Live imaging of a hard drive
In the case of a live system, you will need to do the following:
1. Image the volatile data, such as system memory, first, as discussed earlier.
2. Power the system down.
3. Disconnect the hard drive.
4. Image the hard drive separately.
However, in some situations, you will also need to image the hard drive without switching the system off. Examples are a server that is hosting a critical service that cannot be taken down, or a system on which full-disk encryption is present and would be reactivated if the system were powered off, leaving the disk unreadable. This is why live acquisition is always the preferred choice in these situations.
FTK Imager in live hard drive acquisition
In this section, we will use FTK Imager to image the hard drive of the live target machine. We will use FTK Imager Lite (http://accessdata.com/product-download/digital-forensics/ftk-imager-lite-version-3.1.1), which doesn't require any installation, so that it leaves the fewest possible traces on the live system. Navigate to File | Create Disk Image...
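To make clear what a tool such as FTK Imager is doing behind the Create Disk Image dialog, here is an added Python example (not code from the book or from AccessData) of the core of a raw acquisition: read the source in fixed-size chunks, write each chunk to a dd-style image, hash the bytes as they are read, then re-read the finished image and hash it independently so the acquisition log records whether the image matches what was read from the source. The example runs offline against a constructed pseudo-device file; on a real Windows live system the source would instead be a physical device path such as \\.\PhysicalDrive0 opened with administrator rights, and the output would go to external media rather than the evidence disk.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # read the source 1 MiB at a time


def acquire_raw_image(source_path, image_path, log_path, chunk_size=CHUNK_SIZE):
    """Copy source_path (a block device, or a file standing in for one) to
    image_path as a raw image. The source bytes are hashed as they stream
    through; the written image is then re-read and hashed on its own, and
    both digests plus timing go into a plain-text acquisition log."""
    md5_src, sha256_src = hashlib.md5(), hashlib.sha256()
    started = datetime.now(timezone.utc)
    total = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk_size), b""):
            md5_src.update(block)
            sha256_src.update(block)
            dst.write(block)
            total += len(block)

    # Independent verification pass over the image file we just wrote.
    md5_img, sha256_img = hashlib.md5(), hashlib.sha256()
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(chunk_size), b""):
            md5_img.update(block)
            sha256_img.update(block)
    finished = datetime.now(timezone.utc)

    result = {
        "source": source_path,
        "image": image_path,
        "bytes": total,
        "md5": md5_src.hexdigest(),
        "sha256": sha256_src.hexdigest(),
        # True only if the image matches the stream that was read from the source
        "verified": (md5_src.hexdigest() == md5_img.hexdigest()
                     and sha256_src.hexdigest() == sha256_img.hexdigest()),
        "started": started.isoformat(),
        "finished": finished.isoformat(),
    }
    with open(log_path, "w", encoding="utf-8") as log:
        for key, value in result.items():
            log.write(f"{key}: {value}\n")
    return result


def demo():
    """Run the acquisition against a constructed 3 MiB pseudo-device (a
    repeating 0x00..0xFF pattern, not real disk content) inside a temporary
    directory, and return the log record together with the hash expected
    for that constructed content."""
    device_bytes = bytes(range(256)) * (3 * 4096)  # exactly 3 MiB, constructed
    with tempfile.TemporaryDirectory() as workdir:
        device = os.path.join(workdir, "pseudo_device.bin")
        image = os.path.join(workdir, "evidence.dd")
        logfile = os.path.join(workdir, "evidence.log")
        with open(device, "wb") as f:
            f.write(device_bytes)
        result = acquire_raw_image(device, image, logfile)
        result["expected_sha256"] = hashlib.sha256(device_bytes).hexdigest()
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

One point the example makes visible: the source hash in the log is the hash of the bytes as they were read at that moment. On a live system the disk keeps changing underneath the imager, so a second pass over the device may not reproduce that hash; verification therefore compares the image against the stream that was captured, and the timestamps in the log are what tie the digest to a point in time. This is also why the volatile data is captured before the disk.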