So the next part of this video will cover the forensic acquisition of data from a PC. We will start from a powered-on state for the PC, and then we will show you how to go about that process. We can go back to our AccessData FTK Imager: just close out of this and go back into it again. The nifty thing about FTK Imager compared to the EnCase Forensic Imager is that FTK Imager has the ability to capture the virtual memory from a machine. So if you were to take this on a forensic thumb drive, you could actually run FTK Imager from your forensic drive and gather the volatile memory from your victim machine.
We'll go to the File menu and we can scroll down to the icon that says Capture Memory, and then we're going to browse to the destination path. So we're going to again put this on our forensic thumb drive. I'm running this program from my desktop; however, you should be running this program from your thumb drive to ensure you're using forensically sound principles. We'll click OK, and then it's going to ask us to name the file. We can name it after my computer's name, ***, so we'll call it ***.mem. Then it's going to ask you if you want to create an AD1 file, which is specifically for use with AccessData; we don't need any of that. So we can just click on Capture Memory, and it's going to start capturing the memory.
As you can see, I have 35 gigabytes of volatile memory in my RAM, and it will go through the process of collecting all of the volatile memory. So I will save you guys the wait time; I'll click pause, and we'll come back when this is finished.
Okay, so we're back now and we can see that the memory capture process has finished. It has sent the file to the E: drive as ***.mem, and the memory capture finished successfully. So if we go to the drive, we can see that it now also contains the ***.mem file, and capturing a file of that size took an hour and a half or so. So obviously, if time is of the essence and you have a computer that has a very large amount of RAM, just be cognisant that it could take quite a bit of time to get that. If the case has been ongoing for quite some time and the incident is relatively old, it may not be in your best interest to do a memory dump. However, if you are interested in some of the running processes and things that can only be captured in the volatile memory, then that is something that you should definitely consider doing.
And, of course, there are other ways to obtain the volatile memory from a system. There are programs such as Mandiant's Redline that combine analysis and data capture into one tool, and I'll show you an example of that here in a couple of minutes. You could also use a list of trusted tools from either a CD or a USB on the victim machine and run a series of commands from the command line that give you similar information as running the memory dump would. I'll demonstrate that here in a second for you.
So, as I was saying, the other thing that we could do is load our own trusted tools into the system, and we would be able to run similar commands from the trusted tools that we have on the victim machine. So what I've done is that I've gone ahead and inserted my trusted tools into the computer system; if we scroll down and find it on this list, it is the H: drive. As you can see, this is a removable drive, and it has quite a few programs on it that I might want to use in my forensic examination of a system. You can see I've got my MD5 program on there. I have a program that actually came with the thumb drive, the SanDisk SecureAccess. I have my trusted tool kit, and the actual presentation I'm working on now. I also have DumpIt, which will perform pretty much the same process that FTK Imager did. Clicking on DumpIt will ask if we want to allow the device to make changes, and when you click on DumpIt it will actually create a raw file of the volatile memory on our removable thumb drive. So that is another methodology that you could use. Then, as stated, we have the EnCase Imager on our victim machine, and we also have some RAM capture tools that are also available for use.
But in this I've talked about trusted tools, and what the trusted tools are, essentially, are the command-line programs that you might be interested in running on a victim machine. You would never want to rely on the machine to use the programs that it has natively installed, because you don't know where those programs came from. You don't know if they've been altered, or even if they might be present on the system. The trusted tool kit has a lot of the command-line programs that you would want to use, including our MD5 files, some hash files, the echo command, this maps, and, as we scroll down through here, PsInfo, PsList and PsLoggedOn. So all of these commands would be very valuable and useful for you to use on a system, especially if you did not want to wait around to capture that volatile memory.
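As an added example, not from the video and not part of any of the tools it names, here is a PowerShell script in the spirit of the trusted-tools approach: it verifies the tool kit on the removable drive against a hash manifest, runs PsInfo, PsList and PsLoggedOn by absolute path from that drive rather than from the victim's PATH, writes their output to the drive, and records MD5 hashes of the memory image and of every output. The drive letter H:, the TrustedTools and Collection folders, the manifest.md5 file and the memory.mem file name are assumptions.

```powershell
# Added example (not from the video): live response with a trusted tool kit on a removable
# drive. Assumed layout: tools in H:\TrustedTools, a manifest.md5 listing "<md5>  <file>"
# per tool, the FTK Imager / DumpIt memory image at H:\memory.mem, output to H:\Collection.
param(
    [string]$ToolsRoot   = 'H:\TrustedTools',
    [string]$OutRoot     = 'H:\Collection',
    [string]$Manifest    = 'H:\TrustedTools\manifest.md5',
    [string]$MemoryImage = 'H:\memory.mem'
)
$ErrorActionPreference = 'Stop'
$case = Join-Path $OutRoot ("{0}_{1}" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd_HHmmss'))
New-Item -ItemType Directory -Path $case | Out-Null
$log = Join-Path $case 'collection.log'

# 1. Verify the kit against the manifest before trusting it: a tool that has been swapped
#    or altered on the drive is no better than one found on the victim machine.
foreach ($line in Get-Content $Manifest) {
    $expected, $name = $line -split '\s+', 2
    $actual = (Get-FileHash -Algorithm MD5 -Path (Join-Path $ToolsRoot $name)).Hash
    if ($actual -ne $expected.ToUpper()) { throw "Trusted tool hash mismatch: $name" }
    "$actual  $name  verified" | Add-Content $log
}

# 2. Run each tool by absolute path from the removable drive, never via the victim's PATH.
#    powershell.exe itself still comes from the host, and every command touches memory,
#    which is why the memory image is captured before any of this runs.
$tools = @{
    'psinfo.txt'     = @('PsInfo.exe',     '-accepteula')
    'pslist.txt'     = @('PsList.exe',     '-accepteula', '-t')
    'psloggedon.txt' = @('PsLoggedOn.exe', '-accepteula')
}
foreach ($out in $tools.Keys) {
    $exe      = Join-Path $ToolsRoot $tools[$out][0]
    $toolArgs = $tools[$out][1..($tools[$out].Count - 1)]
    "$(Get-Date -Format o)  $exe $toolArgs" | Add-Content $log
    & $exe @toolArgs 2>&1 | Out-File -FilePath (Join-Path $case $out) -Encoding utf8
}

# 3. Hash the memory image and every output so the evidence can be verified later.
$hashes = Join-Path $case 'hashes.md5'
if (Test-Path $MemoryImage) {
    "{0}  {1}" -f (Get-FileHash -Algorithm MD5 -Path $MemoryImage).Hash, (Split-Path $MemoryImage -Leaf) |
        Add-Content $hashes
}
Get-ChildItem $case -File | Where-Object Name -ne 'hashes.md5' | ForEach-Object {
    "{0}  {1}" -f (Get-FileHash -Algorithm MD5 -Path $_.FullName).Hash, $_.Name
} | Add-Content $hashes
```

Everything the script writes lands on the removable drive, so the victim's disk is not touched; the collection.log records which tool ran when, which is what the examiner needs to account for the changes the live commands themselves make to the system.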