Dead boot USB preparation


The Evimetry system is designed to enable acquisition and analysis using a number of approaches: live agent, dead boot, and media duplicator. We use the term "dead boot" to refer to booting a suspect computer from a powered-down state into a Linux Live CD based environment that runs the Evimetry Agent. These instructions cover preparing a boot USB device for use in either the dead boot or the media duplicator scenario.

The boot USB device works well on USB-bootable PC and Mac hardware, including the recent-model MacBook Air.

Windows

1. Download the Evimetry Dead Boot Agent CD ISO Image.

2. Create a bootable USB device. Our tool of choice is Rufus. The following settings have been tested to boot both PC and Mac hardware:

  • Partition Scheme: MBR Partition Scheme for BIOS or UEFI Computers.
  • File System: FAT32

Dead boot CD preparation


Download the Evimetry Dead Boot Agent CD ISO Image, write it to a CD, and boot from it as you would any other LiveCD forensic tool.

The boot CD works well on earlier PC and Mac hardware that does not support booting from USB.

Light Agent deployment


Evimetry enables remote acquisition and analysis of live evidence sources by way of a lightweight agent. Evidence streams from the suspect device across the network, using a compressed and encrypted protocol, to an Evimetry Repository Agent for storage. The agent can simply be run from an attached USB or optical disk, which avoids writing anything to the suspect's own storage. In cloud environments, where such facilities are not available, the agent can be readily deployed by downloading it directly to the device in the following manner.

Windows

The Windows lightweight agent supports Windows Vista and above and Windows Server 2008 and above, in either 32-bit or 64-bit editions.

1. Download the live agent and the default TLS certificates and key by executing the following in PowerShell:

# Prompt for the Evimetry download credentials and attach them to the client
$wc = new-object System.Net.WebClient
$wc.Credentials = Get-Credential
# Agent binary, CA certificate, and the agent's own certificate and private key
$wc.DownloadFile("https://dl.evimetry.com/lightagents/win-x86/evimetry.agent.exe", ".\evimetry.agent.exe")
$wc.DownloadFile("https://dl.evimetry.com/lightagents/win-x86/ca.cer", ".\ca.cer")
$wc.DownloadFile("https://dl.evimetry.com/lightagents/win-x86/lightAgent.cer", ".\device.cer")
$wc.DownloadFile("https://dl.evimetry.com/lightagents/win-x86/lightAgent.key", ".\device.key")

Enter the Evimetry download credentials you have been provided at the prompt.

2. In the same PowerShell session, run the agent and connect it to the relevant evidence repository via the repository's private IP address. In the following, the Evimetry Repository Agent is at IP address 10.176.160.211.

.\evimetry.agent.exe 10.176.160.211

NOTE: Pay careful attention to the ".\" prefix above. PowerShell does not search the current directory for executables, so typing evimetry.agent.exe without the prefix will not find the agent you just downloaded.

Linux


1. Download the live agent and the default TLS certificates and key by executing the following in a shell, substituting the download credentials you have been provided for wirespeed and PASSWORD. We provide separate builds for 32-bit and 64-bit environments. Be aware that a password passed on the command line is visible to other users in the process list and is recorded in the shell history.

For 32-bit Linux targets, use the following:

wget --quiet --user=wirespeed --password=PASSWORD https://dl.evimetry.com/lightagents/linux-x86/evimetry.agent
wget --quiet --user=wirespeed --password=PASSWORD https://dl.evimetry.com/lightagents/linux-x86/ca.cer
wget --quiet --user=wirespeed --password=PASSWORD https://dl.evimetry.com/lightagents/linux-x86/lightAgent.cer
wget --quiet --user=wirespeed --password=PASSWORD https://dl.evimetry.com/lightagents/linux-x86/lightAgent.key
chmod +x evimetry.agent

For 64-bit Linux targets, use the following:

wget --quiet --user=wirespeed --password=PASSWORD https://dl.evimetry.com/lightagents/linux-x64/evimetry.agent
wget --quiet --user=wirespeed --password=PASSWORD https://dl.evimetry.com/lightagents/linux-x64/ca.cer
wget --quiet --user=wirespeed --password=PASSWORD https://dl.evimetry.com/lightagents/linux-x64/lightAgent.cer
wget --quiet --user=wirespeed --password=PASSWORD https://dl.evimetry.com/lightagents/linux-x64/lightAgent.key
chmod +x evimetry.agent

2. In the same shell session, run the agent and connect it to the relevant evidence repository. In the following, the Evimetry Repository Agent is at IP address 10.176.160.211.

./evimetry.agent 10.176.160.211

Cloud Repository Agent Configuration


Acquisition and analysis of computers in the cloud benefits from the close placement of an evidence repository, typically a cloud server provisioned in the same data centre.

1. Provision an Ubuntu 10.04 server in the same data centre as your target system.

2. Ensure that the server has enough storage for the acquired image and high network throughput.

3. Log in by SSH.

4. Deploy and start an Evimetry Repository Agent on the server using the following two commands (substituting the username and password you have been separately provided):

wget --quiet --user=wirespeed --password=PASSWORD https://dl.evimetry.com/agent/install_script_ubuntu.sh
bash install_script_ubuntu.sh

The install_script_ubuntu.sh script automatically applies the latest Ubuntu security patches to the server, then downloads and configures the Evimetry Agent as a repository. Review the downloaded script before running it.
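The Linux light agent steps above and the repository installation steps share the same shape: authenticate to dl.evimetry.com, fetch the files, then run them. The script below is an added example written for this page, not Evimetry's own tooling, that wraps both procedures. It goes beyond the page in three ways: it selects the 32-bit or 64-bit agent build from uname -m, it keeps the download password out of the command line (and so out of ps and the shell history) by passing it to wget through a 0600 wgetrc file named in the WGETRC environment variable, and it records a SHA-256 of everything fetched for the case notes. The environment variables EVIMETRY_USER and EVIMETRY_PASSWORD, the log file name, and the free-space check are all assumptions of this example; the URLs are the ones listed on the page.

```shell
#!/bin/sh
# Added example, not Evimetry's code. Two modes:
#   evimetry-deploy.sh agent REPOSITORY_IP          (run on the Linux target)
#   evimetry-deploy.sh repository IMAGE_SIZE_GIB [DIR] (run on the Ubuntu server)
# Assumed inputs: EVIMETRY_USER / EVIMETRY_PASSWORD hold the download
# credentials; hashes of fetched files are appended to $LOG.
set -eu

BASE_URL="https://dl.evimetry.com"
LOG="${EVIMETRY_LOG:-./evimetry-deploy.log}"

# Map the output of `uname -m` to the Light Agent build directory on the page.
build_for_arch() {
    case "$1" in
        x86_64|amd64)        echo "linux-x64" ;;
        i386|i486|i586|i686) echo "linux-x86" ;;
        *) echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# True when DIR has at least NEED_GIB gibibytes available (df -Pk reports KiB).
has_free_space() {
    dir="$1"; need_gib="$2"
    avail_kib=$(df -Pk "$dir" | awk 'NR==2 {print $4}')
    [ "$avail_kib" -ge $((need_gib * 1024 * 1024)) ]
}

# Hand the credentials to wget via a private wgetrc instead of --user/--password,
# so they never appear in the process list or the shell history.
use_download_credentials() {
    : "${EVIMETRY_USER:?set EVIMETRY_USER}" "${EVIMETRY_PASSWORD:?set EVIMETRY_PASSWORD}"
    WGETRC=$(mktemp)
    chmod 600 "$WGETRC"
    printf 'user=%s\npassword=%s\n' "$EVIMETRY_USER" "$EVIMETRY_PASSWORD" > "$WGETRC"
    export WGETRC
    trap 'rm -f "$WGETRC"' EXIT
}

# Download one URL to a local path and log its SHA-256 for the deployment record.
fetch() {
    wget --quiet --output-document="$2" "$1"
    sha256sum "$2" | tee -a "$LOG"
}

deploy_light_agent() {    # $1 = Evimetry Repository Agent address
    build=$(build_for_arch "$(uname -m)")
    use_download_credentials
    for f in evimetry.agent ca.cer lightAgent.cer lightAgent.key; do
        fetch "$BASE_URL/lightagents/$build/$f" "./$f"
    done
    chmod 700 ./evimetry.agent
    chmod 600 ./lightAgent.key        # private key: owner-readable only
    ./evimetry.agent "$1"
}

deploy_repository() {     # $1 = expected image size in GiB, $2 = storage directory
    dir="${2:-.}"
    has_free_space "$dir" "$1" || { echo "need $1 GiB free in $dir" >&2; return 1; }
    use_download_credentials
    fetch "$BASE_URL/agent/install_script_ubuntu.sh" ./install_script_ubuntu.sh
    "${PAGER:-less}" ./install_script_ubuntu.sh     # review before executing
    bash ./install_script_ubuntu.sh
}

case "${1:-}" in
    agent)      deploy_light_agent "${2:?REPOSITORY_IP required}" ;;
    repository) deploy_repository "${2:?IMAGE_SIZE_GIB required}" "${3:-}" ;;
    "")         ;;   # no mode given: only define the functions
    *)          echo "usage: $0 agent REPOSITORY_IP | repository IMAGE_SIZE_GIB [DIR]" >&2; exit 64 ;;
esac
```

On a suspect machine, run the agent mode from the attached USB or optical media where the page's preferred approach applies, so that the binary, certificates and key are not written to the evidence disk; the repository mode's size argument is simply the total capacity of the disks you intend to image.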