Advanced Evimetry Forensic Acquisition: Allocated, Non-Linear Partial, and Live Images

Additionally, in this course we cover options for pulling or pushing the Evimistry live collection agent directly from the my.evimetry.com website to a running computer.  We walk through each of these scenarios step-by-step using all the Evimetry tools.

Prerequisites

• Before any forensic acquisition you must document the evidence
• See my Cybrary course: “Evidence Handling: Do it the Right Way”
• See my Cybrary course: “Basic Evimetry Deadboot Forensic Acquisition: Wired & Local”
• Get a full featured, evaluation copy of Evimetry (Link found in Syllabus)
• Internet connected computer
• An “evidence” computer or drive
• A USB thumbdrive for dead booting
• A network
• A DHCP source
• A storage drive (USB3 External)

Course Goals

By the end of this course, students should be able to:

• Create an Evimetry Allocated-Only Forensic Image
• Create an Evimetry Non-Linear Partial Forensic Image (File-Type Image)
• Create an Evimetry Live Forensic Image of a Windows Target System
• Examine the Downloadable Pull & Push Evimetry Live Agents

• Introduction
• Introduction
• Allocated-Only, Non-Linear Partial and Live Images
• Evimetry Allocated-Only
• Creating an Allocated-Only Image
• Evimetry Non-Linear Partial
• Creating a Non-Linear Partial Image
• Evimetry Live (Light) Agent
• Running the Evimetry Light Agent
• Pull or Push the Evimetry Light Agent
• Conclusion
• Course Summary