This tutorial describes a simple, linear workflow for acquiring volatile memory from a live computer running the Evimetry Live Agent. Acquisition occurs across the network, with memory stored to an AFF4 file on the chosen repository. This technique works for:
- Windows XP, Vista, 7, 8, 10, Server 2003, 2008, 2012, 2016 (32 and 64 bit support) except Windows 10 with Virtual Secure Mode (VSM) enabled
- MacOS 10.8+
- Linux x64 where the /proc/kcore file is in place (e.g. Ubuntu, Red Hat)
This tutorial focuses on the Linux live agent in particular; adjust the command-line syntax to suit other platforms.
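Before connecting the Linux live agent, it is worth confirming that the target actually meets the requirement stated above (x86_64 with a readable /proc/kcore). The following pre-flight check is an added shell example, not Evimetry's own code; the function name is my own, and the architecture and path are parameters so it can be exercised against constructed values as well as the real system.

```shell
#!/bin/sh
# Added pre-flight check (not part of Evimetry): confirms a Linux host meets the
# tutorial's stated requirement for live RAM acquisition (x86_64 with /proc/kcore).
# Run as root on the target before connecting the live agent.

# kcore_target_ok ARCH KCORE_PATH
# Returns 0 when the architecture string ARCH is x86_64 and KCORE_PATH exists
# and is readable by the current user; returns 1 (with a reason on stderr)
# otherwise. Hypothetical helper name chosen for this example.
kcore_target_ok() {
    arch="$1"
    kcore="$2"
    if [ "$arch" != "x86_64" ]; then
        echo "unsupported architecture: $arch (need x86_64)" >&2
        return 1
    fi
    if [ ! -e "$kcore" ]; then
        echo "$kcore not present; this kernel does not expose kcore" >&2
        return 1
    fi
    if [ ! -r "$kcore" ]; then
        echo "$kcore exists but is not readable; run the check as root" >&2
        return 1
    fi
    return 0
}

# Check the real system when invoked directly with --run.
if [ "${1:-}" = "--run" ]; then
    if kcore_target_ok "$(uname -m)" /proc/kcore; then
        echo "target meets the Linux live-agent requirement"
    else
        exit 1
    fi
fi
```

Invoke it as root with `--run` on the suspect machine; a non-zero exit means the Linux live agent will not be able to read physical memory on that host.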
Create a repository for storing the image
All acquisition operations in Evimetry require a destination Repository for storage. This could be a Dead Boot Agent, a Cloud Agent, or a Controller. In this instance we will acquire to a Controller.
1. In the Evimetry Controller, right click the Controller node in the Fabric Nodes view, and select Add Repository
2. Select a local folder to use as your Repository.
Connect the live agent to the repository computer
3. Either copy the live agent executable to the suspect computer, along with the required security certificates, or attach a USB drive containing them.
4. Determine the IP address of the Repository (in this case the Controller).
5. Connect the live agent to the Repository:
The live agent will become visible in the Fabric Nodes view of the Controller, from which acquisition of its RAM and disks can be started.
Enter acquisition details
6. Right-click the "PhysicalMemory" node of the connected live agent.
7. Enter the evidence name, examiner, and description.
8. Choose the destination as the Repository created above.
9. Accept the defaults and click OK to acquire.
This guide has only stepped through the basics of a simple volatile memory acquisition, focusing on Linux as a target. This walkthrough will be updated in time to include analysis.