Open FTK Imager and navigate to the volatile memory icon (capture memory). The following steps will show you how to do this. ThieFTK Imager tool helps investigators to collect the complete volatile memory (RAM) of a computer. This helps to maintain the integrity of the source disk.Īcquiring volatile memory using FTK Imager The write blocker prevents data being modified in the evidence source disk while providing read-only access to the investigator’s laptop. In this case the source disk should be mounted into the investigator’s laptop via write blocker. Installing FTK Imager on the investigator’s laptop.This option is most frequently used in live data acquisition where the evidence PC/laptop is switched on. ![]() Using FTK Imager portable version in a USB pen drive or HDD and opening it directly from the evidence machine.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |