From the course: Incident Response: Evidence Collection in Windows
Acquiring a memory image in Windows
- [Instructor] In this lesson we're going to acquire a memory image inside of Windows because going by our order of volatility that is one of our highest priorities. Now to do this, I'm going to connect my USB drive that has my Trusted Tools on it. When I created my Trusted Tools drive, I put it on a 64GB thumb drive so I have plenty of free storage available for me to connect this thumb drive to the system and copy the memory to my thumb drive. Now to do this, I'm going to use the FTK Imager Lite 3.1.1 Tool. We're going to go to the Imager Lite, double-click it and then select FTK Imager. And we'll double-click that application in order to launch it. Now once this pops up with the User Account Control, we'll click Yes, and from here we're going to go and launch the Tool. Now once we're in the Tool, we're going to go to File and then Capture Memory. From here, you're going to select what you want to save that memory…
Contents
- Evidence collection (2m 12s)
- Volatile and nonvolatile data (5m 45s)
- Acquiring a memory image in Windows (2m 24s)
- Acquiring a memory image in Windows in DumpIt (2m 8s)
- Using CryptCat and Tee (3m 51s)
- Collecting the data/time of the victim (2m 42s)
- Documenting the logged on users (1m 22s)
- Documenting open network connections (3m 11s)
- Documenting the running processes (2m 24s)
- Documenting any shared files (1m 11s)