Acquisition Method
Below is a list of procedures for creating forensic images of computers.
Encryption Detection (EDD.exe)
A good practice is to check for encryption before performing an acquisition, to avoid running into trouble later.
One good tool for this task is EDD.exe (Encrypted Disk Detector) by Magnet Forensics.
Just run EDD.exe and it will tell you which volumes are encrypted.

Memory Acquisition (FTK Imager Lite)
File > Capture Memory

FTK Imager on Linux
Copy the FTK Imager binary to /usr/local/bin so that it can be run from anywhere
Mount the disk where the image files are going to be stored
Run the following command
FastBloc SE
Make sure no devices are attached (or only your storage device is attached)
Tools > FastBloc SE > Write Blocked
Attach the target device to the system
In EnCase, either create a new case or open an existing one
Add Evidence > Add Local Device
On the page that follows, accept the defaults and click Next. On the screen that follows, you will see a dot or Yes in the Write Blocked column, and the icon for the device will have a green box around it, both indicating a successful write block.
Select the write-blocked target device (blue check) > Finish > double click the evidence > Acquire

After the acquisition has finished > physically remove the device > stop the write-blocking software in EnCase (Tools > FastBloc SE > Clear All)
Tableau Write Blocker
Connect the target disk to the write blocker
In EnCase, either create a new case or open an existing one
Add Evidence > Add Local Device
Select the device that is write-blocked
In the Evidence tab, right-click the item you would like to acquire > Process Evidence > Acquire

Tableau Duplicator
LinEn (Linux)
Attach the target drive to the Linux imaging platform
Attach the storage drive (FAT32) to the Linux imaging platform
Boot your Linux machine to console and log in as root
Check what file systems are mounted
Check what devices are available
Mount your storage drive and check that the storage drive is mounted
Create the folder on your storage volume to hold the EnCase evidence file
Go to the LinEn directory and run LinEn
Press A (or use the Tab key to move to Acquire) and press Enter, then select your drive and press Enter
Choose the path for your evidence file and prefix it with the mount path, e.g. /case/casename/evidence becomes /mnt/winfat/cases/casename/evidence/XXX001
Guymager (Caine OS)
Insert the CAINE OS USB into the target machine, boot from the BIOS (F2) and select the USB as the boot drive
After startup, connect the storage hard disk to the target machine
Create a mount point for the storage hard disk
Mount the storage drive in RW mode
Open Guymager and select Calculate MD5 and Verify image after acquisition (takes about twice as long)
Click OK to start the acquisition
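The storage-side preparation that the FTK Imager on Linux, LinEn and Guymager procedures above share (list mounts and devices, mount the storage drive read-write, verify the mount, create the case folder and build the evidence prefix) can be scripted so it is done the same way every time. The script below is an added example, not part of the original notes or of any of those tools; the storage partition /dev/sdb1, the mount point /mnt/winfat and the cases/casename/evidence layout are assumed values taken from the LinEn example path. Only the storage volume is ever mounted; the target drive is never touched.

```shell
#!/bin/sh
# Added example, not part of the original notes: prepare the storage volume
# that will receive the evidence file before running LinEn, Guymager or the
# FTK Imager command-line tool. Only the storage drive is mounted (read-write);
# the target (suspect) drive is never mounted here at all.
#
# Assumed (hypothetical) defaults: storage partition /dev/sdb1 formatted FAT32,
# mount point /mnt/winfat, evidence tree <mount>/cases/<case>/evidence/<id>.

STORAGE_DEV="${STORAGE_DEV:-/dev/sdb1}"
MOUNT_POINT="${MOUNT_POINT:-/mnt/winfat}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"   # overridable so the logic can be checked offline

# "Check what file systems are mounted" and "check what devices are available".
show_state() {
    echo "== mounted file systems =="
    cat "$MOUNTS_FILE"
    echo "== block devices =="
    if command -v lsblk >/dev/null 2>&1; then
        lsblk -o NAME,SIZE,TYPE,FSTYPE,MOUNTPOINT
    else
        cat /proc/partitions
    fi
}

# Exit 0 when $1 is listed as a mount point (field 2 of /proc/mounts).
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

# Build the evidence file prefix in the form the LinEn note shows:
# /mnt/winfat/cases/casename/evidence/XXX001
evidence_prefix() {   # usage: evidence_prefix MOUNT_POINT CASENAME EVIDENCE_ID
    printf '%s/cases/%s/evidence/%s\n' "$1" "$2" "$3"
}

# Mount the storage drive read-write (FAT32 = vfat), verify that the mount
# took, and create the case folder. Returns non-zero if anything is off.
prepare_storage() {   # usage: prepare_storage CASENAME EVIDENCE_ID
    mkdir -p "$MOUNT_POINT" || return 1
    if ! is_mounted "$MOUNT_POINT"; then
        mount -t vfat -o rw "$STORAGE_DEV" "$MOUNT_POINT" || return 1
    fi
    is_mounted "$MOUNT_POINT" || { echo "storage not mounted at $MOUNT_POINT" >&2; return 1; }
    prefix=$(evidence_prefix "$MOUNT_POINT" "$1" "$2")
    mkdir -p "$(dirname "$prefix")" || return 1
    echo "evidence prefix: $prefix"
}

# Run as root on the imaging box, e.g.: sh prepare_storage.sh casename XXX001
if [ "$#" -ge 2 ]; then
    show_state
    prepare_storage "$1" "$2"
fi
```

The printed evidence prefix is what you type into LinEn's path prompt or Guymager's image directory field; prepare_storage refuses to continue if the storage volume is not actually listed in /proc/mounts, which catches the common mistake of writing the image into the empty mount-point directory on the boot medium.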

Convert a hibernation file to a memory dump
A hibernation file is stored in C:\hiberfil.sys if you have hibernation enabled. It contains parts of the memory at the time of hibernation, depending on the version of Windows. Run this to convert it to a raw image for further processing with Volatility.
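Before converting a copy of hiberfil.sys it is worth checking whether it actually holds a usable snapshot, and recording its size and hash for the case notes. The script below is an added example, not part of the original notes or of Volatility. It assumes (this is not stated on the page) that the first four bytes of the file carry the PO_MEMORY_IMAGE signature: "hibr" or "HIBR" while the machine is hibernated, "wake" or "RSTR" once it has resumed (contents may be stale), and all zeros when the file has been cleared, for example after a normal shutdown.

```shell
#!/bin/sh
# Added example, not part of the original notes: triage a copy of hiberfil.sys
# before converting it, so you know whether it holds a usable memory snapshot.
#
# Assumption (not stated on the page): the first four bytes carry the
# PO_MEMORY_IMAGE signature, "hibr"/"HIBR" while hibernated, "wake"/"RSTR"
# after resume (contents may be stale), all zeros when the file was cleared.

# Print the state derived from the 4-byte signature of FILE.
hiberfil_state() {   # usage: hiberfil_state FILE
    sig=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    if [ "${#sig}" -ne 8 ]; then
        echo truncated
        return
    fi
    case "$sig" in
        68696272|48494252) echo hibernated ;;   # "hibr" / "HIBR"
        77616b65|52535452) echo resumed ;;      # "wake" / "RSTR"
        00000000)          echo cleared ;;
        *)                 echo unknown ;;
    esac
}

# Exit 0 only for a state whose header the converter can parse.
worth_converting() {   # usage: worth_converting STATE
    [ "$1" = hibernated ]
}

# Record size, page alignment (4096-byte pages), state and SHA-256 for the
# chain-of-custody notes. Hash first, before any tool touches the file.
triage_hiberfil() {   # usage: triage_hiberfil FILE
    size=$(wc -c < "$1" | tr -d ' ')
    state=$(hiberfil_state "$1")
    if [ $((size % 4096)) -eq 0 ]; then aligned=yes; else aligned=no; fi
    if worth_converting "$state"; then convert=yes; else convert=no; fi
    if command -v sha256sum >/dev/null 2>&1; then
        hash=$(sha256sum "$1" | cut -d' ' -f1)
    else
        hash=$(shasum -a 256 "$1" | cut -d' ' -f1)
    fi
    printf 'file=%s size=%s page_aligned=%s state=%s convert=%s sha256=%s\n' \
        "$1" "$size" "$aligned" "$state" "$convert" "$hash"
}

# Usage: sh triage_hiberfil.sh /mnt/evidence/hiberfil.sys
if [ "$#" -ge 1 ]; then
    triage_hiberfil "$1"
fi
```

A "resumed" or "cleared" result does not mean the file is worthless (stale pages may still be carved), only that the header-driven conversion will not give you a coherent memory image; a size that is not a multiple of 4096 is a sign that the copy was truncated.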
Remote Acquisition
F-Response
Tactical
Consultant + Covert