Thursday, May 21, 2009

FTK Imager can acquire RAM


FTK Imager 2.6.0 has gained new functionality. Finally, it can capture RAM. There is no portable version as yet, so I can't see much use for it at this stage unless it can be used with F-Response? I found FTK Imager to be much slower compared to my favourite X-Ways Forensics tool. Additionally, I was unable to acquire RAM with the new FTK Imager on Win 2003 Server with 8GB RAM; the acquisition just stopped at 48%. I should mention that the new version of this popular imaging tool got a few bug fixes and 'improvements' listed here.

Speaking of RAM, VMware vSphere 4 supports a few TB of memory on the host server and up to 256GB of memory for a guest. That's a lot of RAM and perhaps this is the future of any forensic lab. Whilst the Cloud is often viewed as a "cost savings" that comes together with a loss of control of the computing infrastructure and various information security issues, the future may be in private cloud networks. These private clouds are capable of delivering flexible computer networks that are able to accelerate when and where it is needed most.

2 comments:

Tony Patrick said...

FTK Imager 2.6 can be put on a thumb drive without the need to install and capture the RAM that way.

Then you just have the usual forensic trace alterations from adding a thumb drive, and running an app on a live system to explain as usual.

eco said...

Thanks Tony,
I didn’t know you can put the ‘non-light’ version on a thumb drive. I did play with it a little bit this morning and managed to get FTK Imager (full edition) to work from my USB thumb drive. Thanks again.