Video Transcription

All right. Welcome to Advanced Evimetry Forensic Acquisition. We'll talk about allocated, non-linear, partial, and live images today. So those are our two types: there are non-linear and partial.

The next thing we're gonna look at, because Evimetry is good at giving you lots and lots of options, is the Evimetry live or light agent. It can be a little bit confusing sometimes. I did do an interview with Dr. Schatz later on and asked about the "live" versus "light" agent. He kind of used the terms interchangeably. I don't know that I got a great answer, but I did ask him. You can see that in one of the later episodes.

So anyway, there's a couple of ways to do these things. Live collections we can do directly from the computer. So I can use a live agent directly on the computer, I can push a live agent to the computer, or I can pull down a live agent from the Evimetry content distribution network, run it on a remote computer, and use that to collect my data.

So live agent collection is useful when you have a target system that you can access, but for whatever reason you can't get the dead boot agent to work on it, or it doesn't make sense to run the dead boot agent on it, or whatever the thing might be. Commonly we will run this in situations where, like, hey, we'll let you collect the data, but this is a critical server; we just can't be shutting this off and collecting that data, you're gonna have to do this live. Frequently that's web servers that are critical, application servers that are critical, things like that, where shutting them down just isn't really in the game plan.

And then, sometimes, a machine fights the dead boot agent, and for one reason or another it won't work. We also find it's super useful to do live collection if you have some really offbeat full disk encryption or something that might be on a target system, so the user can log in, but you don't have a good way to decrypt that disk if you took a full disk image. You have the user log in, run the live or light agent on it, and collect all the data off the system in its unencrypted state. It's also great when nobody actually has the disk encryption key, which is an all too frequent situation. So, lots of different ways that could be useful.

One of the differences here is that in this method of collection the target data is actually being acquired across the network; the live agent is actually transferring the data from the target system across the network to the controller. That means you have to be cognizant about how much data you're pushing across the network. Is this something that's going to so greatly degrade the network bandwidth that nobody else is gonna be able to use it, things like that? You need to take all those things into account when you're pushing a great deal of data across the network like that.

All right. So the easy way to do this, handling the live agent manually, is you download the current Windows 64-bit light agent from the Evimetry download site. You copy that zip file directly to the target system, or you can extract it and run it from a USB thumb drive. I prefer to run it from the thumb drive. That's just me. That way I can go from system to system and I didn't leave tools sitting behind on the target computer, things like that.

On that target system, you're going to start an administrator-privileged PowerShell command prompt. You're gonna navigate to your USB thumb drive. Typically, you know, cd to the D drive or something like that, or just D: and get yourself into that drive. And then you simply run the Evimetry light agent and point it back to your controller simply by IP address. So, for example, you do dot-slash, the Evimetry agent .exe, from the command prompt and then just the controller IP address. Don't worry, we're gonna do this here in just a second, so you're gonna get to go along with me on this.

All right. Give me just a second to shut down my other equipment and bring up this live agent.


Advanced Evimetry Forensic Acquisition: Allocated, Non-Linear Partial, and Live Images

This free course covers advanced forms of disk imaging that can be invaluable in cases where acquiring large amounts of unused disk space is not ideal, where only certain file types are needed, and when you need to collect data from a live system.

Instructed By

Brian Dykstra
CEO and President of Atlantic Data Forensics