Creating an Allocated-Only Image

48 minutes
Video Transcription
All right. Welcome to advanced Evimetry forensic acquisition. We'll talk about allocated, nonlinear, partial and live images today. All right, so let's just hop over to the Evimetry controller here, and we're gonna go ahead and make one of those allocated-only images.

So I've got my Evimetry controller open. No big deal. It's on the network here, and I'm going to connect to my already dead-booted computer over there, which is 1.101. So I've connected that. Give it a second, and it will pop up on the network here, and we'll refresh all that and wham bam, all my disks over there open up.
All right. Looks like I did it to myself again. I've got multiple small boot disks, or boot dongles, over there. So one is my actual boot, on the Patriot one. The other one's my target disk. But all right, as you can see, I have the source disk that's in the remote computer there. That's not what we're interested in today. We're gonna focus on this small SanDisk Cruzer here. And, of course, I have a large blessed repository device that I'm going to go ahead and drop my content to, so I'll go ahead and add that as my data repository.

Of course, you remember from the other course that the little green check mark indicates that that is the only drive that I'm allowed to write to, right? That's my blessed repository drive.

So the SanDisk Cruzer is the one that we're gonna want to do our allocated-only collection on now. Honestly, this is not a very big disk, right? 7.5 gigs. So, you know, a cheap, you know, USB thumb drive. But, you know, I don't want to collect all that. Maybe it'd be more fun, let's collect this one.
Right. So we've got a whole great big 233 gig disk here, and I only need to do the allocated space on that, right? It's gonna be much less than everything else. So if I say let's acquire that, and I've got all my information in here, as in my case, my tag number and my examiner name, and then I'm going to say I'm going to collect this... let's see, what is it? It's, uh, it's an NVMe drive.

All right, again, you know, all this information you see over here, plus serial numbers and all that sort of stuff about the disk, is gonna end up in my log. So I really don't like to put too much in the description; that becomes a bad-habit sort of thing. You should really be doing your collection documentation ahead of time.

I like to shorten up my file names here for my evidence. So I'm gonna call it just case number, tag number. And then, of course, we'll do the .aff4 extension on that. So it's going right out to that repository that we have here, the SSD drive which we mounted, for the AFF4 image. Now, normally, we're doing a full linear acquisition, right? We're copying every bit on the disk from end to end, but here we're talking about nonlinear. So only the, excuse me, allocated only. We're talking about only the allocated space on the disk. So if it's, you know, a gigantic disk in there and only 30 or 40 gig of it's actually used by files, that's all we're gonna end up collecting, and we'll leave the hash and stuff alone the way it is. And remember what I said: make sure that Verify Image on Completion is checked, as well as Capture Auto Close. If you don't check Capture Auto Close, when it reaches the end it will just sit there and wait to see if you want to do something else, which we don't.
All right, so I go ahead and say OK. I've got a 223 gig, you know, disk there. As you can see, it pops right up, starts acquiring it. Now we're not acquiring to my controller here, as we talked about before. We're actually acquiring to that blessed hard drive over there on the local computer. So all that's occurring remotely on that target system. Our system's dead-booted, and it's dropping the information out. But we shouldn't end up with a 223 gig image. We should end up with a very small forensic image. It's only a fraction of the size of the total disk because it's only gonna be the files that are actually, you know, on there.

I've been thinking about this. I would have figured out how much time this was gonna take in advance before going live with it. But, you know, we'll just do it live, huh? Looks like my question was just answered. So off of that whole 223 gig disk, we only had an actual 22.6 gig of allocated space there. So that's all we went ahead and grabbed. That's where, you know, the file system and any user-created files and things like that are. It went ahead and did the verification pass. We've got our block hash down here. I got a really good rate of collection on that, as well as a great rate of verification. And we're done. So we would expect to have a, you know, a fairly small image over there of, you know, just the allocated space. So we saved ourselves a ton of time over collecting the entire 223 gig disk, most of which was gonna be empty. Not really what we're looking for.

All right. So it's popped back into our allocated-only. Like I said, make sure Capture Auto Close is done there so that it automatically finishes and heads off to the verification process.
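As an added illustration, not Evimetry's code or the AFF4 format, here is a toy in Python of what an allocated-only (nonlinear) image captures compared with a full linear copy, with a verify-on-completion pass that re-hashes every captured block. The disk contents, block size, allocation bitmap and transfer rate are all constructed for the example.

```python
"""Toy allocated-only imaging (constructed example, not Evimetry code)."""
import hashlib

BLOCK_SIZE = 512  # bytes per block in the constructed disk


def allocated_only_image(disk: bytes, bitmap: list) -> dict:
    """Copy only the blocks the allocation bitmap marks as in use.

    The result is nonlinear: a map of block index -> data, so each block
    keeps its original offset, plus a SHA-256 per block for verification.
    """
    assert len(disk) == len(bitmap) * BLOCK_SIZE
    blocks, hashes = {}, {}
    for idx, used in enumerate(bitmap):
        if not used:
            continue  # unallocated space is skipped, never read into the image
        data = disk[idx * BLOCK_SIZE:(idx + 1) * BLOCK_SIZE]
        blocks[idx] = data
        hashes[idx] = hashlib.sha256(data).hexdigest()
    return {"block_size": BLOCK_SIZE, "blocks": blocks, "hashes": hashes}


def verify_image(image: dict) -> bool:
    """The 'verify image on completion' pass: re-hash every stored block."""
    return all(hashlib.sha256(data).hexdigest() == image["hashes"][idx]
               for idx, data in image["blocks"].items())


def image_stats(image: dict, disk_len: int, rate_bytes_per_s: float) -> dict:
    """Captured size versus a full linear copy, and the time each would take
    at an assumed constant transfer rate (the rate is a constructed input)."""
    captured = len(image["blocks"]) * image["block_size"]
    return {"captured_bytes": captured,
            "full_bytes": disk_len,
            "fraction": captured / disk_len,
            "allocated_seconds": captured / rate_bytes_per_s,
            "linear_seconds": disk_len / rate_bytes_per_s}


def make_sample_disk(n_blocks: int = 16):
    """Constructed sample: 16 blocks, only blocks 0, 1, 5 and 9 hold file data;
    every other block is zero-filled free space."""
    bitmap = [i in (0, 1, 5, 9) for i in range(n_blocks)]
    disk = b"".join(
        (b"FILEDATA%02d" % i).ljust(BLOCK_SIZE, b"\xaa") if bitmap[i]
        else bytes(BLOCK_SIZE) for i in range(n_blocks))
    return disk, bitmap
```

Run `allocated_only_image` on the sample disk and the image holds a quarter of the bytes of a linear copy, which is where the time saving in the video comes from; changing any captured block afterwards makes `verify_image` fail.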