Hi all,
Has anyone used FTK 3 for a live server acquisition? I may have to image a live server, either physical or logical disk, from a laptop connected to the network, and I do not have access to the actual server itself, i.e. I cannot use FTK Imager and an attached NAS.
Is the AccessData description below correct and viable for such a situation, i.e.:
Live Device Acquisition
— Perform network-based, secure, single-system forensic acquisition of physical devices, logical volumes and RAM.
o Image the full range of system memory
o Image entire physical device or devices
o Image an entire volume or volumes
— The agent can be quickly deployed and does not require installation of any kind.
— No painful authentication/authorization process is required.
Thanks in advance
Si
Yes, the Live Device Acquisition process in FTK 3 works well for the kind of situation you are in.
However, be aware that if some services are still running on the server, you might have some problems imaging some files. I've had the issue before with Exchange servers. I ended up with empty EDB files…
Do you have the option to put FTK Imager on a network share, RDP into the server, and run that, imaging back to the network share? That will give you memory capture as well.
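The workflow suggested in the reply above (stage FTK Imager on a network share, RDP into the server, and image back to the share), written out as an added PowerShell example. This is not code from the original thread or from AccessData. It assumes the command-line build of FTK Imager (ftkimager.exe) has been copied to the share, that the share path \\ws01\evidence, the case number and the drive number are placeholders you replace, and that the --e01, --frag, --compress, --verify and the case-metadata flags behave as in the FTK Imager CLI help; the name of the acquisition log file is also an assumption. Memory capture is a GUI function in FTK Imager and is not scripted here.

```powershell
# Added example (not from the original post). Run inside the RDP session on the server.
# Assumptions: a writable share at \\ws01\evidence that already holds ftkimager.exe,
# and the disk to image is \\.\PHYSICALDRIVE0. All names below are placeholders.

$Share    = '\\ws01\evidence'        # hypothetical collection share
$Source   = '\\.\PHYSICALDRIVE0'     # confirm the right disk first: ftkimager --list-drives
$Case     = 'CASE-0001'              # placeholder case identifier
$Hostname = $env:COMPUTERNAME
$Stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Map the share to a drive letter so the imager sees a plain local-looking path.
net use Z: $Share /persistent:no
if ($LASTEXITCODE -ne 0) { throw "Could not map $Share" }

# 2. Record what was running before imaging. Services holding files open (Exchange,
#    SQL Server, etc.) are the usual reason a live image contains empty or
#    inconsistent database files, so keep this list with the evidence.
$ServiceLog = "Z:\$Hostname-$Stamp-services.txt"
Get-Service | Where-Object Status -eq 'Running' |
    Select-Object Name, DisplayName |
    Format-Table -AutoSize | Out-File -FilePath $ServiceLog -Width 200

# 3. Sanity-check free space on the share against the size of the source disk.
$DiskBytes = (Get-CimInstance Win32_DiskDrive | Where-Object Index -eq 0).Size
$FreeBytes = (Get-PSDrive Z).Free
if ($FreeBytes -lt $DiskBytes) {
    Write-Warning ("Share has {0} GB free; source disk is {1} GB. " +
                   "E01 compression may or may not make up the difference.") -f `
                   [math]::Round($FreeBytes / 1GB), [math]::Round($DiskBytes / 1GB)
}

# 4. Image the physical disk to segmented, compressed, verified E01 files on the share.
#    ftkimager appends .E01, .E02, ... to $Dest itself.
$Dest = "Z:\$Hostname-$Stamp"
& Z:\ftkimager.exe $Source $Dest --e01 --frag 2G --compress 6 --verify `
    --case-number $Case --evidence-number "$Hostname-disk0" `
    --description "Live acquisition over RDP" --examiner $env:USERNAME
if ($LASTEXITCODE -ne 0) { throw "ftkimager exited with code $LASTEXITCODE" }

# 5. Pull the acquisition hashes out of the log (assumed to be written as $Dest.E01.txt)
#    and record an independent SHA-256 of the first segment for the chain of custody.
$LogPath = "$Dest.E01.txt"
if (Test-Path $LogPath) {
    Get-Content $LogPath | Select-String -Pattern 'MD5|SHA1' | ForEach-Object { $_.Line }
}
Get-FileHash -Algorithm SHA256 -Path "$Dest.E01" | Format-List Path, Hash

# 6. Drop the mapping; the image segments and logs stay on the share.
net use Z: /delete
```

Two practical notes on this approach: the RDP session itself and the mapped drive change the state of the live system (new logon events, a new network connection, pagefile churn), so note the session start time in your log before anything else; and if the box is an Exchange or database server, expect the open-file problem the earlier reply describes regardless of which imaging tool you use.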