Evimetry provides a range of acquisition methods for acquiring physical disk images. These range from the traditional linear complete image, to next-generation image types, such as non-linear partial images. These acquisition methods are selectable via the Acquisition Settings dialog, as the Acquisition Mode.
Full linear mode creates a traditional forensic image by reading and preserving each block of the suspect device in linear order.
Allocated only mode creates a partial physical image which contains primarily the allocated content of the suspect disk. This works by first preserving the volume metadata (such as the MBR and GPT), then the filesystem metadata (for example the NTFS MFT), and then using the allocation bitmap (or equivalent) metadata of the filesystem to identify the allocated areas.
This mode of acquisition will not preserve filesystem unallocated regions or unallocated volume space.
Allocated and Remainder
Produces a complete physical image, however the order of preservation is non-linear. First an Allocated only acquisition is undertaken, followed by the acquisition of all remaining unallocated blocks. This acquisition style is primarily used in Evimetry Lab to ensure that file content is acquired first, so that processing tools have low-latency and high-bandwidth access to it.
Produces a non-linear partial image, which contains volume metadata, filesystem metadata, and file content selected by category and priority. File categories are selected via the Non-Linear Partial Settings dialog, which is next in the wizard.
The categories are defined as path-based regular expressions and can be easily extended by editing the queries.yml file found in the path "C:\Program Files\Evimetry\configuration" or "\$PROFILE\AppData\Local\evimetry\configuration\". An example of the definition of the "System Log Files" category is below:
name: System Log files
description: "*.log, *.evt*, /var/log/*, etc."
priority: 3
parameters:
  - ^.+\.(log|evt|evtx)$
  - ^\\var\\log\\.*$
  - ^\\private\\var\\log\\.*$
  - ^.+\\system32\\wdi\\logfiles\\.+\.etl$
  - ^.+\\system32\\logfiles\\wmi\\.+\.etl$
  - ^.+\\system32\\logfiles\\wmi\\rtbackup\\.+\.etl$
  - ^.+\\system32\\sleepstudy\\.+\.etl$
  - ^.+\\inf\\setupapi.+\.log$
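When extending queries.yml it is worth checking that every pattern compiles and that it matches the paths you expect before running an acquisition. The following is an added example, not Evimetry's own code: it mirrors the "System Log files" category above, validates its patterns, and tests them against constructed sample paths. It assumes paths are volume-relative with backslash separators (which is what the `^\\var\\log\\` patterns imply) and that matching is case-insensitive; neither is stated on the page.

```python
import re

# Mirrors the "System Log files" entry from queries.yml shown above.
SYSTEM_LOG_FILES = {
    "name": "System Log files",
    "description": "*.log, *.evt*, /var/log/*, etc.",
    "priority": 3,
    "parameters": [
        r"^.+\.(log|evt|evtx)$",
        r"^\\var\\log\\.*$",
        r"^\\private\\var\\log\\.*$",
        r"^.+\\system32\\wdi\\logfiles\\.+\.etl$",
        r"^.+\\system32\\logfiles\\wmi\\.+\.etl$",
        r"^.+\\system32\\logfiles\\wmi\\rtbackup\\.+\.etl$",
        r"^.+\\system32\\sleepstudy\\.+\.etl$",
        r"^.+\\inf\\setupapi.+\.log$",
    ],
}

def validate_category(category):
    """Return (pattern, error) pairs for patterns that fail to compile; empty means OK."""
    errors = []
    for pattern in category["parameters"]:
        try:
            re.compile(pattern)
        except re.error as exc:
            errors.append((pattern, str(exc)))
    return errors

def matching_patterns(path, category):
    """Return the patterns of the category that accept the given volume-relative path."""
    # Case-insensitive matching is an assumption (NTFS paths are case-insensitive);
    # the page does not say how Evimetry compares paths against these expressions.
    compiled = [re.compile(p, re.IGNORECASE) for p in category["parameters"]]
    return [r.pattern for r in compiled if r.search(path)]

def in_category(path, category):
    return bool(matching_patterns(path, category))

# Constructed sample paths (volume-relative, backslash separated).
SAMPLE_PATHS = [
    r"\Windows\System32\winevt\Logs\Security.evtx",
    r"\var\log\syslog",
    r"\Windows\System32\wdi\LogFiles\BootCKCL.etl",
    r"\Windows\inf\setupapi.dev.log",
    r"\Users\alice\Documents\report.docx",
]

if __name__ == "__main__":
    print("compile errors:", validate_category(SYSTEM_LOG_FILES))
    for path in SAMPLE_PATHS:
        print(path, "->", matching_patterns(path, SYSTEM_LOG_FILES))
```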
Creates an empty non-linear acquisition container, preserving only those blocks that are read from the suspect device via a shared virtual disk.
Sharing: Live analysis
While acquisition is underway using any of the above acquisition modes (except linear), you can do live analysis on the in-progress image by sharing it as a virtual disk. Right-click on the in-progress acquisition in the Active Operations pane of the Controller and select "Share". This causes an iSCSI target to be created that is backed by the in-progress image. On Windows, the virtual iSCSI disk will additionally be attached to the computer (Linux and MacOS users can manually configure an iSCSI initiator).
From there, point a forensic tool at the virtual drive. Any reads of evidence that has already been acquired will result in blocks being read from the partial image. Any reads related to blocks that have not yet been acquired will cause the blocks to be acquired from the suspect device, stored in the image, and then handed off to the forensic tool.
Capture auto close
By default, Evimetry assumes you might want to do some live analysis during acquisition, or widen the scope of the acquisition once your first task is done. In this way, an allocated-only acquisition might be widened to a complete acquisition, or a partial acquisition of all pictures might be widened out to all pictures and office documents.
For this to occur, by default the acquisition session does not close automatically. If you want to finalise an acquisition session, use the "Stop" action of the acquisition by right-clicking on it. If you want the acquisition to close automatically on completion of the configured task, tick the "Capture Auto Close" checkbox when creating the acquisition.
While a non-linear acquisition is underway, one may modify the goals of the acquisition. For example, one might start with a focused acquisition of triage-related artefacts, then undertake live analysis, and then widen the scope again to include all Office documents, or wider still, all allocated content.
One may additionally choose to acquire any blocks of the suspect device that would not otherwise be acquired by the current goals.
This can be achieved by right-clicking on the active acquisition and choosing Modify, then choosing "Acquire the Remainder of the device". See the image below for an example of the options available.
This option is similar in concept to, but broader in scope than, the "remainder" in an "Allocated + Remainder" acquisition. For example, if you acquire just the registries on an NTFS filesystem using a Nonlinear partial acquisition, you would have all the volume metadata, filesystem metadata, and the registry files. However, you would be missing the remainder of the allocated blocks and all of the unallocated blocks. "Acquire remainder" would in this instance acquire all of the remaining allocated blocks and the unallocated blocks.
Full disk encryption
Evimetry does not currently support interpreting full disk encryption products such as Bitlocker and Filevault2. Partial or allocated mode acquisitions will fail to interpret the encrypted filesystem, and consequently will not acquire any content related to those filesystems.
In such cases we recommend undertaking a full acquisition of the suspect physical disk using Full Linear mode.