Introduction to the Evimetry Filesystem Bridge and How to Access it


Time: 19 minutes
Difficulty: Intermediate
Video Transcription
00:00
>> Welcome to the seventh in our series of Cybrary courses here. This is the Evimetry Filesystem Bridge. The Evimetry Filesystem Bridge itself, it provides high speed access to your AFF4 images from your current tool set, and it's installed along with the controller. If you want to put the AFF4 Filesystem Bridge or the Evimetry Filesystem Bridge on all your systems that you're doing forensics from using a variety of forensic tools, you actually end up installing a controller on each one of them. Honestly, not really a problem, installs easy-peasy. We did it before in one of our courses here, there's not much to it. It just pops right in there and the Bridge becomes available and things like that. Simple stuff, no license required for doing that or anything else. You just download the latest version and go to town.

By default, the Filesystem Bridge creates a virtual rawfile.rawfile, which is just a dd image, available on by default. It defaults to the W: drive, which I've never run into a problem with. I suppose on some people's networks, you might have a network share that's W: drive. You can sort that out, it's not a big deal. It's got a configuration file for that. It presents it as a raw file so that essentially any forensics tool you should have can deal with a raw dd image. I can't think of a forensics tool out there that doesn't deal with that most basic format.

Because it's being virtualized like that, it's actually really fast. It's funny. If you go through and read that AFF4 paper that Dr. Schatz put together, you can see all his charts and graphs, and statistics numbers on just how much faster it is actually running it virtualized through the Filesystem Bridge rather than running a traditional E01 or E01 compressed file and things like this. Some pretty good performance there. But of course, like anything else, the type of storage media that you have your AFF4 files on is also going to play into the performance. I'm sure when we talk to Bradley, he'll talk all about running it from these ultra-fast drives and things like that, and he's right. It's just really fast when you do it like that. But reality is I don't necessarily always have great big stacks of NVMe drives available to me or flash arrays or things like this. But you can get really good performance such as regular commodity USB drives and things like that too because it just works well.

A full walk-through of the Evimetry Filesystem Bridge is available online at evimetry.com under the Accessing your Image portion. Actually, I think I might have that available right here. Because I said that, I don't. That's awesome. You can read through it yourself on the documentation there. We're also going to do a live demonstration here from a previously acquired image. Actually, one of the images we acquired in the last episode or the last course there, and we're going to preview that AFF4 image using AccessData's free FTK Imager tool, which is available to you via registration download at
>> accessdata.com/product-download
>> and you can just download. I believe the latest version is 4.2.0 or something like this.
>> You can go ahead and load that.
>> Now, AccessData's FTK Imager does not natively understand how to address AFF4 files, but that's what we're going to use the Filesystem Bridge for. Why don't we go ahead and do that.