This tutorial describes a simple linear acquisition workflow using the Dead Boot Agent and direct attached storage. This technique is useful in a range of situations:
- where it is difficult or impractical to remove the internal storage from a computer (for example, a MacBook Air with a non-standard storage interface)
- where removal and separate imaging of storage adds inefficiencies (for example, RAID arrays, whose members would otherwise have to be imaged individually and reassembled)
- where the internal read bandwidth of the suspect storage exceeds what SATA or SAS I/O can deliver, so that imaging in place is faster than imaging through an external interface
Download and Install the Controller
Evimetry is fundamentally network based, with all operations being controlled over the network by the Evimetry Controller Application.
1. Download and install the Evimetry Controller Application.
Prepare the evidence media
Preserving the integrity of evidence is fundamental to forensic practice. A significant challenge in forensic live CD workflows is reliably distinguishing suspect storage media from evidence storage media, and reliably managing software write blocking of those devices. Evimetry provides a range of options for fitting your workflow. The default approach is to allow unlocking (disabling write blocking) only for storage devices that have been "blessed" in advance on the Controller; every other device attached to an agent stays write blocked.
2. Attach the evidence storage device to the Controller computer.
3. Partition and format the evidence storage device to contain a single exFAT partition using the OS partitioning tools.
4. Refresh the Controller node by right clicking it and selecting "Refresh".
5. Select the evidence storage drive, right click, and select "Bless"
Prepare the dead boot agent
6. Download the Evimetry Dead Boot Agent ISO Image.
7. Write the ISO image to a CD or a USB key. Our tool of choice for bootable USB keys is Rufus. The following Rufus settings have been tested to boot both PC and Mac hardware:
- Partition Scheme: MBR Partition Scheme for BIOS or UEFI Computers.
- File System: FAT32
Boot the suspect computer with the dead boot agent
Use the BIOS/EFI boot menu of the suspect computer to boot from the USB key. Select the USB key explicitly: if the machine falls through to its internal disk, the installed operating system will start and write to the suspect storage.
8. Connect the suspect computer to the same network as the Controller.
9. Boot the suspect computer using the Dead Boot USB key as the boot device.
Connect to the dead boot agent
Evimetry agents and controllers automatically discover each other when connected to the same LAN segment.
10. Connect to the dead boot agent using "File | Connect to agent" on the Controller.
Prepare a destination for evidence storage
Preservation requires that we have a location to store evidence. Evimetry agents will store evidence either to locally attached storage or to Evimetry evidence repositories accessible via the network. In this scenario we are using direct attached storage.
11. Attach the blessed evidence storage disk to the suspect computer via USB.
12. Refresh the suspect computer node in the Controller so that the newly attached evidence storage device appears.
13. Find the evidence storage device under the suspect computer node. Because the device is blessed, it appears with a green tick overlaid. Unlock it by right clicking and selecting "Unlock". All other storage devices remain write blocked and cannot be unlocked.
14. Add a storage location (repository) to the now unlocked evidence storage device. Right click and click "Add repository".
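Before starting the acquisition it is worth confirming, from the agent's point of view, that the evidence drive is the only writable block device. The following is an added example written for this tutorial, not Evimetry's own code: it parses the `KEY="value"` output of `lsblk -P -o NAME,PKNAME,TYPE,RO,LABEL,SERIAL` as it would be captured on a Linux boot environment, and identifies the evidence drive by the partition label given at format time together with the disk serial recorded when the drive was blessed, so that a suspect disk carrying a partition with the same label is not mistaken for it. The sample `lsblk` output, the label `EVIDENCE` and the serial numbers are constructed.

```python
"""Confirm that only the blessed evidence drive is writable on the agent.

Added illustration for this tutorial (not Evimetry's own code). Input is the
output of `lsblk -P -o NAME,PKNAME,TYPE,RO,LABEL,SERIAL`; the sample below is
constructed.
"""
import shlex

# Constructed sample: sda is a suspect disk (write blocked), sdb is the blessed
# exFAT evidence drive after "Unlock", and nvme0n1 is a second suspect disk that
# has wrongly been left writable and even carries a decoy "EVIDENCE" partition.
SAMPLE_LSBLK = """\
NAME="sda" PKNAME="" TYPE="disk" RO="1" LABEL="" SERIAL="WD-SUSPECT0001"
NAME="sda1" PKNAME="sda" TYPE="part" RO="1" LABEL="System Reserved" SERIAL=""
NAME="sdb" PKNAME="" TYPE="disk" RO="0" LABEL="" SERIAL="EVIDENCE-USB-42"
NAME="sdb1" PKNAME="sdb" TYPE="part" RO="0" LABEL="EVIDENCE" SERIAL=""
NAME="nvme0n1" PKNAME="" TYPE="disk" RO="0" LABEL="" SERIAL="SSD-SUSPECT0002"
NAME="nvme0n1p1" PKNAME="nvme0n1" TYPE="part" RO="0" LABEL="EVIDENCE" SERIAL=""
"""


def parse_lsblk(text):
    """Turn `lsblk -P` lines into a list of dicts keyed by column name."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        row = {}
        for token in shlex.split(line):          # shlex handles quoted values with spaces
            key, _, value = token.partition("=")
            row[key] = value
        rows.append(row)
    return rows


def check_write_blocking(rows, evidence_label, evidence_serial):
    """Return a list of problems; an empty list means the blessed evidence drive
    (and nothing else) is writable.

    evidence_serial is the disk serial recorded when the drive was blessed, so a
    label alone (which any suspect disk could carry) is never trusted on its own.
    """
    problems = []
    by_name = {r["NAME"]: r for r in rows}
    allowed = set()
    for part in rows:
        if part["TYPE"] != "part" or part["LABEL"] != evidence_label:
            continue
        disk = by_name.get(part["PKNAME"])
        if disk is None or disk["SERIAL"] != evidence_serial:
            problems.append(f"{part['NAME']} carries label {evidence_label!r} "
                            f"but its disk is not the blessed device")
            continue
        allowed.update({part["NAME"], disk["NAME"]})
    if not allowed:
        problems.append("blessed evidence drive not found")
    for r in rows:
        if r["RO"] == "0" and r["NAME"] not in allowed:
            problems.append(f"{r['NAME']} (serial {r['SERIAL'] or 'n/a'}) "
                            f"is writable but is not the evidence drive")
    return problems


if __name__ == "__main__":
    for p in check_write_blocking(parse_lsblk(SAMPLE_LSBLK), "EVIDENCE", "EVIDENCE-USB-42"):
        print("PROBLEM:", p)
```

Run against the constructed sample, the check reports the decoy partition on `nvme0n1` and both `nvme0n1` and `nvme0n1p1` as writable; on a correctly prepared agent it returns nothing, and only then should the acquisition be started.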
Acquire the suspect device
We are now able to acquire an image to the unlocked repository.
15. Find the suspect evidence device you wish to acquire.
16. Right click and select "Acquire".
17. Add case details.
17. Choose the destination storage repository and container file name by selecting "Add".
18. Choose "Full Linear" as the acquisition mode. This reads the whole device sequentially from the first sector to the last.
20. Click "OK" to acquire.
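To make concrete what a full linear acquisition does, and what a practitioner should check afterwards, here is an added example written for this tutorial; it is not Evimetry's acquisition code and the page does not describe Evimetry's container format or hashing. It images a seekable device sequentially from offset 0 to the end, retries a failed chunk one sector at a time so that only genuinely unreadable sectors are zero-filled (recording their numbers), writes a raw image, and computes a SHA-256 over the bytes written so the image can be verified later. The `FlakyDevice` stand-in for a failing disk, the 1 MiB sample content and the choice of SHA-256 are assumptions made for the example.

```python
"""Full linear acquisition in miniature, with bad-sector handling and verification.

Added illustration for this tutorial, not Evimetry's code. On a real Linux boot
environment `dev` would be the file object from open("/dev/sdX", "rb"); here the
device is constructed.
"""
import hashlib
import io
import os
import tempfile

SECTOR = 512


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a suspect disk: a read that touches any offset
    in `bad` raises OSError, as a failing drive returns EIO."""

    def __init__(self, data, bad):
        super().__init__(data)
        self.bad = set(bad)

    def read(self, n=-1):
        start = self.tell()
        end = start + n if n >= 0 else len(self.getvalue())
        if any(start <= b < end for b in self.bad):
            raise OSError(5, "Input/output error")
        return super().read(n)


def acquire_linear(dev, out, size, chunk=64 * SECTOR):
    """Image `size` bytes of `dev` into `out` in order, first sector to last.
    Returns (sha256 hex of the bytes written, list of unreadable sector numbers)."""
    digest = hashlib.sha256()
    bad_sectors = []
    offset = 0
    while offset < size:
        length = min(chunk, size - offset)
        dev.seek(offset)
        try:
            data = dev.read(length)
        except OSError:
            # Fall back to single-sector reads so only the bad sector is lost.
            data = bytearray()
            for s in range(offset, offset + length, SECTOR):
                want = min(SECTOR, offset + length - s)
                dev.seek(s)
                try:
                    data += dev.read(want)
                except OSError:
                    data += b"\0" * want          # zero-fill, but record it
                    bad_sectors.append(s // SECTOR)
        if len(data) != length:
            raise IOError(f"short read at offset {offset}: {len(data)} of {length} bytes")
        out.write(data)
        digest.update(data)
        offset += length
    return digest.hexdigest(), bad_sectors


def verify_image(path, expected_hex):
    """Re-read the image from disk and compare its SHA-256 with the acquisition hash."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest() == expected_hex


def demo():
    """Constructed run: a 1 MiB device with one unreadable sector (number 300)."""
    data = bytes(range(256)) * 4096                       # deterministic sample content
    dev = FlakyDevice(data, bad=[300 * SECTOR + 17])      # fault inside sector 300
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "suspect.raw")
        with open(path, "wb") as out:
            acq_hash, bad = acquire_linear(dev, out, len(data))
        verified = verify_image(path, acq_hash)
        with open(path, "rb") as f:
            image = f.read()
    expected = bytearray(data)
    expected[300 * SECTOR:301 * SECTOR] = b"\0" * SECTOR   # what the image should hold
    clean_hash, _ = acquire_linear(io.BytesIO(data), io.BytesIO(), len(data))
    return {
        "bad_sectors": bad,
        "image_verified": verified,
        "image_matches_zero_filled_source": bytes(expected) == image,
        "clean_hash_matches_source": clean_hash == hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    print(demo())
```

Two points the example makes explicit: on a clean device the acquisition hash equals the hash of the source, so it is the value to record in the case notes; on a device with unreadable sectors the acquisition hash is the hash of the image actually written, and the list of zero-filled sectors must be recorded alongside it, because the source can no longer be hashed independently.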
This guide has only stepped through the basics of a simple acquisition. It hasn't discussed a range of other features of Evimetry such as:
- Analysis while you acquire
- Partial acquisition
- Live agent evidence sources
- Multi-destination evidence storage
- Remote device preview
At this point the evidence storage device containing the acquired image might be mounted as a virtual drive for analysis, transferred across the network to another Evimetry agent, or quickly converted into a standard evidence format such as raw or EWF.