Access Data's FTK Imager is a Windows software platform that performs a variety of imaging tasks, including acquiring the running memory of a system. The software can be downloaded at https://accessdata.com/product-download. Let's take a look at this platform:

1. Once downloaded, install the executable in the Tools partition of the USB drive.
2. Open the FTK Imager folder and run the executable as administrator. (FTK Imager requires the use of drivers and, as a result, requires administrator privileges.) The following window will appear:

3. Click on File and then on Capture Memory. This opens the following window:

4. Browse to the Evidence partition of the USB drive attached to the system and provide a name for the capture file. This name should be a unique identifier such as Laptop1 or Evidence Item 1. Also, check the Include Pagefile checkbox. There might not be any information of evidentiary value within the pagefile, but it may become important later on during the investigation (the pagefile will be discussed later on, in  Chapter 9, Analyzing System Storage).
5. Finally, there is the option to create an AD1 file, that is, Access Data's proprietary file format. This file is for the analysis of this image using the FTK analysis program. For the purposes of this book, the standard output is sufficient for the analysis that will be performed.
6. Once the configuration details have been set, click on Capture Memory and the following screen will appear:

After running this, FTK Imager will indicate whether the memory capture was successful or not:

Examining the evidence partition reveals the two files, as shown in the following screenshot: