Video Transcription

00:00
Welcome to Advanced Evimetry Forensic Acquisition. Today, we're gonna do dongle-less, cloud and persistent cloud acquisitions. So hold onto your pants.
00:10
So, to collect from it, we're actually going to use the Evimetry live agent. Now, I have a whole course on the live agents and how you use them and how you get them on the systems and stuff like that. So if you, you know, haven't seen that, definitely go check that course out on the various uses of a live agent.
00:29
But basically, what we're gonna do is we're gonna go right back to that
00:33
Evimetry page. We're gonna select Live, and we're gonna say Pull a live agent.
00:38
We're going to select the cloud agent operating system that we're using. In this case, we're gonna pull the Windows x64 because we're gonna collect a Windows Server 2019 system.
00:49
Um, and then from an RDP session to that Windows server, we're gonna open up a PowerShell administrator console, and we're going to paste the live agent PowerShell script right in there, and it's gonna pull all the necessary live agent files. To see, expect pull live agent, right, um,
01:07
all the live agent files necessary for us,
01:10
and then we'll execute those at the console. And, ah, that will go ahead and, ah, start up that process. And then we're gonna do exactly like we would for any other live agent usage. We're just gonna say dot slash evimetry agent dot exe, and we're gonna point it, but this time we're gonna point it at that IP
01:29
of
01:30
the, er, the cloud agent system, because that's actually where the repository's going to go on. And then we will proceed with a normal Evimetry collection. I know you're gonna want to come back and review these later, because I just said a whole bunch of stuff like, Brian, I'm not following you anymore. I understand completely.
01:47
Um, so let's just actually do it live, and, uh, you'll get a chance to see how easy it really is. So we start off over here in our,
01:57
er,
01:59
Evimetry,
02:00
over where we just left off. And this time we're gonna say Pull a live agent instead of Deploy a cloud agent.
02:07
Then, like we really said, we've been through this before, been through the push and the pull methods. Um, we're going to select the Windows x64 because we are, of course,
02:19
collecting a, ah,
02:21
64-bit Windows server. And then we're just gonna probably just do a Control-A here.
02:27
Oops, grabbed the whole page. That was ugly.
02:30
Um, now grab everything that's in that window there.
02:37
And then I am already RDP'd over here
02:40
into that, ah, AWS Windows Server instance. You can see it over here. It's got all its information, its IP and its public IP and silliness like that that they're good about having. It's only got a gig of memory, a micro instance, not too big. And then I'm just gonna
02:59
paste this all into my PowerShell
03:01
admin window here
03:04
and hit Enter,
03:07
and it's gonna go ahead and pull all the necessary files down to run the live agent, which is just super handy, right? Don't have to copy stuff around, and just, boop, there it is. And as you can see, it pulled the, er, pulled the agent, ah, all the keys, PEM and everything that I need to make,
03:27
make this happen.
03:28
It's kind of running off the screen there. There we go. We can see everything that's there.
03:32
All right. So all I need to do at this point is dot,
03:38
uh, maybe what I need to do is clear the screen.
03:43
Yes, there we go.
03:45
So all I need to do at this point is dot slash
03:50
evimetry agent. Now, remember, we have to point it at our Evimetry cloud agent system. So if you, uh, remember previously,
04:00
that was at a slightly different location than expected. So what we were actually looking for is that public IP address there again. Um, we're gonna copy that to the clipboard just to make it easy.
04:13
Jump back over here
04:15
and paste that in.
04:17
All right,
04:18
So we're telling the live agent, when you write your data out, you're gonna want to write it over to that machine,
04:26
and we're gonna hit enter, and we're going to see it get itself set up
04:30
for that, and things are gonna look good.
04:33
Now we're gonna drop back over to our Evimetry controller. Look at that.
04:40
So there's our live agent system,
04:43
and down below that we actually have our live agent system
04:47
and the physical drive there and everything else. Now, normally, I'd have to create a blessed drive for the data to go to and that sort of thing. In this case, the cloud agent takes care of that whole part. So it's just ready to go on that repository folder there.
05:03
So I'm gonna select my physical drive zero here. And you see, I have 30 gigs of storage and 30 gigs of, ah, disk. So obviously, I don't want to do a one-for-one, uh, sort of copy there, right? I'm gonna want to do something smaller, so I'm gonna say, acquire this
