Hi, I’m Rich Frawley, and I’m the Digital Forensic Specialist with ADF Solutions. Today we’re going to conduct a boot scan of a Microsoft Surface Pro with BitLocker activated.
At this point you have decided on a search profile, or search profiles, to use and prepared your collection key.
When conducting a boot scan, Digital Evidence Investigator is forensically sound. This means that no changes are made to the target media.
Prior to conducting a boot scan, establish how many USB ports are available, and determine if the four-port USB hub is required.
Two ports are required in order to complete a scan: one for the collection key and one for the authentication key. Once the scan is started, the authentication key can be removed.
The Surface Pro only has one USB port, so I have a four-port hub, the collection key connected, and the authentication key.
With the Surface Pro, in order to boot to the USB device, we’ll hold the ‘volume down’ button while pushing and releasing the power button.
When booting to the collection key, Digital Evidence Investigator will automatically launch the application to scan the computer. No user input is normally required within the Windows boot manager.
Once DEI has launched, there are two options available: Scan Computer and Image Computer. To proceed with the boot scan, click on ‘Scan Computer.’
You can see here the physical device and the BitLocker volume; the search profiles that we have on our collection key; and our scan information.
To get started, we need to enter the credentials for the BitLocker encrypted volume.
Once the volume is decrypted, we can choose the search profile that we want to run; give it a scan name; adjust our date and time if necessary; enter in any custom fields that may be present; and then start our scan.
As you can see, I have my authentication key. In order to start the scan, I present my authentication key. The scan will start. I can now remove the authentication key and move on to another computer with another collection key.
That’s all for this video; thank you for your time.
Get a free trial at www.TryADF.com.
