This tutorial describes a simple linear acquisition workflow using the Imager UI (part of the Deadboot Agent). We acquire to direct-attached storage for maximum speed. This technique is useful in a range of situations:

  • where it is difficult or impractical to remove the internal storage from a computer (for example a MacBook Air with a non-standard storage interface)
  • where removing and separately imaging the storage adds inefficiencies (for example RAID arrays)
  • where the internal read bandwidth of the suspect storage exceeds SATA and SAS I/O speeds

Prepare Deadboot USB

The first task is to create a Deadboot USB, from which the suspect computer will be booted.

Learn how to burn a Deadboot USB

Prepare the evidence storage media

Preserving the integrity of evidence is fundamental to forensic practice. A significant challenge in forensic live CD workflows is reliably distinguishing suspect storage media from evidence storage media, and reliably managing software write blocking of those devices. Evimetry provides a range of options to fit your workflow. The default approach is to only allow unlocking (disabling write blocking) for storage devices that have been "blessed".

1. Attach the evidence storage device to the Controller computer.

2. Partition and format the evidence storage device to contain a single exFAT partition using the OS partitioning tools.

3. Refresh the Controller node by right-clicking it and selecting Refresh.

4. Select the evidence storage drive, right-click, and select "Bless".


exFAT Only: Blessable evidence storage media must be formatted with exFAT

For performance and interoperability reasons, Evimetry will only bless a drive containing a single exFAT partition.
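Step 2 and the exFAT-only rule above are easy to get wrong on a drive that was previously used for something else (a leftover second partition, or an NTFS or HFS+ volume, will stop it from being blessable). The script below is an added example, not part of Evimetry or its documentation: it checks that a candidate evidence drive shows exactly one partition and that the partition is exFAT, reading the `lsblk -P -o NAME,TYPE,FSTYPE` output of a Linux Controller, and it prints (and only with `CONFIRM=yes` runs) the `parted` and `mkfs.exfat` commands that give the drive that layout. It assumes a Linux Controller with util-linux, parted and an exFAT mkfs installed; the sample lsblk output is constructed, not captured from a real system. The "Bless" step itself still happens in the Evimetry UI.

```shell
#!/usr/bin/env sh
# Added example (not Evimetry's own tooling). Validates and, on request,
# creates the single-exFAT-partition layout Evimetry requires before "Bless".

# check_single_exfat "<lsblk -P -o NAME,TYPE,FSTYPE output>"
# Returns 0 when the drive has exactly one partition and it is exFAT,
# otherwise returns 1 and says why on stderr.
check_single_exfat() {
  layout="$1"
  parts=0
  fstype=""
  while IFS= read -r line; do
    case "$line" in
      *' TYPE="part"'*)
        parts=$((parts + 1))
        # Pull the value out of FSTYPE="..." (empty when unformatted).
        fstype=$(printf '%s\n' "$line" | sed -n 's/.*FSTYPE="\([^"]*\)".*/\1/p')
        ;;
    esac
  done <<EOF
$layout
EOF
  if [ "$parts" -ne 1 ]; then
    echo "expected exactly 1 partition, found $parts" >&2
    return 1
  fi
  if [ "$fstype" != "exfat" ]; then
    echo "expected exFAT, found '${fstype:-no filesystem}'" >&2
    return 1
  fi
  return 0
}

# format_evidence_drive /dev/sdX
# Prints the commands that wipe the drive and create a GPT with one exFAT
# partition. Destructive, so nothing runs unless CONFIRM=yes is set; double
# check the device name first, pointing this at the suspect drive would
# destroy evidence.
format_evidence_drive() {
  dev="$1"
  [ -n "$dev" ] || { echo "usage: format_evidence_drive /dev/sdX" >&2; return 2; }
  case "$dev" in
    *[0-9]) part="${dev}p1" ;;   # /dev/nvme0n1 -> /dev/nvme0n1p1
    *)      part="${dev}1"  ;;   # /dev/sdb     -> /dev/sdb1
  esac
  plan="parted -s $dev mklabel gpt
parted -s $dev mkpart evidence 1MiB 100%
mkfs.exfat $part"
  printf '%s\n' "$plan"
  [ "$CONFIRM" = "yes" ] || return 0
  while IFS= read -r cmd; do
    echo "+ $cmd" >&2
    $cmd || return 1
  done <<EOF
$plan
EOF
}

# Constructed sample of lsblk output for a correctly prepared evidence drive.
SAMPLE_GOOD='NAME="sdb" TYPE="disk" FSTYPE=""
NAME="sdb1" TYPE="part" FSTYPE="exfat"'

if check_single_exfat "$SAMPLE_GOOD"; then
  echo "layout OK: ready to Bless"
fi
# On a live system: check_single_exfat "$(lsblk -P -o NAME,TYPE,FSTYPE /dev/sdb)"
format_evidence_drive /dev/sdb   # prints the plan only; CONFIRM=yes runs it
```

Run the check after blessing too: if the drive ever stops showing a single exFAT partition (for example after being repartitioned on another machine), it is no longer a valid evidence destination and must be prepared again.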


Boot the suspect computer with the Deadboot Agent

Use the BIOS/EFI boot method of the computer to boot from the USB drive.

1. Connect the suspect computer to the same network as the Controller.

2. Wait for the Imager UI to show onscreen.

3. Attach a Blessed drive to the suspect computer.


Select suspect storage and evidence storage device

The Deadboot USB is automatically identified by Evimetry and omitted from the candidate suspect devices. Only Blessed devices are eligible for use as an evidence destination.

1. Find the suspect evidence device you wish to acquire.

2. Select the device by toggling its radio button.

3. Select the destination device (or devices, if you are licensed for multiple destinations).

4. Press Acquire.

Add acquisition details

1. Enter the examiner name or ID.

2. Enter the case name or ID.

3. Enter the case description.

4. Modify the image filename to suit.

5. Press OK.



Done

This guide has only stepped through the basics of a simple acquisition. It has not discussed a range of other Evimetry features, such as:

  • Analysis while you acquire
  • Partial acquisition
  • Live agent evidence sources
  • Multi-destination evidence storage
  • Remote device preview

At this point the evidence storage device containing the acquired image can be mounted as a virtual drive for analysis, transferred across the network to another Evimetry agent, or quickly converted into a standard evidence format such as raw or EWF.