SOFTWARE EXAMPLE - FTK IMAGER

DEMONSTRATION

FTK Imager has many functions, but the one demonstrated here is live acquisition. Live acquisition, or RAM acquisition, is the process of capturing the memory and other volatile data of a running machine. The captured data can then be saved and analysed later.

To start a memory capture, click the 'Capture Memory' button in the toolbar.



Then specify the destination folder and choose whether to include a pagefile and an AD1 file; it is preferable to include both. The two are basically:
  • Pagefile: Temp swap files
  • AD1 file: Combination of both RAM and swap files


Then the memory capture will begin; this will take time depending on how large the RAM is. The RAM on the laptop I performed the capture on is 32GB, so it took around 26 minutes for it to complete.



After the capture finishes, you can head over to the folder in which it was saved and preview the capture report that was generated. This report includes the case information and acquisition process details along with the computed hashes, so that the integrity of the evidence can be verified.


Reference:

LinkedIn Learning