Introduction

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
35 minutes
Difficulty
Advanced
CEU/CPE
1
Video Transcription
00:00
All right. Welcome to handling bit. Locker and fire. All file vault to encrypted drives with elementary and mount image Pro. That's gonna be a lot of fun.
00:09
All right. I'm Brian Dykes from the CEO of Atlantic Data Forensics. Part of that was a co founder and Mandiant for that big monster.
00:16
Part of that content was a contract cybercrime instructor at the FBI academy in Quantico. Military intelligence background, whole bunch of certifications. Things like that.
00:27
Uh, and if you have any questions about this course of any of my other courses, you can reach out to me at Sai Buri at Atlantic D f dot com and I will actually email you back.
00:40
All right, so Atlantic Data Forensics. We were founded in 2007. We just celebrated our 14th birthday. Which kind of cool? We're headquartered in Elkridge, Maryland. We do computer forensics for civil and criminal litigation. We do e discovery for big law firm cases.
00:56
We do 24 7 incident response for clients all over the U. S. And some
01:02
some in Europe. In Asia,
01:03
we also do a lot of internal corporate HR investigations, employment, work, things like that. Ah, and instant response, training and exercises for our clients out there. We have offices in Denver and Detroit besides here in Maryland.
01:19
All right, let's get right into this. So prerequisites for this course, and pretty much all the other courses on forensic acquisition is you have to document the evidence, and I have heard me say this over and over and over. But it's super important. You gotta document the evidence first and then start doing the breakdown in the technical acquisition, things like that.
01:38
If questions about how to do that best see my
01:42
cyber recourse, evidence handling, doing it the right way, I explain all that break down the fields and you know what you should be capturing and all that sort of stuff.
01:49
Um,
01:51
and then also because we're going to be doing some dead boot acquisition here with ever mattress should probably take a look at my basic, ever metric dead brute forensic acquisition. Wired and local were actually to be doing a actually doing a combo today. A wired to local. That's kind of weird. Um
02:06
on Do you need a full evil copy of ever Metro? If you want to play along in the Home Edition. You get that from my elementary dot com, and there's an enquiry. Evil
02:15
there and there. Go ahead and give you a fully featured 30 day license, which is kind of cool. I like it when they don't cut out features.
02:21
If you have any questions about how the A f f for format, the advanced follow format four there were a forensic file format for that we're using here works. There's also document. They're called FF for public, where Dr Shatz explains in
02:35
aggressive detail all the all the ins and outs of that, it's actually worth worth reading. It's good to understand the format that you're putting your forensic images into
02:46
next up course materials that you're going to need for this until net connected computer Always handy. Gonna need that evil copy of ever Met Really said, If you just playing along on your own, you wanna start and stop this. Ah, you're gonna need an evil copy of Mount Image Pro. Ah, that's available from get data dot com,
03:06
you're gonna need these 7.1 or better addition of that in order to do what we're doing. The slightly older editions they available 65 or something like that.
03:15
I don't support FF four. So you don't want that?
03:17
Um, I'm you were gonna go ahead and ah, image a fully encrypted Mac computer today. So, you know, if your plan along fully, you don't wanna want a foul ball to encrypted, Mac. Ah, then I USB thumb drive for dead booting elementary. And, of course, you need a stories drive to drop all that
03:37
that content out to
03:38
so kind of a laundry list of things today. If you're doing all this stuff with me
03:44
Target audience, always. Computer forensics professionals love you. There, my people. Ah, incident responders. He end up doing a lot of the same thing is lots of love for you to, and I t guys, I feel bad for you, but I know you'll get pulled into having to do some of this at the same time. So here's Here's all the tricks and tools to keep yourself on the on the right side of doing it.
04:03
All right, are learning objectives. First, we're talking about how to identify a bit. Locher file vaulted. I know that's how you spell that, but I like to use it with a possibly de, um, file vaulted despite signature. Then we're actually going to go ahead, acquire a file vaulted Mac with every metric gonna see That's fast. Easy. Simple. No, no fancy tools required.
04:23
And then we're gonna learn how to use Mount Image Pro to decrypt
04:27
Windows and Mac encrypted volumes from our forensics images After the facts, which is just a huge benefit. You run into stuff all the time. So in the elementary stack today of things were going to use, we're definitely gonna use that every metric controller up there at the top.
04:44
We're going to use the dead boot agent on your far left hand side there.
04:49
Um, and then we're just gonna dump that into a standard FF four image container. There the bottom. So, Toby, be fully encrypted, but we're gonna make it useful to us.
Up Next
Handling BitLocker and FileVault 2: Evimetry and Mount Image Pro

In this course we will look at forensic collection of fully encrypted Windows and Mac computers with Evimetry.

Instructed By