AccessData. Triage. Quick Start Guide. Published: December 2011





Legal Information

2011 AccessData Group, LLC. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

AccessData Group, LLC makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, AccessData Group, LLC reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, AccessData Group, LLC makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, AccessData Group, LLC reserves the right to make changes to any and all parts of AccessData software, at any time, without any obligation to notify any person or entity of such changes.

You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.

AccessData Group, LLC.
384 South 400 West Suite 200
Lindon, Utah 84042 U.S.A.
www.accessdata.com

AccessData Trademarks and Copyright Information

AccessData is a registered trademark of AccessData Group, LLC. Distributed Network Attack is a registered trademark of AccessData Group, LLC. DNA is a registered trademark of AccessData Group, LLC. Forensic Toolkit is a registered trademark of AccessData Group, LLC. FTK is a registered trademark of AccessData Group, LLC. Password Recovery Toolkit is a registered trademark of AccessData Group, LLC. PRTK is a registered trademark of AccessData Group, LLC. Registry Viewer is a registered trademark of AccessData Group, LLC.

A trademark symbol (®, ™, etc.) denotes an AccessData Group, LLC trademark. With few exceptions, and unless otherwise notated, all third-party product names are spelled and capitalized the same way the owner spells and capitalizes its product name. Third-party trademarks and copyrights are the property of the trademark and copyright holders. AccessData claims no responsibility for the function or performance of third-party products.

Third party acknowledgements:
FreeBSD Copyright 1992-2011. The FreeBSD Project.
AFF and AFFLIB Copyright 2005, 2006, 2007, 2008 Simson L. Garfinkel and Basis Technology Corp. All rights reserved.
Copyright 2005-2009 Ayende Rahien

AD Triage Quick Start Guide

AD Triage is designed to collect and review data/artifacts from a live or powered-down target system and facilitate the transfer of that data to an administrator system. An AD1 logical image of the system's artifacts can then be written to the destination of your choice. From there, the data can be decrypted and imported into the administrator's interface for further review and reporting, or can be consumed by FTK for more advanced analysis.

This guide is designed to walk you through a basic workflow of the Triage system. This is not a comprehensive guide, but an abbreviated guide for common tasks. See the AccessData Triage User Guide for a complete description of AD Triage features.

Installing AD Triage

Before you install AD Triage, you must have the following items:
- A CodeMeter dongle that is licensed for AD Triage and plugged into the Admin machine
- CodeMeter Runtime 4.2 installed on your system
- Microsoft .NET 3.5 SP1

To install AD Triage Admin
1. Insert the installation disk into the CD/DVD drive.
2. In the autorun, click Install Triage Admin.
3. Follow the installation wizard, allowing default folders and options.

Licensing a USB Device

To collect data from a target system, you must create a Triage USB device with a Triage profile on it. Before you can apply a profile to a device for collection, you must first license the device. You can use one license per device and one profile per device.

To license a USB device
1. Select Start > Programs > AccessData > Triage > Triage Admin.

FIGURE A-1 Triage Admin Console Admin Tab
2. Attach the USB device (minimum 400 MB).
3. Select the Admin tab and then click Manage Licenses.
FIGURE A-2 Manage Licenses Dialog
4. Select the USB device from the Unlicensed Devices pane and click License Device.

FIGURE A-3 Format Triage Device Dialog
5. Label and format the USB device.
Note: Formatting the device will erase all data currently on the device.
The device appears in the Licensed Devices pane of the Manage Licenses dialog.
6. Close the Manage Licenses dialog.

Creating a Standard Triage USB Device
1. In the Admin console, click the Devices tab.
2. Click the Standard Triage Device button.

FIGURE A-4 Default Collector Wizard
3. Enter a Case Name, select the USB device, and click Finish.
4. Your USB device is now ready for use; click OK.

Creating a Custom USB Device

To create a custom Triage USB device, you must first create a custom profile with the filters and actions that you want the collector to perform. Then, you must apply that profile to the USB device.

Creating a Custom Profile

To create a custom profile
1. Open the AD Triage Admin main window and select the Configure tab.

FIGURE A-5 AD Triage Admin Main Window Configure Tab
2. Click Manage Profiles.
3. In the Profiles dialog, click New Profile.
4. In the Custom Profile Wizard, click Next.
5. In the Profile Name screen, enter a Name and Description for the profile and then click Next.
FIGURE A-6 Custom Profile Wizard Standard Actions Screen
6. In the Standard Actions screen, check the actions from the default list that you want the profile to perform during collection and then click Next.
Note: Actions that can be performed only on a live system are listed as (LIVE). All other actions can be performed on either a live system or a shutdown system.
Example: If you wanted to search for memory and network items on a live system, you would check (LIVE) Memory Dump under the System check box, then (LIVE) Network Adapters and (LIVE) Network Connections under the Network check box.
Note: All standard actions are selected by default.

FIGURE A-7 Custom Profile Wizard Custom File Filters Screen
7. In the Custom File Filters screen, click Create Your Own Filter to create your own custom filter.
8. In the Custom Filter Wizard, click Next.
9. In the Filter Name screen, enter a Name and Description for the filter and then click Next.
FIGURE A-8 Custom Filter Wizard Select Criteria Screen
10. In the Select Criteria screen, check the types of groups you want included in your custom filter and then click Next.

FIGURE A-9 Custom Filter Wizard Groups Screen
11. Depending on the groups that you checked, the next screen allows you to add the specific criteria for each group to the custom filter. The following screens may appear:
- Keyword
- Hash
- Regular Expression
- File Size
  Note: When applying a File Size filter, the filter will search on the Size on Disk file capacity rather than the Size capacity when collecting data. Increase the size of your file search accordingly to accommodate this.
- Date Time
- Extensions
- Path
- Illicit Images
Note: Multiple conditions added under a single group name are considered as an OR condition. Each separate group name added is considered as an AND condition.
Example 1: If you wanted to create a filter that searches for .doc files created in the last week, you would perform the following actions:
11a. In the Select Criteria screen, check Date Time and Extensions and then click Next.
11b. In the File Date screen, select File created within a week, click Add Existing Filter, and click Next.
11c. In the File Extension screen, select File is a user created file, click Add Existing Filter, and click Next.
Example 2: If you wanted to create a filter that searches for image files in the user's home directory, you would perform the following actions:
11a. In the Select Criteria screen, check Extensions and Path and then click Next.
11b. In the File Extension screen, select File is a picture, click Add Existing Filter, and click Next.

11c. In the File Path screen, select File resides in user's home directory, click Add Existing Filter, and click Next.
12. Add your criteria for each group and click Next until you reach the Review Custom File Filter Constraints screen.
13. Click Finish.
14. Click OK. You are returned to the Custom File Filters screen.
15. Check the custom filters that you want to add to the profile and then click Next.
FIGURE A-10 Custom Profile Wizard Review Selections Screen
16. In the Review Selections screen, review the actions you have selected to ensure that you want them applied to the profile. If you want to remove any of the actions, highlight the item and click the Remove button.
17. Click Finish and click Yes to the message that appears.

Applying a Custom Profile to a USB Device

After you have created your custom profile, you need to apply the profile to your USB device in order for the device to perform your specified actions during collection.

To create a custom USB device
1. In the Admin console, click the Devices tab.
2. Click the Custom Triage Devices button.
3. In the Custom Collector Wizard Welcome screen, click Next.

FIGURE A-11 Custom Collector Wizard Select Profile Screen
4. In the Select Profile screen, select the profile that you want to use during collection and click Next.
FIGURE A-12 Custom Collector Wizard Select Triage Device Screen
5. In the Select Triage Device screen, enter a Case Name and Agent Name for the device.
6. Select the USB device that you want to make into a Triage device.
Note: If you do not see the device that you are looking for, ensure that the device is attached to the computer. Then, ensure that the device is licensed.

7. Check Auto-start collection if you want Triage to automatically collect data on the target system upon start-up.
8. Check Auto-export if you want Triage to automatically export collected data to the USB device.
9. Check Include File Slack Space to include slack space on files during collection.
10. Check Include Deleted Files to include deleted files during collection.
11. Click Next.
FIGURE A-13 Custom Collector Wizard Finished Screen
12. Click Finish.

Collecting Data from a Target System

You can collect data from a shutdown target system or a live system. This section describes both methods.

To collect data from a shutdown system
1. Power on the target system and use the keyboard hotkey to boot into the BIOS configuration utility (typically F2 or DEL on most systems).
2. Configure the boot priority of the devices in the BIOS so that it will check for boot devices in this order:
- CD/DVD
- Removable (aka USB)
- Hard Disk Drive (HDD) and other boot devices, in any order after that
3. Exit the BIOS configuration utility and save your changes. The system should restart at this point. The AD Triage Agent interface opens.

FIGURE A-14 Agent Interface Window
4. If you did not select Auto-Collect or Auto-Export when you created your Triage USB device, click the play button to collect data. When collection is complete, the play button becomes a check mark.
5. Click the Evidence tab, ensure the evidence that you want to export is checked in the Pending Evidence pane, and click Export. Collected data is exported to the USB device. Data that was successfully exported appears in the Successfully Exported pane. When all the evidence has been exported, the Evidence tab appears in green.
6. Click Exit and shut down the system.
7. Remove the USB device.

To collect data from a live system
1. Insert the Triage USB device into the target system.
2. In the Windows prompt, select to run AD Triage.
3. If you did not select Auto-Collect or Auto-Export when you created your Triage USB device, click the play button to collect data. When collection is complete, the play button becomes a check mark.

4. Click the Evidence tab, ensure the evidence that you want to export is checked in the Pending Evidence pane, and click Export Now! Collected data is exported to the USB device. Data that was successfully exported appears in the Successfully Exported pane. When all the evidence has been exported, the Evidence tab appears in green.
5. Click Exit.
6. Remove the USB device.

Saving, Reviewing, and Exporting Collected Data

After you have collected data from a target system, you must bring that data into the Admin console in order to review or export it.

To save, review, and export collected data
1. Attach the USB device to the Admin system.
2. Launch the Triage Admin window, select the Devices tab, and click Manage Triage Devices.
FIGURE A-15 Manage Triage Devices
3. Select the case from the Profile on Triage Device pane and click Save Collection. The collection is saved in the AD Triage files.
4. Close the dialog.
5. Select the Admin tab and click Manage Saved Collections.

FIGURE A-16 Manage Collections Dialog
6. Select the collection from the Collection pane; use the History Filtering options to find the collection if needed.
7. Click Review Collection to review the collection data and generate reports.

FIGURE A-17 Recover Evidence
8. Close the Recover Evidence dialog when you have finished reviewing the data and generating reports.
9. In the Manage Collections dialog, select the collection again and click Export Collection.
10. Browse to the location where you want to export the data and click OK.
11. Click Yes and then OK.
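The custom filter rules in the Custom File Filters steps (OR within a criteria group, AND across groups, and File Size matching on Size on Disk rather than Size) are easy to get wrong when planning a collection. The following Python model is an added example, not AccessData code; the cluster size, the sample file listing and the Windows profile paths it assumes are constructed for illustration.

```python
"""Model of the custom-filter semantics from the Custom File Filters steps.
Added example, not AccessData code.  Conditions inside one criteria group
(Extensions, Path, Date Time, File Size) are OR-ed; the groups are AND-ed.
File Size matches on size on disk (allocated clusters), not the logical byte
count, which is why the guide says to enlarge size filters."""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta

CLUSTER_BYTES = 4096  # assumed cluster size; the real value depends on the volume


@dataclass
class FileRecord:
    path: str
    size: int           # logical size in bytes ("Size")
    created: datetime

    def size_on_disk(self) -> int:
        # "Size on Disk": logical size rounded up to whole clusters
        return math.ceil(self.size / CLUSTER_BYTES) * CLUSTER_BYTES


# Condition constructors; each returns a predicate over a FileRecord.
def has_extension(*exts):
    exts = tuple(e.lower() for e in exts)
    return lambda f: f.path.lower().endswith(exts)


def in_user_home(f):
    # "File resides in user's home directory"; Windows profile roots assumed
    p = f.path.lower().replace("\\", "/")
    return p.startswith("c:/users/") or p.startswith("c:/documents and settings/")


def created_within(days, now):
    return lambda f: f.created >= now - timedelta(days=days)


def size_on_disk_at_most(limit):
    return lambda f: f.size_on_disk() <= limit


def adjusted_limit(limit):
    """Raise a logical-size limit to the next cluster boundary, as the guide advises."""
    return math.ceil(limit / CLUSTER_BYTES) * CLUSTER_BYTES


def matches(record, groups):
    """groups maps a criteria group name to its conditions: OR within, AND across."""
    return all(any(cond(record) for cond in conds) for conds in groups.values())


def run_filter(records, groups):
    """Return the paths a profile built from these groups would collect."""
    return [r.path for r in records if matches(r, groups)]


# Constructed sample metadata standing in for a target system's file listing.
NOW = datetime(2011, 12, 15, 12, 0)
SAMPLE = [
    FileRecord(r"C:\Users\alice\Documents\memo.doc", 12_000, NOW - timedelta(days=2)),
    FileRecord(r"C:\Users\alice\Pictures\holiday.jpg", 2_000_000, NOW - timedelta(days=40)),
    FileRecord(r"C:\Windows\System32\readme.doc", 4_500, NOW - timedelta(days=1)),
    FileRecord(r"C:\Users\bob\old.doc", 500, NOW - timedelta(days=30)),
]

# Example 1 from the guide: .doc files created in the last week.
EXAMPLE1 = {"Date Time": [created_within(7, NOW)], "Extensions": [has_extension(".doc")]}
# Example 2 from the guide: picture files in a user's home directory.
EXAMPLE2 = {"Extensions": [has_extension(".jpg", ".png", ".gif")], "Path": [in_user_home]}
```

Calling run_filter(SAMPLE, {"File Size": [size_on_disk_at_most(5_000)]}) drops the 4,500-byte readme.doc because it occupies 8,192 bytes on disk; passing adjusted_limit(5_000) instead keeps it.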