Course Summary

Time
19 minutes
Difficulty
Intermediate
Video Transcription
00:00
>> Welcome to the 7th in
00:00
our series of Cyber 8 courses here,
00:00
this is the Evimetry Filesystem Bridge.
00:00
That was really quick,
00:00
but really important, because without that,
00:00
that bit on the filesystem bridge,
00:00
you weren't going to be able to open up
00:00
your AFF4 file, so it seems like it's a good idea.
00:00
Also, before we go,
00:00
what I just did there,
00:00
opening up my forensic image with FTK Imager,
00:00
can't say enough nice things about
00:00
the people at AccessData for
00:00
having provided all of us that tool for free for years.
00:00
That's something you should be doing at
00:00
the end of every forensic image you make.
00:00
You're out there, you're imaging
00:00
a bunch of drives, things like this.
00:00
You got a verification hash and it matches and
00:00
all that stuff and you record it on your documentation.
00:00
But do you know that your
00:00
forensic image is actually good,
00:00
can you actually see a file system
00:00
on there and things like that?
00:00
Well, you can't if you don't check it.
00:00
One of the procedures that we like to do at
00:00
Atlantic Data Forensics with all our images
00:00
is once we've recorded that hash,
00:00
someone goes ahead and mounts and
00:00
opens up every one of those forensic images,
00:00
usually using FTK Imager,
00:00
just to make sure we've got a
00:00
good file system collection
00:00
there where they open
00:00
up in BlackBag or whatever it might be.
00:00
Just to make sure you got a
00:00
complete and working collection
00:00
because there's nothing worse than,
00:00
there's one opportunity to collect
00:00
a forensic image off a computer,
00:00
there's a very small window of time,
00:00
everything looked good.
00:00
As soon as you finish, you just packed it up and go
00:00
and then you discover the next day or two days later,
00:00
oh yeah, it verified out,
00:00
but it verified out a garbage image.
00:00
That's not good for
00:00
anybody, you're going to have to go back and
00:00
talk to the clients about that, things like that.
00:00
Something to add into your processes at the end,
00:00
I'm closing on my documentation,
00:00
make sure you open up your forensic image
00:00
and actually validate
00:00
there's a real file system there,
00:00
I see real files,
00:00
everything looks the way I would expect
00:00
a forensic image of that type of disk to look;
00:00
saves a lot of tears and gnashing of
00:00
teeth and people screaming at each other later on.
00:00
To summarize today's video,
00:00
we learned about
00:00
the Evimetry Filesystem Bridge and how it gets used,
00:00
we use the Evimetry Filesystem Bridge
00:00
to go ahead and access one of
00:00
our previously acquired AFF4
00:00
forensic images and then we
00:00
took a quick look at some of
00:00
the forensic programs out there
00:00
commonly in use that are
00:00
already natively incorporating AFF4
00:00
as one of their supported forensic image formats.
00:00
As always, get your forensic stuff
00:00
together, come on and learn with us.