You teach in a way that makes it easier to understand. Thank you for sharing what you know with us.
Thanks a lot.
You should also show how to read the data dump file.
There are many ways to read the data, depending on what you are trying to do. Check out this video on using Volatility to analyze the dump: ruclips.net/video/Cs0Gc3GtfZY/видео.html
Thank you for your great video. I have a question: what is the difference between .mem and .raw memory files? Can I obtain the .raw memory file from FTK Imager?
Very useful video, thank you sir.
Why, when I dump the memory from FTK, does my PC crash?
Thanks for an amazing tutorial, it really helped me with my project. Keep going!
Very clear tutorial, thank you.
Thank you, this helps a lot with my computer security course homework.
thanks!
Simon Wu
Is it for college??? What major???
I want to extract the "mem" file, can you help?
Can I access file type e01 with FTK?
I get an error that says "Couldn't start driver"
You said we should not switch off the computer and collect the data in the memory unless we have special equipment, ruclips.net/video/1OxR4KLj-4I/видео.html . Is it possible to do that? What I know is that if you switch it off, there will be zero chance to get the data that was in the memory. Could you explain to me what you meant?
Random Access Memory does lose a charge quickly once the computer has been powered off, but it is not instant in most cases. If you switch off the computer, turn it back on *immediately*, and load a very small acquisition program, you may be able to recover some data. The longer the system is off, the less data will be available, and the more fragmentation/corruption you will get. I've seen studies say up to 10 minutes, but you get major data degradation way before that. Check out this paper on cold boot attacks: citp.princeton.edu/research/memory/
Please tell me the FTK full installation.