This tutorial describes a simple linear acquisition workflow, using the Imager UI (a part of the Deadboot Agent) to acquire to direct-attached storage for maximum speed. This technique is useful in a range of instances:
- where it is difficult or impractical to remove internal storage from a computer (for example MacBook Air with non-standard storage interfaces)
- where removal and separate imaging of storage adds inefficiencies (for example RAID arrays)
- where internal read bandwidth of the suspect storage exceeds SATA and SAS IO speeds
Prepare Deadboot USB
The first task is to create a Deadboot USB, from which the suspect computer will be booted.
In this instance, use a USB3 hard drive of a reasonable size: 250GB or larger. This will allow storage of evidence directly to the deadboot disk.
1. Download the Evimetry Dead Boot Agent ISO Image and Evimetry Controller.
2. Install the Evimetry Controller.
3. Attach your intended Dead Boot USB media to the Controller computer, and refresh the Controller node in the Fabric Nodes pane.
Dead Boot Media must be empty. For safety, Evimetry will only create a Dead Boot USB on empty media. This means that you will need to delete any partitions from a non-empty drive first. Careful users may disable this default behaviour in the Preferences.
4. Right click on the intended Dead Boot USB media and choose "Create Deadboot".
5. Select the Evimetry Dead Boot Agent ISO you downloaded earlier.
6. Acknowledge that you are overwriting the media.
7. On completion of writing, the media will be provisioned as a Dead Boot Agent, bootable by Legacy (BIOS) and UEFI Windows computers, and Intel Macs.
Large USB Hard Drives will be provisioned as a Hybrid Dead Boot USB, with the second partition formatted with exFAT as a Blessed Evidence Storage Repository. This enables one to connect a single disk for dead boot & evidence storage, saving scarce USB ports on some computers.
Login to web service
For one-off acquisitions Evimetry supports binding a licence directly to a Deadboot, provided that the USB drive supports UASP. This is convenient for low port-count laptops such as Surface tablets, and avoids the need for a network connection for sharing of licences. This functionality is tied to the Evimetry Portal (MyEvimetry), and requires your Portal credentials.
1. Find the Evimetry web service account button using the button in the top right hand corner of the Controller.
2. Click and select "Login to MyEvimetry".
3. Enter your Evimetry Portal credentials.
Licence deadboot for dongle-less use
With the Controller authenticated against the MyEvimetry portal, you can now provision a dongle-less licence.
Dongle-less licencing only works for UASP USB disks. Most USB3 hard drives and SSDs produced after 2017 support UASP/UAS. A simple way to tell whether your device supports UASP in Windows 10 is to eject the device: the "Safe To Remove Hardware" dialog indicates whether it is a UAS device.
1. Right click on the Deadboot you have provisioned.
2. Select "Provision imager".
3. Select the licence type you wish to use.
4. Click through the confirmation that your licence has been issued to the drive. The deadboot is now ready for use, with a licence that expires in 48 hours.
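The two pre-flight requirements above (the Dead Boot media must carry no partitions, and the drive must be a UASP/UAS device for a dongle-less licence) can be checked from the Controller computer before you right-click anything. The following PowerShell is an added example, not Evimetry's own code or part of the original tutorial. It assumes a Windows 10 Controller with the built-in Storage module (Get-Disk, Get-Partition, Clear-Disk), that USB-attached disks report BusType 'USB', and that Windows binds UAS devices to the "UASPStor" service (uaspstor.sys); a drive on the older USBSTOR bulk-only path will not appear in the UAS list.

```powershell
# Added example (not Evimetry's code): pre-flight checks for a candidate
# Dead Boot USB, run on the Windows Controller computer.
# Assumptions: Storage module cmdlets are available, USB disks report
# BusType 'USB', and UAS devices are bound to the 'UASPStor' service.

function Get-UsbDiskReport {
    # One row per USB-attached disk: disk number, name, size, partition
    # count, and whether it satisfies the "media must be empty" rule.
    Get-Disk | Where-Object BusType -eq 'USB' | ForEach-Object {
        $parts = @(Get-Partition -DiskNumber $_.Number -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Number           = $_.Number
            FriendlyName     = $_.FriendlyName
            SerialNumber     = $_.SerialNumber
            SizeGB           = [math]::Round($_.Size / 1GB, 1)
            PartitionStyle   = $_.PartitionStyle
            PartitionCount   = $parts.Count
            EmptyForDeadboot = ($parts.Count -eq 0)   # Controller only accepts empty media
        }
    }
}

function Get-UaspDevice {
    # Plug-and-play devices bound to the UAS driver. A USB drive whose
    # bridge does not appear here is running as a BOT (USBSTOR) device and
    # will not accept a dongle-less licence.
    Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.Service -eq 'UASPStor' } |
        Select-Object Name, DeviceID, Status
}

function Clear-CandidateDeadbootDisk {
    # Remove every partition from a non-empty USB disk so the Controller
    # will accept it. Refuses non-USB disks and prompts before destroying
    # data; double-check the disk number against Get-UsbDiskReport first.
    param([Parameter(Mandatory)][int]$DiskNumber)
    $disk = Get-Disk -Number $DiskNumber
    if ($disk.BusType -ne 'USB') {
        throw "Disk $DiskNumber is $($disk.BusType)-attached, not USB; refusing to clear it."
    }
    Clear-Disk -Number $DiskNumber -RemoveData -RemoveOEM -Confirm
}

# Usage: review the reports, then clear only the disk you intend to use.
Get-UsbDiskReport | Format-Table -AutoSize
Get-UaspDevice    | Format-Table -AutoSize
# Clear-CandidateDeadbootDisk -DiskNumber 2   # uncomment after confirming the number
```

Run it from an elevated PowerShell session, since Get-Disk and Clear-Disk require administrator rights. A disk that shows EmptyForDeadboot as True and whose bridge is listed by Get-UaspDevice meets both requirements; a disk that is listed as USB but absent from the UAS list can still be used as a Dead Boot USB, just not with a dongle-less licence.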
Boot the suspect computer with the dead boot agent
Use the BIOS/EFI boot method of the computer to boot from the USB drive.
1. Wait for the Imager UI to show onscreen. The picture is of our legacy console-based imager UI, which is provided for older computers.
Select suspect storage and evidence storage device
The Deadboot USB is automatically identified by Evimetry and omitted from the candidate suspect devices. The remainder of the Deadboot is automatically detected as an allowed evidence storage device.
1. Find the suspect evidence device you wish to acquire.
2. Select the device by toggling its radio button.
3. Select the destination device (or devices if you are licenced for multiple destinations).
4. Press acquire.
Add acquisition details
Only Blessed devices are eligible for use as an evidence destination.
1. Enter the examiner name or ID.
2. Enter the case name or ID.
3. Enter the case description.
4. Modify the image filename to suit.
5. Press OK.
On completion of acquisition, shut down the deadboot agent and you are ready for analysis.
Proceed to analysis
This guide has stepped through the basics of a simple acquisition. To access the image, connect the deadboot drive to your analysis computer and use the filesystem bridge to access the image.
Learn how to access an image