This tutorial describes an advanced linear acquisition workflow for a physical disk or volume on a live computer running the Evimetry Live Agent. Unlike the simple acquisition methodology described in the tutorial titled "Local network live disk acquisition", this workflow employs a Deadboot agent and storage colocated on the same remote network as the suspect computing device. This enables acquisition to proceed at LAN speeds and reliability, avoiding slower WAN bottlenecks and dropouts.
This technique works for:
- Windows XP, Vista, 7, 8, 10, Server 2003, 2008, 2012, 2016 (32 and 64 bit support)
- MacOS Mountain Lion (10.8) through Sierra (10.12). For High Sierra (10.13) and above, access to physical disk is no longer available (watch this space).
- Linux x64 & x86
Use cases for employing the live agent include:
- Acquisition of live endpoints in a branch office.
- Acquisition of mission-critical IaaS cloud servers that cannot reasonably be powered off for acquisition.
- Acquisition of remote or virtual servers where the physical disk is physically inaccessible.
This tutorial in particular focuses on the Windows live agent. Adjust command line syntax to suit.
Provision a deadboot repository agent
This workflow requires a deadboot agent with a blessed storage drive physically located at the branch office. This could be achieved by, for example:
- Provisioning and booting a deadboot agent and blessed drive remotely via remote desktop, using remote hands to boot a spare laptop or workstation, then reporting the IP address of the deadboot agent.
- Provisioning the same locally in conjunction with a small computing device (such as an Intel NUC), and shipping the device to the branch office, where remote hands plug it in and switch it on.
- Using a virtualisation platform at the remote site to provision a blessed drive, and boot into the Deadboot ISO directly as a virtual server.
1. Boot the remote Deadboot Repository Agent and identify the IP address.
The deadboot agent automatically starts with the Evimetry Imager UI visible. The UI displays the IP address automatically. In this example, you can see that the Intel NUC has an internal NVMe drive, and has a blessed 500GB Samsung T5 SSD attached for evidence storage.
Connect to the remote deadboot by IP address.
2. In your local Controller, go to File | Connect to agent.
3. Manually enter the IP address of the remote Deadboot Repository agent. In this example it is 10.0.51.242
The agent is now visible in the Fabric nodes pane of the controller. Note the locks indicating write blocking, and the green tick, which indicates that the drive is blessed for use as a repository.
Enable evidence storage on a blessed drive
4. Right click on the blessed drive, and select "Add repository".
Write blocking is now removed from the blessed drive, and the drive mounted as a storage repository.
Connect the live agent to the deadboot storage repository computer
5. Either copy the live agent executable to the suspect computer, along with the required security certificates, or attach a USB containing them. They can be downloaded from the Evimetry portal. A simple option for testing is to pull the agent directly from the portal.
6. On the suspect computer, connect the live agent to the storage repository by running the following in an elevated command shell, substituting the IP address with the IP address of the Controller computer:
The live agent starts up, installs the volatile memory acquisition driver, shares disks, and connects using TLS 1.2 to the storage repository.
Back on the Controller computer, the live agent will become visible in the Fabric Nodes view of the Controller, from which its RAM and Disks can be operated on.
7. Right click on the disk node of the connected live agent.
Enter acquisition details
8. Enter in the evidence name, examiner, and description.
9. Press "Add" to add in the destination repository.
10. Choose the destination as the Repository created above and press OK.
11. Select "Full linear" as the mode and the desired hash algorithms and click OK to acquire.
The acquisition starts and is visible in the Active Operations pane.
This guide has only stepped through the basics of an advanced remote live disk to deadboot storage agent acquisition, focusing on Windows as a target. Variants of this workflow include:
- Configuration of the deadboot with a static IP address
- Configuration of the deadboot for a reverse connection back from the remote network
- Partial disk acquisition
- Substitution of a cloud agent for a deadboot agent
- Live analysis of the remote disk