FTK Imager is a Windows acquisition tool that can be downloaded free of cost directly from the AccessData web site. FTK Imager is available in two editions, "FTK Imager" and "FTK Imager Lite". Both have the same features and functions; the only difference is that the Lite version can be run from a pen drive or other external source, so no setup is required. The version used for today's exercise is FTK Imager Lite version 3.1.1.
Run FTK Imager.exe to start the tool. The AccessData FTK Imager window will open.
To collect RAM (memory dump) from a live system
To capture a RAM dump, i.e. volatile memory, go to the File menu and click Capture Memory:
The Memory Capture window will open:
Click the Browse button to choose the location where the RAM dump will be saved.
Note: Always store evidence files on external storage media, such as an external hard disk.
Enter the memory dump file name. The default file name is memdump.mem; we can change it as the case requires.
To also capture the page file, check the Include pagefile box.
To start capturing, click Capture Memory. The memory capture process will start:
In this progress window we can see the total memory installed in the system. Here the total memory is 9GB.
Wait until the memory and page file capture has finished.
When the memory capture has finished successfully, click the Close button.
Go to the location where the memdump.mem file was saved.
To collect Windows protected files from a live system
To capture Windows protected files, go to Obtain Protected Files in the File menu:
The Obtain System Files window will appear:
Click the Browse button to choose the location where these files will be saved.
Note: Before doing this, create a folder "Windows Protected files" on the external hard disk and choose this folder to save the evidence files.
Click the Password recovery and all registry files option and press OK.
The Export Files progress window will appear.
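Once both exports have finished, the evidence on the external drive should be hashed and recorded before anything else is done with it. The script below is an added example, not part of FTK Imager or of this tutorial: it streams a SHA-256 over memdump.mem, the page file and the exported protected files, checks that the dump size is roughly the installed RAM shown in the progress window (9GB here), and writes a JSON manifest. The evidence folder layout, the manifest format and the 10% size tolerance are assumptions.

```python
import hashlib
import json
import time
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # stream in 1 MiB chunks; a RAM dump is too large to read at once

def sha256_file(path):
    """SHA-256 hex digest of a file, computed without loading it into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()

def dump_size_plausible(dump_bytes, installed_ram_bytes, tolerance=0.10):
    """Sanity check: a raw physical-memory dump should be roughly the size of installed RAM.
    The 10% tolerance is an assumption; reserved address ranges can shift the size slightly."""
    if installed_ram_bytes <= 0:
        return False
    return abs(dump_bytes - installed_ram_bytes) / installed_ram_bytes <= tolerance

def build_manifest(evidence_dir, installed_ram_bytes, dump_name="memdump.mem"):
    """Hash every file under the evidence folder (memdump.mem, page file, exported
    registry hives) and flag whether the memory dump size matches the installed RAM."""
    evidence_dir = Path(evidence_dir)
    entries = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        size = path.stat().st_size
        entry = {"file": path.relative_to(evidence_dir).as_posix(),
                 "size_bytes": size, "sha256": sha256_file(path)}
        if path.name == dump_name:
            entry["size_plausible"] = dump_size_plausible(size, installed_ram_bytes)
        entries.append(entry)
    return {"created_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "evidence_dir": str(evidence_dir),
            "installed_ram_bytes": installed_ram_bytes,
            "files": entries}

def write_manifest(manifest, out_path):
    """Write the manifest as JSON next to the evidence and return its own SHA-256,
    so the manifest itself can be verified later as well."""
    Path(out_path).write_text(json.dumps(manifest, indent=2))
    return sha256_file(out_path)
```

Run it against the folder on the external drive (for example `build_manifest(r"E:\Evidence", 9 * 1024 ** 3)`, a constructed path) and keep the returned manifest digest in the case notes.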