How To Conduct A Live Forensic Scan Of A Windows Computer

Learn how to conduct a Windows live scan with ADF Solutions Digital Evidence Investigator. Two USB ports are required to start a scan: one for the Collection Key and one for the Authentication Key. Once the scan has started, the Authentication Key can be removed. A USB hub may be used when the target computer has only one free USB port.

When running a live scan from a Collection Key it is possible to create a RAM dump of the computer. The RAM dump can then be analyzed with memory-forensics software such as Volatility. Keep in mind that any live acquisition changes the state of the running system: inserting the keys and launching the tool leaves USB-device and program-execution artifacts on the target, so record the time, the device serial numbers and each action taken in your contemporaneous notes.

In this example our digital forensic investigator uses a 4-port USB hub, a Collection Key, an Authentication Key and a target computer that is up and running with only one USB port available.

  1. Start by inserting the USB hub with the Collection Key and Authentication Key attached. In this example AutoPlay is set to open the folder automatically; if it is not, open File Explorer and browse to the CKY device as shown.
  2. Execute the Start.bat file stored on the Collection Key by double clicking on it.
  3. From the main menu click Create RAM Dump. The RAM dump is saved to the Collection Key inside a zip file. Take the dump before scanning: the scan itself reads the drive and changes what is resident in memory, so the earlier the dump, the closer it is to the state you found the machine in. Once complete, click the Home button to return to the main menu.
  4. At the main menu, to continue with a Live Scan, click on Scan Computer.
  5. Select the Drive(s) or Partition(s) that you would like to scan.
  6. Select the Search Profile.
  7. Change the scan name if needed and fill out any mandatory fields. Once all fields are completed, start the scan by clicking the Scan button.
  8. Once the scan has started, remove the Authentication Key. You can then pair it with another Collection Key to run one or more additional scans on other machines while on site.
  9. Once started, the scan activity is shown in three areas:

    Progress Bar – The current area and files being scanned, along with the estimated percentage complete.

    Matches Log – A real-time preview (thumbnail) of the File Capture matches collected. Image and video files are shown as thumbnails, keyword matches show the keyword found, and all other matches are represented by an associated icon.

    Capture Results – A cumulative count of capture results.

  10. You can view the results while the scan is running, and can refresh, pause or stop the scan from the viewing pane, or return to the scan screen. If you need to stop a scan for any reason, everything collected up to that point is already on the Collection Key and can be analyzed; no post-scan collection step is required.
  11. You will then have the option to View My Results or go to the Imaging portion of Digital Evidence Investigator if you want to image the target computer.
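Everything the scan collects sits on the Collection Key, so the first thing to do once the key comes off the target is to fix its contents with a hash manifest. The following Python script is an added example, not ADF's own code or output format: it walks a collection directory, records the size and SHA-256 of every file (streamed, so a multi-gigabyte RAM dump zip does not have to fit in memory), and re-verifies the directory later to flag modified, missing or added files. The directory layout, the case_id and examiner fields, and the sample files created in demo() are constructed for illustration.

```python
"""Hash-manifest helper for a collection key (added example; not part of ADF's tooling)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a multi-GB RAM dump never sits in memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path, case_id: str, examiner: str) -> dict:
    """Walk the collection output under `root` and record size and SHA-256 of every file.

    `case_id` and `examiner` are free-text labels supplied by the investigator; the
    manifest layout is an assumption of this example, not a format the page describes.
    """
    entries = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        entries[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    return {
        "case_id": case_id,
        "examiner": examiner,
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "root": str(root),
        "files": entries,
    }


def write_manifest(manifest: dict, out_path: Path) -> str:
    """Write the manifest as JSON (to a location OUTSIDE the collection root, or it will
    show up as an 'added' file on verification) and return the manifest's own SHA-256,
    which goes into the handwritten chain-of-custody notes."""
    out_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return sha256_file(out_path)


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Re-hash everything under `root` against `manifest`.

    Returns {"ok": bool, "modified": [...], "missing": [...], "added": [...]}.
    """
    current = {p.relative_to(root).as_posix(): sha256_file(p)
               for p in root.rglob("*") if p.is_file()}
    expected = manifest["files"]
    modified = sorted(r for r in expected
                      if r in current and current[r] != expected[r]["sha256"])
    missing = sorted(r for r in expected if r not in current)
    added = sorted(r for r in current if r not in expected)
    return {"ok": not (modified or missing or added),
            "modified": modified, "missing": missing, "added": added}


def demo() -> dict:
    """Constructed sample: fake a collection-key layout in a temp dir, manifest it,
    then edit one file to show the verification catching the change."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "RAMDump").mkdir()
        # Constructed placeholder bytes, not a real memory image.
        (root / "RAMDump" / "memdump.zip").write_bytes(b"PK\x03\x04 constructed placeholder")
        (root / "scan.log").write_text("constructed scan log line\n")
        manifest = build_manifest(root, case_id="CASE-0001", examiner="examiner")
        clean = verify_manifest(root, manifest)
        (root / "scan.log").write_text("constructed scan log line - edited\n")
        tampered = verify_manifest(root, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    # Real use: build_manifest(Path("E:/"), ...) on the mounted Collection Key, then
    # write_manifest(...) to the examiner's own workstation, not to the key.
    print(json.dumps(demo(), indent=2))
```

Run the manifest as soon as the key is back at the workstation and again before analysis; a mismatch in either pass is a custody problem to document, not something to quietly re-hash.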

ADF software includes support and direct access to our digital forensic specialists. Contact us for assistance creating custom search profiles, to request a demo, or to learn more about how ADF tools can help you speed your investigations and reduce forensic backlogs.
