3.3.6. Add a Disk Image

You can import a Windows disk image into the system, which is useful if a full disk image of the system has already been acquired.

Note

Linux disk images are not supported. Linux is supported via UAC only.

Supported disk image formats:

  • Raw Single (*.img, *.dd, *.raw, *.bin)

  • Raw Split (*.001, *.aa)

  • EnCase (*.e01)

  • Virtual Machine Disk (*.vmdk)

  • Virtual Hard Disk (*.vhd, *.vhdx)

Watch the Cyber Triage Basics Course Disk Image video on this technique.

To import data from a disk image:

  1. Choose the Disk Image button from the Add New Host area.

../../_images/import_add_disk.png

  2. Enter a display name for the host (it can be the host name or something more descriptive).

  3. Browse to your image file.

  4. If BitLocker is detected, you will be prompted to enter the password or recovery key. Cyber Triage will automatically attempt to decrypt BitLocker using the clear key.

../../_images/import_add_disk_bl.png

  5. Press Continue to then configure which data types to collect (see Data Collection Types) and the malware settings (see Ingest-Time Settings).

After collection has started, proceed to Host-level Examination for an overview of the analysis techniques.
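Before pointing the tool at an image, it is worth confirming two things the steps above depend on: that the file is in one of the supported formats (and, for a split raw image, that no segment is missing), and whether the image holds a BitLocker-encrypted volume so the password or recovery key is at hand when the prompt appears. The following script is an added example and is not Cyber Triage code; it only understands MBR-partitioned raw images (GPT is not parsed), identifies BitLocker by the "-FVE-FS-" OEM identifier at offset 3 of a volume boot sector, and builds a constructed two-sector sample image inline so it runs offline.

```python
"""Pre-import checks for a Windows disk image (added example, not Cyber Triage code)."""
import re
import struct

# Extensions taken from the supported-format list in the documentation.
FORMATS = {
    "raw": {".img", ".dd", ".raw", ".bin"},
    "encase": {".e01"},
    "vmdk": {".vmdk"},
    "vhd": {".vhd", ".vhdx"},
}
# Split raw segments: numeric (.001, .002, ...) or alphabetic (.aa, .ab, ...).
# The alphabetic form is ambiguous on its own, so the named formats are checked first.
SPLIT_RE = re.compile(r"\.(\d{3}|[a-z]{2})$", re.IGNORECASE)

SECTOR = 512
BITLOCKER_OEM = b"-FVE-FS-"   # OEM ID of a BitLocker-encrypted fixed volume


def classify_image(filename):
    """Return the format family of a file name, or None if it is not an image we expect."""
    name = filename.lower()
    for fmt, exts in FORMATS.items():
        if any(name.endswith(e) for e in exts):
            return fmt
    if SPLIT_RE.search(name):
        return "raw-split"
    return None


def _segment_index(ext):
    """Map a segment extension to a zero-based index: '001' -> 0, 'aa' -> 0, 'ab' -> 1."""
    if ext.isdigit():
        return int(ext) - 1
    return (ord(ext[0]) - 97) * 26 + (ord(ext[1]) - 97)


def _index_to_alpha(i):
    return chr(97 + i // 26) + chr(97 + i % 26)


def missing_split_segments(filenames):
    """Given the file names in a directory, list the split-image segments that are absent."""
    groups = {}
    for f in filenames:
        m = SPLIT_RE.search(f)
        if not m:
            continue
        groups.setdefault(f[:m.start()], []).append(m.group(1).lower())
    missing = []
    for base, exts in groups.items():
        numeric = exts[0].isdigit()
        seen = {_segment_index(e) for e in exts}
        for i in range(max(seen) + 1):
            if i not in seen:
                missing.append(base + "." + (f"{i + 1:03d}" if numeric else _index_to_alpha(i)))
    return sorted(missing)


def mbr_partitions(image):
    """Return (start_lba, size_in_sectors) for each used entry of a classic MBR table."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        return []
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start, size = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and size:
            parts.append((start, size))
    return parts


def bitlocker_volumes(image):
    """Return the start LBA of every partition whose boot sector carries the BitLocker OEM ID."""
    found = []
    for start, _ in mbr_partitions(image):
        off = start * SECTOR
        vbr = image[off: off + SECTOR]
        if len(vbr) == SECTOR and vbr[3:11] == BITLOCKER_OEM:
            found.append(start)
    return found


def build_sample_image():
    """Constructed sample: an MBR with one partition at LBA 1 whose VBR is BitLocker-signed."""
    mbr = bytearray(SECTOR)
    # bootable flag, zeroed CHS fields, type 0x07, start LBA 1, size 1 sector
    mbr[446:462] = struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 1, 1)
    mbr[510:512] = b"\x55\xaa"
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x58\x90"      # jump instruction found at the start of NTFS/BitLocker VBRs
    vbr[3:11] = BITLOCKER_OEM
    vbr[510:512] = b"\x55\xaa"
    return bytes(mbr + vbr)


if __name__ == "__main__":
    print(classify_image("host.E01"), missing_split_segments(["disk.001", "disk.002", "disk.004"]))
    print("BitLocker partitions at LBA:", bitlocker_volumes(build_sample_image()))
```

To run the BitLocker check against a real raw image, read the first few megabytes of the file into `bitlocker_volumes` rather than the whole image; only the MBR and each partition's first sector are inspected. EnCase, VMDK and VHD containers wrap the raw sectors, so the check would need a library that exposes the decoded sector stream before it applies to them.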

There are some special considerations for disk images:

  • Not all files will be analyzed after importing the disk image. Only the files that the Collector selects are analyzed (malware scanned, for example). You will still have access to all content as long as the disk image remains accessible: some files are imported directly into Cyber Triage, but most are available only from the disk image.

  • During ingest, some files will be extracted from the disk image into the temp folder in your Data Directory (see Changing Where Data is Stored). This can cause local antivirus to flag those files, so you should add this folder to the exclusion (allow) list of your AV/EDR.

  • If you are using the Team version of Cyber Triage, then the client will do the parsing of the disk image and send the results to the server. The client must continue to run until the disk image has been parsed.

3.3.6.1. Process Disk Image on Server

If you have a Team deployment, you can choose to have the server parse the disk image and extract the artifacts. Typically this is done on a client, and it can be time-consuming if you have several images queued up.

If you select to have the Server process the image, then the path supplied must also exist on the Server. That path will be sent to the server so that it can access it when scheduled.

../../_images/import_add_disk_server.png