Video Transcription

00:00
All right. Welcome to Advanced Evimetry Forensic Acquisition. We'll talk about allocated, non-linear, partial, and live images today.
00:09
I did a little bit of reconfiguration here. We dropped our dead-boot system off and moved the blessed repository disk back over to our computer. We're going to go ahead and set that up as a repository again.
00:26
So
00:32
Refresh. That
00:36
Add repository
00:44
already there. Okay, so now it's the repository drive. Yep. Where D is going to go to, you might be asking yourself, "Well, Brian, how do I know where to,
00:56
where to send the data to?" Well, the good news is, if you just click on the controller system here and pop down here, Evimetry will tell you what your IP address is. So
01:07
from the live agent, we're going to go ahead and kick off that live agent and send the data to 192.168.1.100.
01:17
All right. So, again, going back to our thing, I'm going to go to that live agent that's over there, running off a thumb drive, and I'm going to simply say dot-slash evimetry agent 192.168.1.100. And if everything goes right, we should see that system pop up
01:37
in our controller window. So let's make that happen.
01:41
All right. So I simply started that up on the other computer. We'll pop back over to the controller, and
01:48
the live agent pops up and lets me know that it's connected from 192.168.1.112.
01:56
And I can see that I actually have several drives attached there. That one's
02:05
the SanDisk USB thumb drive that we used to start up the live agent. And then I have a physical disk there that's roughly 500 gig in size, an NVMe Samsung drive, all that sort of stuff. And I've got physical memory there and things like that.
02:22
So we've just connected from a live running system,
02:27
via the live agent, to our controller system. So now we can go ahead and pick the disk. In this case, we'd be acquiring the boot disk for that system, that large 500-gig drive.
02:39
I'll come over here. We'll call this collection four, or tag four. We know that it's a
02:49
Samsung
02:51
NVMe,
02:53
you know, from a system
02:58
called BT
02:58
underscore.
03:02
So, all right. Again, you would have done your full documentation of that system before we'd ever collected.
03:10
All right, I can come down here and say
03:15
I'd like to add
03:16
that disk,
03:19
make a name for the forensic image there,
03:22
which we're always going to name the same thing: case number, dash, tag number. So I'm going to call this forensic image case number one, tag four, since it's the fourth collection we've done here. And as you notice, the repository is automatically my controller,
03:38
you know, .1.100, on that D drive, which is the
03:43
blessed disk that we've pushed over there.
03:46
We're going to do a full linear collection. Obviously, we'd like that to verify when it's done,
03:53
and there's not much more to it than that. Boom, we kick it off, and we start doing a full collection of
04:02
the physical drive zero off of that live and running Windows laptop over there to our repository over here on the controller system. Now, obviously, you're probably not going to get the same collection speeds because
04:19
you're coming across the network, things like this. But in a scenario where,
04:24
you know, that might be the only or best way for you to collect data, this is a lifesaver, in situations, like I said, where that system just can't be shut down for one reason or another. You could combine this live agent collection along with some of the other things we've done, the allocated-only, right? If I only need
04:44
the files that were actually on the system, I could do a live agent collection that way.
04:47
I could do a file type collection, as we just got done doing previously, and only collect those files of particular interest off of that live running system, all of which would make collecting across the network a lot more,
05:04
a quicker process, rather than going for, let's drag the whole 500-gig disk image across the network like I'm doing right now. And I don't really want to wait for that, especially on my little
05:17
test switch here that everything is connected to. That's not exactly the fastest collection. But again, in a pinch, you do what needs to get done to make sure that you get the data collected.
05:32
And it's going along nicely. If we pop over to our Images tab,
05:38
we can see all the images we've collected so far today. Apparently I skipped,
05:42
I decided not to do tag three. I don't know why. But it lets us see the images we've done, what we collected from, what type of collection we did, and things like that. So it's all moving along nicely, and, you know, just more ways to collect the data
06:01
that we might need. Now, I don't really need to collect the entire disk off this thing, so I'm going to go ahead
06:08
and abort that collection.
06:12
Yes, because none of us want to sit here for hours while that goes along on its own.
06:18
All right,
06:20
back to our presentation.
06:24
All right, so that's connecting and collecting using the live agent.

Advanced Evimetry Forensic Acquisition: Allocated, Non-Linear Partial, and Live Images

This free course covers advanced forms of disk imaging that can be invaluable in cases where acquiring large amounts of unused disk space is not ideal, and where only certain file types are needed when you need to collect data from a live system.

Instructed By

Brian Dykstra
CEO and President of Atlantic Data Forensics
Instructor