Basic Evimetry Deadboot Forensic Acquisition: Wired and Local

In this course we will do the more common practice of creating a forensic image on the local computer but managing the entire process across a CAT6 network from the Evimentry Windows Controller. We’ll also revisit writing our forensic images to “blessed” storage media.

Prerequisites

• Before any forensic acquisition you must document the evidence
• See my Cybrary course: “Evidence Handling: Do it the Right Way”
• See my Cybrary course: “Introduction to the Evimetry Controller”
• Internet connected computer
• An evaluation copy of Evimetry
• An “evidence” computer or drive
• A CAT5 or CAT6 wired network
• A DHCP source
• A storage drive (USB3 External)

Course Goals

By the end of this course, students should be able to:

• Create an Evimetry Deadboot USB dongle
• Deadboot a target computer for Evimetry Acquisition
• Use the Evimetry License Dongle to perform a local acquisition from the Deadboot dongle
• Utilize the Evimetry Deadboot USB dongle and Evimetry Controller to manage a forensic acquisition across a wired network

• Module 1: Introduction
• 1.1 Introduction
• Module 2: Preparing for the Acquisition
• 2.1 Create an Evimetry Deadboot USB
• 2.2 Creating a Blessed Storage Drive
• 2.3 Two Methods of Deadboot Acquisition
• 2.4 Evimetry Deadboot Forensic Acquisition Tools
• Module 3: Using Evimetry Deadboot for Forensic Acquisition
• 3.1 Evimetry Deadboot Operation: Getting Started
• 3.2 Managing the Acquisition Process from the Controller
• 3.3 Acquisition Summary
• Module 4: Course Summary
• 4.1 Course Summary