Using the Evimetry Filesystem Bridge Applet and FTK Imager

19 minutes
Video Transcription
All right. Welcome to the seventh in our series of Evimetry courses here. This is the Evimetry Filesystem Bridge.

All right, so when my Filesystem Bridge is installed, by default it goes right into the same startup as my Evimetry Controller. You see it right below that: the Evimetry Filesystem Bridge applet. I'm not going to restart it because I've already got mine running. It'll minimize itself.

That's nice. It minimizes itself to the tray down here: Evimetry Repository Filesystem Bridge.

And if I right-click it, I have a variety of options. I can configure it, do network mounts, all that sort of stuff. But I'm just going to do the View Mounts option right there at the top.

And right off the bat there's nothing there; it says no images mounted, no paths mounted, nothing set to persist or anything. I'm going to go with the really easy one: I'd like to add something, and I'm going to add the whole disk.

You can see it's an Evimetry-blessed drive that I have my AFF4 images on. So I'm going to say, hey, go ahead and mount that whole disk up from my D drive and make that available for me.

I hit OK, I get some messages down here in the corner that repository D is being mounted, please wait a second, as it figures out how many AFF4 images are on that. It's going to go ahead and index all of those and make them available to me, and we'll just let it walk through its thing there. That one's taken care of, and the next one, tag two, and tag three, and wow, now the repository's available. Isn't that cool?

All right, so I'm going to go over here and I'm going to pull down my AccessData FTK Imager, which I already have installed. Of course it runs as administrator because we're going to access disk images. I have four point, let me look, 4.2.0.13. So I've got the latest version.

I'm going to add an image file here and hit Next, and then I'm just going to select; remember I told you by default it's going to create an Evimetry Repositories W: drive there. And there's my D drive presented.

And here you can see the three previously collected images, actually from the previous course. And so we're going to select the first folder here. And if I pull this over just a little bit, we can see that my E01, tag one, is actually an AFF4 file being presented as a .raw or .dd file, something like that.

Say yep, that's the one I want to open, and go ahead and let FTK Imager go ahead and do its thing here. Like I said, normally it would not be able to read an AFF4 file, because that's not one of the file formats, the evidence file formats, that it understands, but the bridge presenting it as a dd image lets us bypass that. And of course we can see our Kingston drive there and all the files that were on it, and so on and so on and so on.

Right, so we've got a whole bunch of different data here, and it's all off my AFF4 image, whereas FTK Imager natively only understands, from an image file standpoint, how to open certain formats. If we look at our file types here, it understands a lot of things: it understands the old AFF format, it understands E01 images, it'll open up your zip archives and things like that, but what you will not find on there is any AFF4 image. So we're actually opening it as a raw file through our bridge applet.

Not too hard, really, right? Simple, up and running, all your data is there, life is good, and you didn't have to use any tools that you weren't already normally using every day. So if you've got specialty tools, like "this is my one little tool that I wrote, but it only understands how to talk to this type of image," well, great, you'll be fine.

Let's see, going back over here to the Filesystem Bridge. So that's really all there is to the Filesystem Bridge: it just presents that file system, you access your raw images there, and you go to town. You do all your forensics processing, things like that. Everything just works as normal.

Now, as I've discussed before, way back, I think it was course two or something, when we were talking about the AFF4 format, a lot of tools nowadays are actually starting to incorporate AFF4 because it's the fast new hotness. And frankly, this is the way you should be collecting data from now on. I mean, we regularly collect 500 gigs an hour using Evimetry into the AFF4 format, and you just can't get that sort of collection from other tools. And if you use even faster storage, you can collect at some ridiculously fast speeds using the AFF4 format. So Evimetry obviously supports it in its imaging tools, things like that. X-Ways Forensics is widely popular out there; we make great use of it. It now natively supports AFF4.

Sleuth Kit, they added that, I want to say, a year ago. Sleuth Kit, Rekall forensics, because folks from Google were in on the AFF4 format too, they support it. Vound Software out of Australia, great software, with their Intella and W4 products, they natively support AFF4.

BlackBag, the folks behind all the great Mac forensics tools, MacQuisition and BlackLight, they now natively support the AFF4 format, which is really nice. And there are more forensics tools out there all the time converting over. There are some rumblings about, and don't quote me on this, but there are some rumblings that AXIOM from Magnet Forensics, a very popular software product too, they were working on incorporating AFF4 in. So the industry has started to really embrace that, and it was time. I mean, face it, the Expert Witness Format is years old and just wasn't keeping up with our requirements for data right now.
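The point the walkthrough makes about file types, that a tool whose format list stops at raw, E01 and the old AFF cannot open an AFF4 file but reads the bridge's .raw view without complaint, comes down to what the first bytes of each file look like. The following is an added example and is not code from the course, from Evimetry or from FTK Imager. It assumes the published E01 signature (`EVF\x09\x0d\x0a\xff\x00`) and ZIP local-header signature (`PK\x03\x04`); treating "ZIP at offset 0" as AFF4 is an assumption that holds for ZIP-based AFF4 containers and not for directory-based AFF4 volumes. The `NATIVE_FORMATS` set, the `disk` member inside the constructed container, and all sample bytes are constructed for the demo and stand in for real evidence.

```python
"""Added example, not from the Evimetry course or from FTK Imager: a
container-format sniffer that shows, from the leading bytes alone, why a
tool whose native list is raw / E01 / old AFF can open the bridge's .raw
view of an image but not the underlying AFF4 file."""
import io
import zipfile

# Byte signatures used for the sniff. The EWF and ZIP values are the
# published ones; treating "ZIP at offset 0" as AFF4 is an assumption
# (ZIP-based AFF4 containers only, not directory-based volumes).
EWF_MAGIC = b"EVF\x09\x0d\x0a\xff\x00"      # E01 / Expert Witness Format
ZIP_LOCAL_HEADER = b"PK\x03\x04"            # start of a ZIP container
BOOT_SIGNATURE = b"\x55\xaa"                # MBR / boot sector marker at 510
SECTOR = 512

# Hypothetical label set for the formats the transcript says the imager
# understands natively (raw, E01, old AFF); AFF4 is deliberately absent.
NATIVE_FORMATS = frozenset({"raw", "ewf", "aff"})


def sniff_image(header: bytes) -> str:
    """Classify an image by its first sector: 'ewf', 'aff4-zip',
    'raw' (boot signature present at offset 510) or 'unknown'."""
    if header.startswith(EWF_MAGIC):
        return "ewf"
    if header.startswith(ZIP_LOCAL_HEADER):
        return "aff4-zip"
    if len(header) >= SECTOR and header[SECTOR - 2:SECTOR] == BOOT_SIGNATURE:
        return "raw"
    return "unknown"


def opens_natively(header: bytes) -> bool:
    """True when the sniffed format is one the tool lists natively."""
    return sniff_image(header) in NATIVE_FORMATS


def sniff_file(path: str) -> str:
    """Sniff an on-disk image, e.g. a .raw exposed by the bridge."""
    with open(path, "rb") as fh:
        return sniff_image(fh.read(SECTOR))


# ---- constructed samples (not real evidence) ----

def make_raw_sector() -> bytes:
    """One constructed boot sector: zeros with the 0x55AA marker."""
    return b"\x00" * (SECTOR - 2) + BOOT_SIGNATURE


def make_ewf_header() -> bytes:
    """Constructed E01 header: the 8-byte signature followed by padding."""
    return EWF_MAGIC + b"\x00" * (SECTOR - len(EWF_MAGIC))


def make_aff4_like_container(disk_bytes: bytes) -> bytes:
    """Constructed stand-in for a ZIP-based AFF4 container. A real AFF4
    volume stores the disk as compressed chunks plus RDF metadata; here a
    single member named 'disk' holds the bytes, which is enough to show
    the container signature and what the bridge's raw view exposes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("container.description", "aff4://constructed-volume")
        zf.writestr("disk", disk_bytes)
    return buf.getvalue()


def bridge_raw_view(container: bytes) -> bytes:
    """What the Filesystem Bridge does conceptually: expose the image
    stream inside the container as plain raw bytes."""
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        return zf.read("disk")


if __name__ == "__main__":
    aff4 = make_aff4_like_container(make_raw_sector())
    raw_view = bridge_raw_view(aff4)
    print("AFF4 container  :", sniff_image(aff4), "native:", opens_natively(aff4))
    print("bridge .raw view:", sniff_image(raw_view), "native:", opens_natively(raw_view))
    print("E01 header      :", sniff_image(make_ewf_header()),
          "native:", opens_natively(make_ewf_header()))
```

Running the block prints the container as `aff4-zip` (not native), the bridge's raw view as `raw` (native), and the E01 header as `ewf`; `sniff_file` does the same check on a real path such as a `.raw` under the bridge's mounted drive, reading only the first sector.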