FTK Imager several. 1 . 1
FTK Imager is a Windows acquisition tool and it can always be download directly from Access Info web site cost free. FTK Imager available in two types " FTK Imager” and " FTK Imager Lite”. Both the programs have same features and functions. Just difference is usually lite edition can be manage from a Pendrive or External Supply, so Set up is not required for this variation. The edition used for today Exercise is FTK Imager en aning version a few. 1 . 1 . Run FTK Imager. exe to start the tool. We will get the AccessData FTK Imager windows.
To collect RAM MEMORY (Memory Dump) from live system
To capture RAM Eliminate i. e. Volatile Memory space, go to file menu and click on Catch Memory:
We will get storage capture window:
Click on Surf Button to find the location, wherever RAM Dump will be salvaged
Note: Always choose Exterior Storage Mass media to Store any Evidence Data file like External Hard Disk.
Enter the Recollection Dump file name automatically file term will be memdump. mem. We are able to change it as per case necessity.
If we wants to have backup of Page record check on Contain Page record Box.
To begin capturing click Capture Recollection. Memory catch process begins:
If we notice this progress window we all found total memory mounted in the program. Here total memory we can see is 9GB.
Wait for a little while till the memory and page document capturing finished.
When ever memory record finished effectively click on close button.
Go to the position where memdump. mem document is kept.
To get Windows Shielded Files by live program
To capture Windows Protected documents go to get hold of protected data files in file menu:
Obtain Program Files windows will appear:
Simply click Browse Button to choose the location, where these files will be saved.
Take note: Before this process Create a folder " House windows Protected files” on Exterior Hard Disk and choose this folder to save lots of the Evidence record.
Select Password restoration and all registry files choice and press OK.
Export Files improvement windows will appear.
Following completion of Method, Go to the site where these files are saved.
To Create Picture of Suspected Hard Disk
From the Document menu, select create a Disk Image and choose the source of your graphic. In the interest of a quick demo, I am going to select a 4 GIG Pen drive, but you can choose any attached drive.
NOTE: FTK Imager does not ensure data can be not crafted to the travel, so it is vital that you use a Software or Equipment write blocker.
Click Add... to add the destination. Verify Verify images after they are manufactured so FTK Imager can calculate MD5 and SHA1 hashes in the acquired graphic.
Next, find the image type. The type you choose will usually rely upon what equipment you plan to work with on the picture. The dd format will work with more open source tools, but you might want WISE or E01 if you will primarily end up being working with ASR Expert Observe or EnCase, respectively.
If the version of FTK demands evidence information, you can offer it. In case you select uncooked (dd) structure, the image traguardo data will never be stored in the image file alone.
Select the Picture Destination folder and document name. Also you can set the ideal fragment scale image break up files. Simply click Finish to complete the wizard.
Simply click Start to start the buy:
A improvement window can look.
Once the acquisition is complete, you can view an image overview and the travel will appear inside the evidence list in the left hand side of the key FTK Imager window.
FTK Imager also provides an impressive log from the acquisition procedure and places it inside the same directory as the image, image-name. txt. This file lists evidence information, details of the travel, check amounts, and instances the image obtain started and finished:
Created By AccessData® FTK® Imager 3. 1 ) 1 . eight
Acquired using: ADI3. 1 . 1 . almost 8
Case Number: 2013-08-20/001
Facts Number: goal
Unique information: Suspected...