Live imaging of a hard drive

In case of a live system, you will need to do the following:

Image the volatile data, such as system memory first as discussed earlier
Power the system down
Disconnect the hard drive
Image the hard drive separately

However, in some situations, you will also need to image the hard drive without switching the system off. An example is in case the system is a server that is hosting a critical service that cannot be taken down, or there is an encryption present in the system, which will be reactivated if the system is powered off. This is why live acquisition is the preferred choice all the time.

FTK imager in live hard drive acquisition

In this section, we will use the FTK imager in imaging the hard drive of the live target ...

Get Practical Windows Forensics now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Practical Windows Forensics by Ayman Shaaban, Konstantin Sapronov

Live imaging of a hard drive

FTK imager in live hard drive acquisition

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly