3.3.10. Add a Local Windows DiskΒΆ

You can analyze a mounted drive, which most often occurs when you have a disk image that is not directly supported by Cyber Triage. This most often occurs when the disk image is encrypted with BitLocker.

Note

Admin credentials are needed for this and you will be prompted to grant those via UAC.

Watch the Cyber Triage Basics Course Local Disk video on this technique.

To import a local disk:

  1. Choose the Local Disk button from the Add New Host screen.

  2. Enter a display name (it can be a host name or more descriptive).

  3. Choose the disk from the pulldown. It will not show the C:drive or network shares.

  4. Press Continue to then configure what data types to collect (see Data Collection Types) and malware settings (see Ingest-Time Settings).

../../_images/import_add_local_disk.png

Note that you cannot queue up a Local Disk even if you have Team or Standard Pro. So, you will need to wait until other hosts are done processing before adding in a local disk.