05:20
target system.
05:23
Look, it's like I was prepared for this. Case number, easy, A001, tag one again, examiner name, and add a little description: Evimetry AWS Windows 2019 server. Um,
05:33
and I'm gonna add a container location,
05:36
and it's automatically going to load that Evimetry cloud agent slash repository site. All I really need to do is set my
05:47
name here
05:50
to, uh, A001 dash tag one,
05:56
because I like simple names
06:00
and of course, it's gonna remind me, you know, look, you don't have enough space to do a whole full linear acquisition at this point. But I know that.
06:09
All right. So the next thing I'm gonna want to do is, I'm gonna want to come down here, and I'm gonna want, like, some other form of acquisition. In this case, I'm going to say, well, just give me the files that are actually there, all the allocated disk. Um,
06:21
so that will be fine. Now again, if you watched my thing on allocated and, ah, allocated, nonlinear partial, live access and all that, the course on that, you know that whenever you use allocated only or nonlinear partial or allocated remainder,
06:41
you need to make sure that you click on that capture auto-close at the end,
06:45
so that it actually finishes, writes the image to the disk and then goes ahead and automatically verifies it. So I've got everything set up. I've got my case number. I've got it going to the repository. Um, and I've selected the disk I want to collect from, and I say OK,
07:03
and just like that,
07:06
we started collecting
07:09
from the 2019 server, ah, Windows server running in AWS to our, ah, repository Linux Ubuntu server. Ah, and we're getting, you know, kind of fair transfer speed, you know, not gonna completely complain about that, 60,
07:28
60 meg per second or so across, ah, network there in an AWS environment. Ah, sort of works for me.
07:35
So if I pop back over to my Linux instance here, I should be able to clear the screen for you here. So, you know, fighting that,
07:44
should be able to cd to slash
07:48
repository
07:50
folder.
07:53
There's my A001 case folder. So I'm gonna cd into that.
07:58
Oops.
08:03
And you can see that I'm actually already collecting, um,
08:07
in an AFF4 file there. And, uh, there's an AFF4 lock file there, which is undoubtedly the log, er, actually the lock for, as I was writing it out, as it's doing that collection process. Um, we could do something
08:24
super cool, like
08:26
watch it,
08:28
you watch it grow.
08:31
Um, so it's only at 2.9 gig,
08:37
three gig. Whoo, so much fun. 3.1 gig.
08:41
It's amazing.
08:43
It will take just a few minutes for it to go ahead and collect all of this data.
08:48
And at the end of this, what we would typically do would be to transfer this image, probably here via secure FTP or some other secure file transfer method, off of the, uh,
09:03
the cloud agent storage system.
09:07
Or maybe we'd collect, you know, three or four other, ah, instances to that and copy 'em all off and go ahead and perform our incident response triage or forensic triage or whatever we might be doing at this point. Um, you know, rather than maybe collecting the whole disk and things like this. Um,
09:26
so just a nice, quick way to do this
09:28
and we'll just let it run itself out. I, uh,
09:31
standard Windows install there. Not much going on. I wouldn't expect we have more than 10, 12 gig of total disk, so probably finish up pretty quickly.
09:43
And if we pop back over to the controller,
09:46
everything's going along just as we'd expect.
09:50
And it's already processed about 10 gig of disk for that. So things are going along pretty well there.
10:03
There we go.
10:05
Already verifying
10:07
because we remembered to check the box. Important to check the box when you're doing those, uh,
10:15
partial acquisitions there. So
10:18
currently verifying, verifying at a very fast rate, as you'd expect.
10:24
And just like that, our acquisition finished itself up. Verified. Ah, we only ended up getting about 12.6 gig of disk, so not a horrible, uh,
10:33
transfer by any means, and it actually only took about 3.5 minutes there to do the full collection. So, you know, reasonably quick sort of collection, which would get us, you know, the data we needed for something
10:50
triage-like.

Advanced Evimetry Forensic Acquisition: Dongle-less, Cloud and Persistent Cloud

In this free course we will explore how to use the temporarily licensed, Evimetry Dongle-less and Cloud Agent to do complex acquisitions of off network equipment and AWS, Azure or other cloud instances.

Instructed By

Brian Dykstra
CEO and President of Atlantic Data Forensics
Instructor