Hi guys, please can someone tell me how to go about imaging a Unix server that cannot be shut down? The tools I have are FTK Imager/Lite and EnCase.
What exactly do you want to image?
Do you have RAID that you plan to copy logically?
Where do you plan to copy your images (attached drive, network drive)?
Are you going to log on to the server or access it remotely?
Do you have some way to trust the tools (like DD) that are likely on the system or are you concerned about malware and need to bring in your own tools? Are FTK Imager and EnCase your only approved tools?
There are so many questions that need to be answered from the very little information you have provided.
You can use dd as suggested, or command-line FTK for *nix; a better option would be getting yourself a copy of F-Response. Don't forget your communication tool :-), speak to the server administrator and ask him about the best way of imaging the server. Your ego may suffer a bit, but you may learn a lot and get the image done without much suffering.
My assumptions here:
1. You have temporary ssh root access to the server (the sysadmin enters the password for you).
2. You cannot install any tools on the server.
In that case, you can take an image using dd over ssh. I used to do that all the time to replicate servers, not for forensics, but as a sysadmin. The hash will not match because it's live - files are changing constantly.
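
An added example (not written by any poster in this thread) of the dd-over-ssh acquisition described in the last reply, hashing the stream as it arrives so the stored image can be re-verified later even though the live disk keeps changing. The host, device and paths are hypothetical, and it assumes `sha256sum` is available on the collecting workstation.

```shell
# Added example: pull a raw image from a live host with dd over ssh and hash
# the byte stream as it is received. Nothing is installed on the server.

# acquire OUT CMD...: run CMD, store its stdout in OUT and the SHA-256 of the
# received bytes in OUT.sha256. Fails if CMD fails or OUT already exists.
acquire() {
    out=$1; shift
    if [ -e "$out" ]; then
        echo "refusing to overwrite $out" >&2
        return 2
    fi
    # A pipeline hides the source command's exit status, so record a failure
    # in a marker file and check for it afterwards.
    { "$@" || echo "source command exited $?" > "$out.err"; } \
        | tee "$out" | sha256sum | cut -d' ' -f1 > "$out.sha256"
    date -u '+acquired %Y-%m-%dT%H:%M:%SZ' >> "$out.log"
    chmod a-w "$out" "$out.sha256"      # guard against accidental edits
    [ ! -e "$out.err" ]
}

# verify OUT: re-hash the stored image and compare with the acquisition hash.
# This proves the evidence file is unchanged since collection; it says nothing
# about the live disk, which will have moved on.
verify() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(cat "$1.sha256")" ]
}

# Usage against a live server (hypothetical host, device and evidence path):
#   acquire /evidence/server01-sda.dd \
#       ssh root@server01.example 'dd if=/dev/sda bs=64k conv=noerror,sync'
#   verify /evidence/server01-sda.dd && echo "image matches acquisition hash"
```

`conv=noerror,sync` keeps dd reading past bad sectors and pads them with zeros, so offsets in the image stay aligned with the source device.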