If a workstation or server is booted up and running with its OS can a physical image be acquired while the system is running.
I know that physical images can be acquired using writeblockers or a disk imager; but can FTK imager be used while the OS is running to create a physical image while the system is running? I’ve created logical images before using FTK Imager
thoughts…
To clarify a little more I'll lay out the steps.
- Source system is up and running and can't be shutdown
- External drive is connected via USB (with FTK Imager lite on the drive)
- FTK Imager is launched from the USB drive
- Click "Select Source" --> Select "Physical Drive" and Next
- Select "PhysicalDrive0" and next
- In the "Evidence Tree" select "PhysicalDrive0" and right-click selecting "Export Disk Image"
- Fill out all the other information to start the image acquisition process
Would this process truly create "Physical Disk Image" capturing slack and unallocated space? I would surmise that during this process files will be changing as the OS is running and actively writing to the disk. So, wouldn't this be called a "Live Physical" verses a true physical? Again, would this process actually capture an accurate copy of disk slack space that would allow for files to be carved?
My understanding is that files that are open and in use wouldn't necessarily be copied or fully copied allowing for some hives to be partially corrupted as they're open. But other closed static files would be copied fine.
Any thoughts on this topic would be appreciated
I reached out to Exterro Support for FTK Imager and asked the same question. They said that it's still considered as a physical image. So, in this situation you'll capture the physical structure of the drive including slack space and unallocated space.
However, files that are open or being written to won't always verify correctly and in some situations open files that are being written may be "corrupt" in the image. Files that are not in use will be acquired as you'd expect without issue.
In a situation where the system can't be shutdown it's the best option that's available.
Standard way to copy/backup live disk is to use VSS
https://learn.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service
@passmark - Interesting I've never considered using VSS as a way to get a disk image. I've used VSCs to recover data for bringing a server back up and for analysis. But, the downside of creating a VSC is that it's data being written to the disk which would bring up concerns about slack space being overwritten. I know that a VSC can be redirected to another disk. I'm intrigued by the thought and I'm interested in how it could be applied. A typical backup using a backup tool like Veeam or Backup Exec wouldn't grab slack space either.
My DMIMAGE tool can acquire an image from a volume shadow copy (VSC). This can be useful to get a snapshot of a file system at some point in the past. It is possible to do this on a live system but it will be slower.
The typical sequence of operations is:
1. Get list of volumes (file systems) on target:
DMIMAGE /LISTVOLUMES \\.\PhysicalDrive3
2. Get list of volume shadow copy snapshots on the target volume:
DMIMAGE /LISTVSS /VOLUME:1 \\.\PhysicalDrive3
3. Finally, make an image of the target file system / snapshot:
DMIMAGE /VOLUME:1 /VSS:2 /CREATE:IMAGE.E01 /MD5 /CASE:"12345" /EXAM:"Fred" \\.\PhysicalDrive3
Alternatively, to make a "whole disk" image using the desired shadow copy:
DMIMAGE /VSS:2 /CREATE:IMAGE.E01 /MD5 /CASE:"12345" /EXAM:"Fred" \\.\PhysicalDrive3
You can also use very similar syntax to serve the disk/volume for remote acquisition using DMSERVER or mount it locally using DMMOUNT. This may be useful if you plan to create a bootable virtual machine from the volume shadow copy.
Lastly, if you want to compare two volume shadow copies (points in time), you can mount them from an image or physical disk and compare with a tool such as Beyond Compare:
DMMOUNT /VOLUME:1 /VSS:2 "image.e01" DMMOUNT /VOLUME:1 /VSS:0 "image.e01"
Jim
www.forensicinternals.com
If a workstation or server is booted up and running with its OS can a physical image be acquired while the system is running.
I know that physical images can be acquired using writeblockers or a disk imager; but can FTK imager be used while the OS is running to create a physical image while the system is running? I’ve created logical images before using FTK Imager
thoughts…
Dear @b1d4n6
Yes, complete physical image can be acquired, But make sure to acquire the RAM as well incase of the running computer.
The best and optimal way to analyse the evidence is that you acquire the offline hard disk using write blocker, perform data carving/data recovery and then perform further analysis as per the scope of the investigation.
If a workstation or server is booted up and running with its OS can a physical image be acquired while the system is running.
I know that physical images can be acquired using writeblockers or a disk imager; but can FTK imager be used while the OS is running to create a physical image while the system is running? I’ve created logical images before using FTK Imager
thoughts…
Dear @b1d4n6
Yes, complete physical image can be acquired, But make sure to acquire the RAM as well incase of the running computer.
The best and optimal way to analyse the evidence is that you acquire the offline hard disk using write blocker, perform data carving/data recovery and then perform further analysis as per the scope of the investigation.
