Video Transcription

00:00
All right. Welcome to advanced Ever Met tree forensic acquisition. We'll talk about allocated nonlinear, partial and live images today.
00:09
Next, we're going to talk about pulling or pushing that ever mentally light agent directly to your system. In order to do that, I'm gonna have to log myself into the elementary site. So, uh, switch over networks here if you'll give me just a second.
00:30
All right? So, back to our recording Here. Um, So I've pulled up my my elementary Ah, log in sight here by myself and,
00:42
uh, again,
00:46
all right. So long myself in. Of course, Doctor says because he's a security conscious dude offers. Ah, I think he's requiring it now, but two factor authentication supporting all your standard abs in this case
01:02
using the,
01:03
uh, Google authenticator app for that. So I'll go ahead, throw in my one time password there,
01:11
and I can log myself into the site to course, except the end user license agreement. All right,
01:19
um, and, you know, and here I can download all my my current versions of controllers dead boot agents, you know, and various live agents. Things like this, um, that I might need for Ah variety of systems, but also right up here at the top.
01:38
I have an option to deploy a cloud. Agent pull alive agent or push live agent.
01:42
Now we'll get to cloud agents in one of the future courses. I promise I wouldn't let you,
01:49
but you're not know how to do it on a cloud agent. Everybody's got tons of eight of us Nasher out there so important to do that. But we're gonna We're gonna focus on the pull and push aspect here.
02:00
So if I go to the pool portion, I can actually
02:04
pull a live agent from the ever Met tree content distribution network directly to my system by by simply, uh, copying the script information below. So to say, I had a X 86 based
02:23
Windows system.
02:24
I could copy this this information out here and running in administrator power show, and it would go ahead and download the light agent directly to my system.
02:36
And then I could go ahead and do what we just did. Acquiring across the network by Das es Ephraim, entry agent and pointing it to my repositories agent or controller. You know that I p address in our case it was 1921681.100 you know. And here he's giving a 10 dot example. So wherever you were,
02:55
your controller might be at
02:58
works the same way. If I'm doing a 64 bit, which is a more likely situation, um,
03:04
Windows operating system, I'd like to think you're not out there still running 32 bit systems, but, you know, things happen on end. And, of course, you never know what you can end up collecting. So 64 bit agent for that, Um, if I had a Mac, I can still do this os x 64 bit systems always supported
03:23
process is a little bit different.
03:25
I'm actually gonna open up a ah command show,
03:30
root privilege command show. And I'm gonna end up copying this this whole set of w get statements and it's gonna gonna pull that agent down for me. It's gonna unzip it and go ahead and give it the right permissions. And then I'm going to run it with the Sioux do,
03:46
Uh, which, of course, you know, elevates my permission, sir. Well, actually, yes. There, Sue doing instead of Ryan Rude Shell That's fine too.
03:52
Eso suitor User suit doing it t elevated to Ah, a root privilege situation ever metric agent. And then, of course, pointing it to the i p address for collection on the same in the process Works almost identical for, um
04:10
a, uh a X 86 or
04:13
64 bit linen situation.
04:15
You're gonna just have that w get statement. Pull Pull the client down to your local to your local system is gonna pull that light agent, and you're going to run it right there from the system pointing it I p wise back to repositories. Uh, so that's that's, you know, pulling it directly from, you know, content distribution network out there. Never met tree
04:35
on. Bringing into your system
04:38
can be a extremly handy way to do this. You know, you don't have thio chase Donnels around and things like this. It's also useful if you got big racks of servers, they need to collect data off a variety of these. And it's not easy to get to the back room and and be plugging in, you know,
04:55
drives and things like this. You know what it might be?
04:58
We're talking about flexibility here. So is the lots of easy ways to do this. Could be a lot easier than dealing with a Oh, a handful of O'Donnell's and thumb drives and things like that. There's there's enough toughness in our lives already. All right, My other option is pushing the live agent out. Um,
05:16
so this is on Lee on, uh,
05:18
windows networks on domain joint work stations or servers. So you got to be on some sort of
05:27
of Ah, you know, a de domain out there. Um,
05:31
and what I can do is, uh, actually, we come to come to the, uh, to the push deployment site here,
05:41
and I can give it the i p address of the machine I want to collect. So 192.1681 dot 101 was our previous machine. And then I have to have some, you know? Ah, storage hosts that I'm gonna write this data out, too. And so in this case, you know the machines,
05:59
the machines. Ah, name is hydrogen. So it's gonna dump that on that
06:03
destination system. It could be, you know, your file server or, you know, let's just call it that file server.
06:11
You know, sir, for something like this, or mapped, you know, Dr Location, whatever it might be. And when I hit, submit if you notice there's a willpower shell script down here below. But when I hit submit.
06:23
It's actually going to
06:26
change
06:28
this power shell script so that now my destination, how's that? I'm pushing this out, too. Is our our suspect host name up here? And it changed the destination agent over to file server, and it's gonna have a destination folder of the C drive on there. Obviously, I could, you know, edit that out and, uh,
06:46
and do that, too. But I can copy this whole little
06:51
script out here and run it from a power show Command prompt on my network. And it'll go ahead, download the agent and push it right out to that to that target system. Um, and write all the data back to that destination folder that we've specified
07:11
on on that file server.
07:13
So just, you know, maximum flexibility here. If you got a Windows network, this could be a really convenient way to do that is to, you know, push everything across the network to that location on. Just kick that off remotely across the network again. Maximum flexibility. You never know what you're gonna run into out there.
07:31
Um, and you just wanna have lots and lots of options in your bag of tricks.
07:39
All right,
07:42
let's say back to our presentation.
07:47
All right, so that was our, uh, pushing or pulling a live agents.

Up Next

Advanced Evimetry Forensic Acquisition: Allocated, Non-Linear Partial, and Live Images

This free course covers advanced forms of disk imaging that can be invaluable in cases where acquiring large amounts of unused disk space is not ideal, and where only certain file types are needed when you need to collect data from a live system.

Instructed By

Instructor Profile Image
Brian Dykstra
CEO and President of Atlantic Data Forensics
Instructor