11. Collecting Data

The common and best practice for conducting a forensic examination is to create a bit-by-bit copy of the storage device that you are set to examine and then analyze the copy. Working in this manner ensures that the actual storage device is not contaminated and can even provide performance benefits. This chapter begins with a description of how to create this bit-by-bit copy, called a disk image, using the tool Forensic ToolKit (FTK) Imager on a running or turned-off computer. The chapter then describes how to collect volatile data including taking a memory dump and extracting registry hives from a Windows computer during a live examination. At times, you find a computer that is turned on and you are not able to extract any data from the computer because it is logged out or likewise. In those cases, it is possible to extract information from memory using invasive techniques. This chapter introduces two such techniques, direct memory access (DMA) attack and cold boot attack. At the end of the chapter, some constraints and considerations relating to analyzing running machines during house searches are presented.