Hello, and welcome back to Course Seven, Module Three of the computer forensics path. In this module, we're going to discuss live imaging and forensic boot media.

Live imaging. Why would we need to live image? Well, we could be dealing with an encrypted drive, or an encrypted volume, or just some encrypted files that may be open in RAM currently that we want to create a logical image of. We would also want to collect RAM, but collecting RAM and live imaging are not the same thing. Another reason why we may need to live image is that the system can't be shut down. When we are doing live imaging, we are getting a logical image of a logical volume or a logical drive. You're not getting that full disk image from sector zero all the way to the end of the disk. We're going to run our imaging software from an external drive. We're not going to run our imaging software from the suspect's computer. You would use something like FTK Imager Lite on a thumb drive, and there are other imaging software packages that we can use. We're going to send that image that we've created to an external, sterilized target media, which we are then going to take with us from the scene. We want to make sure that our target media is large enough to contain all the data that we want to put on it. And again, the reasons we would do this are if the hard drive is not removable, or we had some type of encryption. The Surface Pro and MacBook would be examples of computers where the hard drives are not removable; the chips are soldered to the board, and I think we're going to see more and more of this. So live imaging, I think, is going to become something of a standard practice.

Dead box forensics: this is if you find the computer off, or when you perform a normal shutdown after you've collected RAM. You would remove the hard drive, attach the hard drive to your write blocker, and you would have tested and validated your write blocker prior to going on your search warrant.
Then you're going to attach your write blocker to your forensic computer, and then you're going to copy your evidence to sterile target media. And when I say sterile target media, I mean media that is wiped and confirmed to be wiped, not something that you ran a format on. And just because you buy a brand-new disk out of the box does not mean it is completely clean. You need to wipe the media with something like KillDisk, and then check and verify that it is indeed completely wiped with some type of algorithm, not by visually looking at it, because you could miss something.

Forensic boot media: this is a little different than dead box forensics and a little different than the other method of live imaging I just described, where we would use FTK Imager from a thumb drive. Forensic boot media is when the computer is either off or has gone through a normal shutdown. We are going to reboot this computer into a forensic environment, and that is usually some type of modified Linux operating system, with the exception of Windows Forensic Environment. WinFE is not a Linux distribution, but we can see the other software listed on the screen: Paladin, CAINE, Helix, and Penguin Sleuth are all some type of modified Linux distribution. When you are booting from forensic boot media, you want to make sure you do some research on the computer that you're going to be booting up. You need to find out which key will get you into the BIOS so you can change the boot order, because if you don't do that and you just boot up normally, and the boot order says boot from the hard drive first and your external media second, you're going to boot into the operating system and you're going to be making changes to that evidence. And this is what we call stepping on the evidence. We've all done it, but we really try not to. Now, you want to make sure you do this correctly so you don't step on the evidence.
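The wipe check the lecture calls for (verify the target media with an algorithm, not by eye), as an added example that is not part of the original course material: it opens the device or image file read-only, scans every byte, and reports the first non-zero offset, so a "sterile" target that still carries residue from a previous job is caught before evidence is copied onto it. The device path on the command line is an assumption; pass whatever path your system exposes.

```python
"""Verify that target media is actually sterile (every byte zero) by
scanning it end to end rather than eyeballing a hex view."""
import hashlib
import io
import sys
from dataclasses import dataclass
from typing import BinaryIO, Optional

CHUNK = 4 * 1024 * 1024  # read in 4 MiB chunks so large disks stream


@dataclass
class WipeReport:
    bytes_checked: int                 # total bytes read from the media
    first_dirty_offset: Optional[int]  # None when every byte is zero
    sha256: str                        # hash of the bytes as read, for the notes

    @property
    def is_sterile(self) -> bool:
        return self.first_dirty_offset is None


def verify_wiped_stream(stream: BinaryIO) -> WipeReport:
    """Scan an open read-only stream; record where the first residue appears."""
    offset = 0
    first_dirty = None
    digest = hashlib.sha256()
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        digest.update(chunk)
        if first_dirty is None and chunk.count(0) != len(chunk):
            # Locate the exact byte so the report says where the residue starts.
            first_dirty = offset + next(i for i, b in enumerate(chunk) if b)
        offset += len(chunk)
    return WipeReport(offset, first_dirty, digest.hexdigest())


def verify_wiped_bytes(data: bytes) -> WipeReport:
    """Convenience wrapper for in-memory data (used for self-checks)."""
    return verify_wiped_stream(io.BytesIO(data))


def verify_wiped(path: str) -> WipeReport:
    """Open the device or image read-only so the check can never write to it."""
    with open(path, "rb", buffering=0) as f:
        return verify_wiped_stream(f)


if __name__ == "__main__":
    r = verify_wiped(sys.argv[1])  # e.g. /dev/sdX (assumed path, yours will differ)
    print("sterile" if r.is_sterile else f"residue at offset {r.first_dirty_offset}",
          r.bytes_checked, r.sha256)
```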
If you do this correctly, this is a forensically sound method of creating a full disk image or a logical image; you can do either here. Again, the computer must be shut down and rebooted, so this is not collecting RAM, because if you shut down and reboot it, you've lost your RAM. You must change the boot order of the system. Again, you're going to want to find out what key will get you into the BIOS so you can change the boot order to boot from external media. Done correctly, this makes no changes to the original evidence, it is forensically sound, and it will give you the ability to create a forensic image.

Now, coming up with Windows 8, once we got that far down the road, something called UEFI came into play, along with Secure Boot. Unified Extended Firmware Interface is what UEFI stands for. But Secure Boot and UEFI prevent the operating system from booting to external media, because Secure Boot means it can only boot from a signed operating system. So only signed operating systems can boot, so when you try to boot from your forensic boot media, it's going to say no. Now, there is a workaround here: you must go into the BIOS. So again, you have to know what the BIOS key is, and you're going to have to do some research. You need to go in there and change the settings to allow the computer to boot from removable media. So we have to disable Secure Boot and enable legacy boot. To do this, again, we have to get access to the Unified Extended Firmware Interface to change these settings, and we would do that through the BIOS.

This is an example of a screenshot of Paladin. So this is what it will look like when we successfully boot into that forensic media, in this case Paladin. You can see on the left-hand side of the slide it has Imager and Find; it also shows us Unallocated, and Disk Manager will show you all the drives attached to the computer. So you can choose which drive you want to image as your source, and you can see at the top here it's the source, and we can see the dev in the file path.
And that's going to tell us we're looking at some type of Linux. And then you're selecting the image type, and then you would select a destination: where is the image going to? And then you would label the image with the created name. So we have our source; you have to know where the source is, and you have to know where your destination is going to be. Now, your source should be something on the suspect's computer or something attached to the suspect's computer. Your destination drive is going to be some form of removable media attached to your forensic machine. Just make sure you're aware of that, and you're not imaging your own C drive, and you're not copying the image to the suspect's computer. There's also a Find feature, which we did see; you could use the Find feature to search for certain keywords if you had keywords that you know in your case. In this case, the keyword was "bad stuff," and this shows you the device that you're searching. You just put a little check mark in the box, and then you select Find.

This brings us to the end of Course Seven. In Course Eight, we're going to discuss the FAT file system.