From the course: Incident Response: Evidence Collection in Windows

Unlock the full course today

Join today to access over 22,600 courses taught by industry experts or purchase this course individually.

Acquiring a memory image in Windows

Acquiring a memory image in Windows

From the course: Incident Response: Evidence Collection in Windows

Start my 1-month free trial

Acquiring a memory image in Windows

- [Instructor] In this lesson we're going to acquire a memory image inside of Windows because going by our order of volatility that is one of our highest priorities. Now to do this, I'm going to connect my USB drive that has my Trusted Tools on it. When I created my Trusted Tools drive, I put it on a 64GB thumb drive so I have plenty of free storage available for me to connect this thumb drive to the system and copy the memory to my thumb drive. Now to do this, I'm going to use the FTK Imager Lite 3.1.1 Tool. We're going to go to the Imager Lite, double-click it and then select FTK Imager. And we'll double-click that application in order to launch it. Now once this pops up with the User Account Control, we'll click Yes, and from here we're going to go and launch the Tool. Now once we're in the Tool, we're going to go to File and then Capture Memory. From here, you're going to select what you want to save that memory…

Contents