Introduction to Evimetry: the Controller

The course introduces Evimetry “blessed” data storage drives and the difference between block-hash and traditional linear hashing for forensic images. It’s time to step up your forensic acquisition game with Evimetry. Come Run With Us.

Prerequisites

• Have an internet-connected computer
• An “evidence drive”
• A storage drive (USB3 External)
• A hardware write-block if you are planning on doing real evidence collection
• Before any forensic acquisition you must document the evidence
• See my Cybrary course: “Evidence Handling: Do it the Right Way”
• You can get a full featured evaluation copy of Evimetry at https://my.evimetry.com/enquiry/eval
• Understand Advanced Acquisition & Live Analysis with the AFF4: https://my.evimetry.com/assets/docs/Advanced%20A&A%20AFF4-PUBLIC.pdf

Course Goals

By the end of this course, students should be able to:

• Understand the basic layout of the Evimetry Windows Controller
• Differentiate Evidence drives vs. “Blessed” drives
• Understand how to perform a full linear, forensic acquisition with Evimetry
• Recognize the different options for performing allocated only, allocated and remainder, non-linear partial or live disk access

• Module 1: Introduction
• 1.1 Introduction
• 1.2 The Evimetry Stack and Controller Walkthrough
• Module 2: Forensic Acquisition with Evimetry
• 2.1 Creating a "Blessed" Storage Drive
• 2.2 Evimetry Acquisition Modes Part 1
• 2.3 Evimetry Acquisition Modes Part 2: Block Hash vs. Linear Hash
• Module 3: Conclusion
• 3.1 Course Summary