FTK Imager can collect forensically sound copies of hard drives and analyze those images.
What this tool can accomplish
- Dumping RAM
- Taking forensically sound disk images
- Exporting files from those images
- Generating MD5 and SHA1 hashes
- Providing read-only views of the images
How to Dump RAM in FTK Imager
- File > Capture Memory
- Enter location
- (Optional) Create AD1 file (this is the signature file type for FTK)
- Click Capture Memory
Hard Drive Imaging
- Click File
- Create Disk Image
- Select your drive
- This now prompts for evidence info (great for chain of custody)
- Assign output destination
- Set image fragment size to 0. This means the image won't be split into smaller segments
- Click Finish
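
An independent re-check of the MD5 and SHA1 hashes mentioned above, as an added example (not part of the original notes and not FTK Imager's own code). It assumes the image was saved in raw (dd) format and that a split image's segments are named `name.001`, `name.002`, and so on; it goes slightly beyond the steps above by also handling an image that was split into fragments.

```python
import hashlib
import re
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read 1 MiB at a time so a large image never sits in RAM
SEGMENT_SUFFIX = re.compile(r"\.\d{3,}")  # assumed raw-segment naming: .001, .002, ...


def find_segments(first_segment):
    """Return the image's segments in numeric order, refusing gaps."""
    first = Path(first_segment)
    if not SEGMENT_SUFFIX.fullmatch(first.suffix):
        return [first]  # single file with an ordinary extension (fragment size 0)
    segments = sorted(
        (p for p in first.parent.iterdir()
         if p.stem == first.stem and SEGMENT_SUFFIX.fullmatch(p.suffix)),
        key=lambda p: int(p.suffix[1:]))
    numbers = [int(p.suffix[1:]) for p in segments]
    if numbers != list(range(1, len(numbers) + 1)):
        raise FileNotFoundError(f"segment numbers {numbers} have a gap; image incomplete")
    return segments


def hash_image(first_segment):
    """Stream every segment once, feeding MD5 and SHA1 in the same pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for segment in find_segments(first_segment):
        with open(segment, "rb") as fh:
            while chunk := fh.read(CHUNK):
                md5.update(chunk)
                sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(first_segment, recorded_md5, recorded_sha1):
    """True only if both recomputed hashes equal the values recorded at acquisition."""
    md5, sha1 = hash_image(first_segment)
    return (md5, sha1) == (recorded_md5.strip().lower(), recorded_sha1.strip().lower())


if __name__ == "__main__":
    # Constructed sample: a two-segment "image" written to a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "disk.001").write_bytes(b"A" * 4096)
        Path(tmp, "disk.002").write_bytes(b"B" * 1024)
        md5, sha1 = hash_image(Path(tmp, "disk.001"))
        print("MD5 ", md5)
        print("SHA1", sha1)
        print("match:", verify_image(Path(tmp, "disk.001"), md5, sha1))
```

Container formats such as E01 store the acquisition hash inside the file, so hashing the container itself will not reproduce it; this check applies to raw images only.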