After acquiring the volatile data, we move on to acquire non-volatile data.

Although it is possible to acquire drives from a live system,
the most efficient disk imaging approach is to use high-speed forensic imagers.

At this point, Logicube's Forensic Falcon achieves 30 gigabytes per minute imaging speed,
while MediaClone's SuperImager reaches 29 to 31 gigabytes per minute.

The prices of these imagers range from hundreds to thousands of dollars.


The imaging process is easy.


You simply connect your source drive to the forensic imager to start imaging.

The duplicated image in the format of your choice will be stored on a target drive.


Some target drives (destination drives) are sealed within the imager unit.

For example, FDAS by CyanLine.

Some forensic imagers, for example the Falcon, can simultaneously image multiple source drives
to multiple destination drives, creating multiple copies in different formats.

These imagers have built-in write blocker functionality to ensure
that the original drive data is not modified.

Commonly, the left side of the imager connects the write-blocked source drives
and the right side connects the destination drives, if the destination drives are not sealed within
the imager unit.

The imager will also automatically generate verified hash values after imaging.

If you do not have a forensic imager, the common approach is to combine a software-based imaging
tool with a write blocker to create a bitstream copy of the drive.

We saw both dd and FTK Imager in previous units.

Besides these two, EnCase Forensic Imager and EnCase Forensic from Guidance Software,
and Forensic Toolkit (FTK) from AccessData, are among the leading products in drive image
acquisition.

EnCase Forensic Imager is a free acquisition tool that also provides the functionality
of viewing and browsing potential evidence files.

However, you will need a write blocker to separate the original drives
from the imaging software, to prevent the software from modifying data on the original drives.

EnCase Forensic, from Guidance Software, was the first sophisticated forensic imaging
and analysis tool on the market, in 1998.

When using EnCase to acquire an image, it creates an EnCase evidence file.

This evidence file includes headers, the content of the original drive or media,
and MD5 and SHA1 hash values.

Besides hash values, the EnCase evidence format also adds error detection
by storing a CRC checksum for every 64 sectors of data.

If the hashes do not match, the CRCs help find where the change is at the sector level.
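As an added illustration (not from the lecture, and not EnCase's own code or the real EWF file layout), the following Python model shows the verification idea behind the format: whole-image MD5 and SHA-1 hashes tell you whether the image changed, and a CRC32 per 64-sector chunk tells you where. The sector size, sample drive contents and the function names are assumptions.

```python
import hashlib
import zlib

SECTOR = 512                      # assumed sector size
CHUNK_SECTORS = 64                # one CRC per 64 sectors, as the lecture describes
CHUNK = SECTOR * CHUNK_SECTORS    # 32 KiB per CRC-protected chunk


def acquire(drive: bytes) -> dict:
    """Simulated acquisition: copy the source bit for bit and record the
    MD5/SHA-1 of the whole drive plus a CRC32 for every 64-sector chunk."""
    chunks = [drive[i:i + CHUNK] for i in range(0, len(drive), CHUNK)]
    return {
        "data": bytes(drive),                     # the bitstream copy
        "md5": hashlib.md5(drive).hexdigest(),
        "sha1": hashlib.sha1(drive).hexdigest(),
        "crcs": [zlib.crc32(c) & 0xFFFFFFFF for c in chunks],
    }


def verify(image: dict) -> tuple[bool, list[int]]:
    """Return (hashes_match, indices of chunks whose CRC no longer matches).
    Hashes answer *whether* the image changed; CRCs narrow *where*."""
    data = image["data"]
    hashes_ok = (hashlib.md5(data).hexdigest() == image["md5"]
                 and hashlib.sha1(data).hexdigest() == image["sha1"])
    bad = []
    for idx, stored in enumerate(image["crcs"]):
        chunk = data[idx * CHUNK:(idx + 1) * CHUNK]
        if (zlib.crc32(chunk) & 0xFFFFFFFF) != stored:
            bad.append(idx)
    return hashes_ok, bad


def chunk_to_sectors(idx: int) -> tuple[int, int]:
    """First and last sector number covered by CRC chunk idx."""
    return idx * CHUNK_SECTORS, (idx + 1) * CHUNK_SECTORS - 1


# Constructed sample "drive": 4 chunks = 256 sectors of patterned bytes.
DRIVE = bytes((i * 7) & 0xFF for i in range(4 * CHUNK))

if __name__ == "__main__":
    img = acquire(DRIVE)
    print("clean:", verify(img))                  # (True, [])
    tampered = bytearray(img["data"])
    tampered[3 * CHUNK + 100] ^= 0x01             # flip one bit inside chunk 3
    img["data"] = bytes(tampered)
    ok, bad = verify(img)
    print("tampered:", ok, [chunk_to_sectors(i) for i in bad])  # False [(192, 255)]
```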

All versions of the EnCase image use the .E01 extension.

This extension is recognized as the EnCase image file format,
also known as Expert Witness Format, EWF for short.

Since EnCase version 7, the extension has become .EX01, known as EWF version 2.

EnCase can also create images of files and directories,
without including slack and deleted data.

This type of image is called the logical evidence file format, with the extension .LX01.

Both the EX01 and LX01 formats support compression and encryption of the data.

Although there are other disk image formats, raw dd images
and EnCase images are among the most common disk image formats used in forensic imaging.

FTK Imager can convert one image format to another.

Another great feature of EnCase is that it has its own built-in software write blocker,
providing a forensically sound write-blocking software solution for all connected disks.

Hardware write blockers use a hardware device that physically separates your evidence disk
from your forensic workstation.

What is a software-based write blocker?


Software write blocking uses a software application installed on your forensic workstation
to prevent the workstation from writing to attached disks.

For example, SAFE Block Win8, from ForensicSoft Inc., is a standalone software write
blocker that can be installed and used alongside other forensic
acquisition tools.

EnCase has its own software write blocker, called FastBloc SE,
which is built into the EnCase software.

Here are the steps for using EnCase's built-in FastBloc SE write blocker
to acquire a subject device.

First, make sure that the subject device is not connected before we turn
on the write-block option.

Launch EnCase Forensic and create a new case.

Then select Tools, FastBloc SE, and select the Plug and Play tab with the Write Blocked option.

Insert a USB or other device for imaging.

Click Close.

With FastBloc SE turned on, there is no risk
of modifying the source evidence when you acquire a device image.

So far we have assumed that forensic examiners always know which drives
or partitions they should acquire.


However, since acquisition is a long, time-consuming process,
examiners would like to go through multiple drives to decide
which one is most likely to contain critical evidence.


This is called previewing the evidence.


EnCase and FTK Imager let you preview drives before acquiring them.

This means you only read data, but do not own the data.


Preview allows examiners to quickly determine whether relevant evidence exists
on a computer before going through a long acquisition process.


Remember, you have to use the write blocker for imaging as well
to ensure you do not change a single bit on the drive when viewing the files.


Finally, we will discuss remote live forensics, with the capability of acquiring memory
and drive data from a remote machine in a forensically sound manner.

Several commercial solutions, like EnCase Enterprise, Mandiant MIR,
and F-Response, are able to gather live information from a remote machine
through an agent preinstalled on the remote systems.

Google Rapid Response (GRR) is a powerful open source incident response framework focusing
on remote live forensic acquisition and analysis.

GRR uses a client-server architecture.

Agents are installed on all the clients that frequently communicate with the server
to receive tasks and send task results to the server.


The servers are responsible for sending requests to the clients,
and collecting information from the clients.


GRR includes both The Sleuth Kit and Rekall.

Its memory acquisition and analysis functions are provided by Rekall, and its disk
and file system analysis functions are supported by The Sleuth Kit.

Although using GRR for remote forensic acquisition and analysis is not required
to pass this course, it is a very powerful tool for forensic investigators.


In this unit, we covered the Windows volatile and non-volatile data acquisition process
and technologies.

In the next unit, we will look at Windows File System and Registry.


Reposted from: https://www.cnblogs.com/sec875/articles/10015673.html
