Handling BitLocker and FileVault 2: Evimetry and Mount Image Pro
Offered By: Cybrary
Course Description
Overview
During the course we will collect a FileVault 2 encrypted MacBook Air in minutes without breaking a sweat using Evimetry. Once we have a series of fully encrypted forensic images will use GetData Mount Image Pro to decrypt our forensic images and make the data available for further forensic analysis.
Prerequisites
- Before any forensic acquisition you must document the evidence
- See my Cybrary course: “Evidence Handling: Do it the Right Way”
- See my Cybrary course: “Basic Evimetry Deadboot Forensic Acquisition: Wired & Local”
- A full-featured, evaluation copy of Evimetry
- An evaluation copy of Mount Image Pro
- Internet connected computer
- An encrypted Mac computer
- A USB thumbdrive for dead booting
- A storage drive (USB3 External)
Course Goals
By the end of this course, students should be able to:
- How to identify a BitLocker’d or FileVault’d disk by signature
- Acquire a FileVault’d Mac with Evimetry
- Use Mount Image Pro to decrypt Windows and Mac encrypted volumes
Syllabus
- Introduction
- Introduction
- Getting the Bitlocker Recovery Key
- Handling BitLocker and FileVault 2: Evimetry and Mount Image Pro
- Evimetry for a Filevault'd Mac
- Decrypting an Image Using Mount Image Pro
- Mount Image Pro Decryption Summary
- Conclusion
- Course Summary
Taught by
Brian Dykstra
Related Courses
Foundations of Computer Science for TeachersThe University of Texas at Austin via edX Computer Forensics
Rochester Institute of Technology via edX FinTech Security and Regulation (RegTech)
The Hong Kong University of Science and Technology via Coursera Cyber Security
CEC via Swayam Fundamentos de Ciberseguridad: un enfoque práctico
Inter-American Development Bank via edX