So one of the last things that we want to talk about
is getting the Windows, or the BitLocker, encryption keys.
And that's going to be important because if you're not able to get a logical image
of your hard drive system and only a physical image,
if the system is encrypted with BitLocker, you're not going to be able to essentially do anything with that hard drive image unless you have the keys to unlock it.
So there's a couple of components to that statement.
First is a logical image, and the other is a physical image.
So if we wanted to collect a logical image of the system, we can go into our
portable FTK Imager program that we have. You could also use EnCase Imager if you wanted to. I'm just pretty familiar with the FTK Imager.
We can essentially run FTK Imager.
It'll take a minute for it to load.
All right, so now that this is loaded and running,
what we would want to do to capture that logical image is we would go to File,
and we would want to create a disk image. And it is going to be an image of our physical drive that we have attached to the system,
our Physical Drive 0.
We would click Finish, and we would go through the same process that we initially went through with collecting
the, uh, the data from the removable drive. However, we would be collecting the data as it sits on the system right now, unencrypted.
And that would give us the ability to go in and look at that data,
should we not get the BitLocker encryption keys,
kind of this long, circuitous route.
If you know that you can't get the BitLocker encryption keys, or you have a system up and running and you're not sure of what type of encryption that it has, or it may be connected to something else, um,
like maybe if you have TrueCrypt running or if you're connected to some type of
remote file sharing service, you may want to go ahead and get that logical image. Otherwise, you could go ahead and get the physical image of the system, which would be with the system turned off, and then you could go and use a bootable
Linux thumb drive such as
Kali Linux to go ahead and
image the drive of that system while it's at rest. Or you could essentially remove the hard drive from that system and then image the hard drive outside of the system to get that physical image.
Either option that you choose, it just needs to suit the purposes that you're looking for for your investigation. If it's perfectly acceptable for you to use a logical image, or that's all you could get, then, by all means, go ahead and use that type
of image. But if you're looking to do the more forensics side of the house and you have to, maybe, testify in court in reference to some of the forensics processes that you do, you obviously want to use the best evidence possible in its most
unalterable state, which would be that
image of the dead box.
We've done a lot of things in this video, so let's just kind of take a moment to consolidate what it is that we have accomplished,
essentially going through that preparation phase. And what we've done is we've taken our removable media
and we have wiped and sanitized that media, any data that was on it.
So we used the EnCase
Imager to go in and wipe that data.
And then we essentially had to go back in and reformat our drive.
Once we were able to format that device, it was then ready to use on our victim's system.
We could insert that device into the victim machine, and then we could then go about collecting that volatile memory.
And then we could go about collecting
images from that system. What we also talked about was we began to image
a thumb drive that was potentially found at the scene of your incident.
So we did a couple types of imaging. We also took the hash files of the memory that we were able to image, and we consolidated all of those processes that we did
onto our forensic thumb drive:
the image of our SanDisk Titanium drive,
and we have our volatile memory image.
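The at-rest physical image the speaker describes (booting a Linux live drive such as Kali and imaging the drive while it is powered off) is usually done with dd, and the hash step mentioned for the memory image applies to that disk image as well. The script below is an added example and is not the instructor's own procedure or tooling; it acquires a raw image with dd and then hashes both the source and the image so the copy can be shown to match. The source and destination paths are placeholders: on a real acquisition the source would be a block device such as /dev/sdb and the destination would sit on the forensic thumb drive.

```shell
#!/bin/sh
# Added example, not from the video. Raw acquisition with dd plus hash
# verification. SRC and DST are placeholders supplied by the caller.

# acquire_image SRC DST
# Copies SRC sector by sector into DST and prints the SHA-256 of the image.
# bs=512 matches the sector size: conv=sync pads any short final read up to
# bs with zeros, so a larger block size would append padding and change the
# hash. conv=noerror keeps going past unreadable sectors instead of aborting.
acquire_image() {
    src="$1"
    dst="$2"
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
    sha256sum "$dst" | cut -d' ' -f1
}

# verify_image SRC DST
# Hashes both the source and the image, writes both hashes beside the image
# as DST.sha256 for the case notes, and returns 0 only if they match.
verify_image() {
    src_hash=$(sha256sum "$1" | cut -d' ' -f1) || return 1
    dst_hash=$(sha256sum "$2" | cut -d' ' -f1) || return 1
    printf '%s  %s\n%s  %s\n' "$src_hash" "$1" "$dst_hash" "$2" > "$2.sha256"
    [ "$src_hash" = "$dst_hash" ]
}

# Usage on a live Linux boot (placeholders; sdb is the suspect drive,
# /mnt/forensic is the mounted forensic thumb drive):
#   acquire_image /dev/sdb /mnt/forensic/case01-disk.dd
#   verify_image  /dev/sdb /mnt/forensic/case01-disk.dd && echo "image verified"
```

Hashing the source device a second time after the copy, rather than trusting the dd exit status alone, is what lets the hash in the case notes stand as evidence that the image is an unaltered copy; if the two hashes differ, the drive had unreadable sectors that were zero-filled, and that should be recorded rather than silently accepted.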