cake. You know, thumb drive now, you know, eight gig thumb drive.
Sure. I could have collected the whole drive. Would have been a big burden to do that, right? Really small this.
But if that was, you know, a terabyte disc, and there was only, you know, six gig of our six make of spreadsheets and documents on there. We would have saved a ton of time over collecting that entire dis which might have taken, you know, closer to,
you know, hour, hour and 1/2 maybe two hours to collect an entire
one terabyte disk. So I have all my files without with that I wanted without a fuss of collecting the rest of Dr If that's a scenario where you just don't need that other data again, it's all about having, you know, flexible options, right?
Up Next