Using the Evimetry Filesystem Bridge Applet and FTK Imager

Time
19 minutes
Difficulty
Intermediate
Video Transcription
00:00
>> Welcome to the seventh in our series of Cybrary courses here. This is the Evimetry file system bridge. When my file system bridge is installed by default, it goes right into the same startup as my Evimetry controller, and you see right below that the Evimetry file system bridge applet. I'm not going to restart it because I've already got mine running. It'll minimize itself. That's nice. It minimizes itself to the tray down here: Evimetry repository file system bridge. If I right-click it, I have a variety of options. I can configure it, do network mounts, all that stuff, but I'm just going to do the View Mount option right there at the top.

Right off the bat, there's nothing there. No image is mounted. No path mounted from. It's not set to persist or anything. I'm going to go with the really easy "I'd like to add something." I'm going to add the whole disk, which, as you can see, is an Evimetry flash drive there that I have my images on. I'm going to say, "Hey, go ahead and mount that whole disk up for my D drive and make that available for me." I hit Okay, and I get some messages down here in the corner that repository D is being mounted. Please wait a second as it figures out how many AFF4 images are on that. It's going to go ahead and index all of those and make them available to me. We'll just let it walk through its thing there. That one's taken care of. The next one, tag 2 and tag 3. Wow, now the repository is available. Isn't that cool?

Now I'm going to go over here and I'm going to pull down my AccessData FTK Imager, which I already have installed. It, of course, runs as administrator because we're going to access disk images. I have 4.2.0.13. I got list image. I'm going to add an image file here and hit Next, and then I'm just going to select... now remember I told you by default it's going to create an Evimetry repository W drive there, and there's my D drive presented. Here you can see the three previously collected images, actually from the previous course. We're going to select the first folder here. If I pull this over just a little bit, we can see that my easier one, tag 1, is actually an AFF4 file being presented as a .raw or DD file. I'm going to select that, say yeah, that's the one I want to open, and go ahead and let FTK Imager do its thing here.

Like I said, normally it would not be able to read an AFF4 file because that's not one of the evidence file formats that it understands, but the bridge presenting it as a DD image lets us bypass that. Of course, we can see our Kingston drive there and all the files that were on it, and so on and so on. We've got a whole bunch of different data here, and that's all of my AFF4 image, whereas FTK Imager natively only understands, from an image file standpoint, how to open... If we look at our file types here, it understands a lot of things. It understands the old AFF format, it understands E01 images. It opens up your zip archives and things like that. But what you will not find on there is an AFF4 image. We're actually opening it as a raw file through our bridge applet. Not too hard, really. Simple: up and running, all your data's there, life is good. You didn't have to use any tools that you weren't already normally using every day. If you've got specialty tools where "this is my one little tool that I wrote, but it only understands how to talk to this type of image," well, great. They'll be fine.

Let's see, going back over here to the file system bridge. That's really all there is to the file system bridge. You just present that file system bridge, you access your raw images there, and you go to town; you do all your forensics processing, things like that. Everything just works normally.

Now, as I've discussed before, way back, I think it was course two or something, when we were talking about the AFF4 format: a lot of tools nowadays are actually starting to incorporate AFF4 because it's the fast new hotness and, frankly, this is the way you should be collecting data from now on. We regularly collect 500 gig an hour using Evimetry into the AFF4 format, and you just can't get that
>> collection from other tools.
>> If you're using faster storage, you can collect at some ridiculously fast speeds using the AFF4 format. Evimetry obviously supports Evimetry and its imaging tools and things like that. X-Ways Forensics, it's wildly popular out there. We make great use of it. It now natively supports AFF4. Sleuth Kit, they added, I want to say, a year ago. Sleuth Kit, Rekall Forensics, because some of the folks from Google were
>> in on the AFF4 format too.
>> They supported it. Vound Software out of Australia, great software with their Intella and W4 products; they natively support AFF4. BlackBag, the folks behind all the great Mac forensics tools, MacQuisition and BlackLight, they now natively support the AFF4 format, which is really nice. There are more forensics tools out there all the time converting over. I heard some rumblings about,
>> and don't quote me on this,
>> heard rumblings that Axiom from Magnet Forensics, a very popular software product too, they were working on incorporating AFF4. The industry is starting to really embrace that, and it was time. Let's face it, the [inaudible] format is years old and just wasn't keeping up with our requirements for data right now.