This tutorial describes a simple full linear acquisition workflow for imaging the disk of a live computer running the Evimetry Live Agent. Acquisition occurs across the network, with the disk image stored as an AFF4 file in a repository on a Controller computer. This technique works for:
- Windows XP, Vista, 7, 8, 10, Server 2003, 2008, 2012, 2016 (32- and 64-bit)
- macOS Mountain Lion (10.8) through Sierra (10.12). On High Sierra (10.13) and above, access to the physical disk is no longer available (watch this space).
- Linux x64 and x86
Use cases for employing the live agent include:
- Acquisition of mission critical servers that cannot reasonably be powered off for acquisition
- Acquisition of remote or virtual servers where the physical disk cannot be accessed
- Acquisition of the decrypted contents of Full Disk Encrypted (FDE) volumes, which are readable only while the running operating system holds the decryption key
This tutorial focuses on the Windows live agent. For other platforms you will need to adjust the command line syntax to suit.
Create a repository for storing the image
All acquisition operations in Evimetry require a destination Repository for storage. This could be a Dead Boot Agent, a Cloud Agent, or a Controller. In this instance we will acquire to a Controller.
1. In the Evimetry Controller, right click the Controller node in the Fabric Nodes view, and select Add Repository
2. Select a local folder to use as your Repository.
The repository is now visible in the Fabric Nodes pane of the Controller. You now have somewhere to save forensic images to.
Connect the live agent to the repository computer
3. Either copy the live agent executable, along with the required security certificates, to the suspect computer, or attach a USB drive containing them. Both can be downloaded from the Evimetry portal. A simple option for testing is to pull the agent directly from the portal.
4. Determine the IP address of the Repository (in this case the Controller).
5. Connect the live agent to the Repository by running the following in an elevated command shell, substituting the IP address with the IP address of the Controller computer:
The live agent will become visible in the Fabric Nodes view of the Controller, from which its RAM and Disks can be operated on.
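The staging and connectivity steps above can be scripted so that the exact agent binary and certificates used are documented before the agent is started. The following PowerShell script is an added example and is not part of the Evimetry documentation or the Evimetry agent itself: it copies the agent files to the staging location, writes a SHA-256 manifest for the case notes, and checks that the Controller is reachable. The file names, folder paths, Controller address and TCP port are placeholders assumed for illustration; adjust them to match your deployment and the agent's configured port.

```powershell
# Added example (not Evimetry's own code): stage the live agent and its
# certificates, record their SHA-256 hashes, and confirm the Controller
# is reachable before launching the agent in an elevated shell.
# Assumptions (not taken from the original page): the file names, the
# source/destination folders, and the Controller port are placeholders.

$AgentFiles     = @('evimetry-live-agent.exe', 'agent.crt', 'agent.key', 'ca.crt')  # assumed names
$Source         = 'C:\Tools\Evimetry'   # assumed folder holding the files downloaded from the portal
$Destination    = 'E:\Evimetry'         # assumed USB drive or folder on the suspect computer
$ControllerIp   = '192.168.1.10'        # replace with the Controller's IP address (step 4)
$ControllerPort = 443                   # assumed; use the port the agent is configured to connect to
$ManifestPath   = Join-Path $Destination 'manifest.txt'

# 1. Copy the agent executable and certificates to the staging location.
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
foreach ($f in $AgentFiles) {
    Copy-Item -Path (Join-Path $Source $f) -Destination $Destination -Force
}

# 2. Record SHA-256 hashes of the staged files so the examiner can document
#    exactly which binaries were run on the suspect system.
$manifest = foreach ($f in $AgentFiles) {
    $h = Get-FileHash -Algorithm SHA256 -Path (Join-Path $Destination $f)
    '{0}  {1}' -f $h.Hash, $f
}
$manifest | Set-Content -Path $ManifestPath
Write-Host "Wrote hash manifest to $ManifestPath"

# 3. Confirm the Controller answers on the expected port from this host.
#    Test-NetConnection requires Windows 8 / Server 2012 or later; on older
#    targets, check reachability with ping and a firewall review instead.
$probe = Test-NetConnection -ComputerName $ControllerIp -Port $ControllerPort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    Write-Error "Controller ${ControllerIp}:${ControllerPort} is not reachable; check the IP address and host firewall."
    exit 1
}
Write-Host "Controller reachable. Start the live agent from $Destination in an elevated command shell."
```

Run the script from an elevated PowerShell prompt on the suspect computer after the files are available to it. The manifest records the staged files only; the agent itself is still started with the Evimetry command line from step 5, and the hash manifest should be kept with the case notes alongside the acquisition hashes chosen in the acquisition dialog.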
Enter acquisition details
6. Right click on the disk node of the connected live agent.
7. Enter in the evidence name, examiner, and description.
8. Press "Add" to add in the destination repository.
9. Choose the destination as the Repository created above and press OK.
10. Select "Full linear" as the mode and the desired hash algorithms and click OK to acquire.
The acquisition starts and is visible in the Active Operations pane.
This guide has only stepped through the basics of a live disk acquisition, focusing on Windows as a target. Variants of this workflow include:
- Usage of a co-located dead boot storage agent for scalability.
- Partial disk acquisition.
- Live analysis of the remote disk.
- Usage of multiple storage repositories for extra speed.