Handling BitLocker and FileVault 2: Evimetry and Mount Image Pro
Offered By: Cybrary
Course Description
Overview
During the course we will collect a FileVault 2 encrypted MacBook Air in minutes without breaking a sweat using Evimetry. Once we have a series of fully encrypted forensic images, we will use GetData Mount Image Pro to decrypt our forensic images and make the data available for further forensic analysis.
Prerequisites
- Before any forensic acquisition you must document the evidence
- See my Cybrary course: “Evidence Handling: Do it the Right Way”
- See my Cybrary course: “Basic Evimetry Deadboot Forensic Acquisition: Wired & Local”
- A full-featured, evaluation copy of Evimetry
- An evaluation copy of Mount Image Pro
- An Internet-connected computer
- An encrypted Mac computer
- A USB thumbdrive for dead booting
- A storage drive (USB3 External)
Course Goals
By the end of this course, students should be able to:
- Identify a BitLocker’d or FileVault’d disk by signature
- Acquire a FileVault’d Mac with Evimetry
- Use Mount Image Pro to decrypt Windows and Mac encrypted volumes
Syllabus
- Introduction
- Introduction
- Getting the Bitlocker Recovery Key
- Handling BitLocker and FileVault 2: Evimetry and Mount Image Pro
- Evimetry for a Filevault'd Mac
- Decrypting an Image Using Mount Image Pro
- Mount Image Pro Decryption Summary
- Conclusion
- Course Summary
Taught by
Brian Dykstra