Live imaging

An image can be captured from a running system with FTK Imager in much the same way as from a powered-off one. The one major difference is that FTK Imager is run from a USB device connected to the system rather than installed on it. This lets the incident response analyst image the drive without installing software on a potentially compromised host. Imaging a live system is never entirely non-invasive: running the tool still updates certain files and registry settings (for example, the prefetch entry for the executable and the registry keys Windows writes when a USB device is attached), and the system's memory and volatile state keep changing throughout the acquisition. What it avoids is the far larger footprint of an installer writing program files, libraries, and registry hives onto the evidence drive. The analyst should note the time the USB device was connected and the tool launched so that these changes can be accounted for later.

In terms of preparation, the analyst should have a preconfigured USB drive with two separate partitions: one holding the tools and one reserved for the evidence image. As was previously discussed, the evidence partition should be wiped prior to any use so that no residue from an earlier case can be mistaken for, or mixed into, the image being acquired. Also, the full-featured FTK Imager ...
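The wipe of the evidence partition is only worth something if it is verified. The following shell script is an added example, not code from the book, and assumes the preparation is done on the analyst's Linux workstation with standard dd, tr and wc: it zeros the target and then reads every byte back to prove nothing remains. TARGET is assumed to be the evidence partition of the USB drive (a device node such as /dev/sdb2); a regular file works as a stand-in so the script can be exercised offline before it is ever pointed at a real device.

```sh
#!/bin/sh
# Added example (not from the book): zero the evidence partition on the
# analyst's USB drive and prove it holds nothing before it receives a live image.
# Assumptions: Linux/BSD workstation with dd, tr, wc and blockdev; the target is
# normally a partition device node (e.g. /dev/sdb2) but may be a regular file.
# WARNING: everything on the target is destroyed; double-check the device name.
set -eu

# Size of the target in bytes: a block device via blockdev, a file via wc.
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Overwrite the whole target with zeros. Partition sizes are always a multiple
# of the 512-byte sector, so a 512-byte block size covers the target exactly
# without extending a file stand-in past its original length.
wipe_partition() {
    size=$(target_size "$1")
    dd if=/dev/zero of="$1" bs=512 count=$(( size / 512 )) 2>/dev/null
    sync
}

# Count the nonzero bytes on the target; a wiped partition reports 0.
# This reads the entire target, which is slow on a large partition but
# leaves no byte unchecked, which is the point of the verification.
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Wipe, then verify; returns 1 (and says why) if anything nonzero survives.
# Usage: sh wipe_evidence.sh /dev/sdb2
wipe_and_verify() {
    wipe_partition "$1"
    n=$(nonzero_bytes "$1")
    if [ "$n" -eq 0 ]; then
        echo "$1: wiped, $(target_size "$1") bytes verified zero"
    else
        echo "$1: NOT clean, $n nonzero bytes remain" >&2
        return 1
    fi
}

# Only act when a target is given on the command line.
if [ "$#" -ge 1 ]; then
    wipe_and_verify "$1"
fi
```

Run it with the evidence partition as the only argument and keep its output line with the case notes; the reported size and the zero-byte verdict document the state of the partition immediately before the live image was written to it.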
