Thanks for posing the question. Unfortunately, this is not a simple yes
or no answer. However, we will take this opportunity to share some
thoughts on what we believe to be the most important factors to consider
when choosing an acquisition tool.
First of all, what is your use case? If you're only interested in
dumping memory from a single device in your private malware analysis
lab, then you have a significantly different set of requirements than
consultants, law enforcement, federal agents, and IR teams.
In the prior case, you may be OK if a tool crashes your box or generates
garbage every now and then - you can just repeat the test later. In a
professional capacity, that is never acceptable. Thus, reliability and
robustness are our highest priority when selecting a tool.
It has been a while since we thoroughly evaluated FTK specifically, but
in general, we have spent a lot of time trying to troubleshoot
open-source, freeware, and commercial tools from various vendors over the
last 16 years while supporting Volatility users. If a tool has developed
a poor track record and bad reputation regarding stability over the past
decade, it *probably* still has issues.
We mainly attribute acquisition problems to one or more of the following:
* Lack of testing and support for operating system versions
* Inability to handle large RAM sizes
* Conflicts with other software/applications
* Lack of testing for hardware connected to the system (peripherals, etc)
* Lack of testing for features enabled on the OS (i.e., virtual secure
memory)
* Developers who lost interest in supporting their tools or treated them
like hobby projects
As a result, a tool may work fine on one system or on a couple of lab
systems but it will start having a lot of issues when you try to use
it at scale with real systems in environments that you don't control.
Other factors to consider include:
* Tools that require graphical user interfaces or that bundle large
libraries (i.e., aff4) end up bloated and are more likely to overwrite
valuable memory artifacts.
* Tools with flexible output options are useful in more scenarios than
those that just write back to local disk or removable media like USB or
firewire.
* We tend to prefer tools that collect more than just RAM. Instead of
running multiple different tools, a single tool that gathers RAM,
files/disks, OS APIs, and auxiliary information to help expedite memory
analysis is a huge advantage.
In 2016, we got tired of troubleshooting other people's tools and their
lack of support, so the Volatility team built our own commercial
solution, Surge Collect Pro. Given the number and types of
investigations we typically work on, we needed a tool we could actually
rely on and that had dedicated development/support teams for Windows,
Linux, and macOS. TLDR - it checks all of the boxes above. If you are
looking for a commercially supported option, you should definitely check
it out. We haven't looked back!
Finally, contrary to what other individuals may try to persuade, the
*format* of a memory sample is less important. If a tool is not stable
or lacks other required features, the format is irrelevant. Furthermore,
Volatility supports raw dumps, crash dumps, hibernation files, virtual
machine snapshots *and* provides the ability to easily convert between
them. As long as the data is being collected, Volatility will find it
and make use of it!
We hope this helps!
MHL
On 1/26/23 12:54 PM, wd s via Vol-users wrote:
> Is it still true FTK Imager does not get a complete capture? I remember
> it was a problem for years. Some of my colleagues promote using it.
>
> _______________________________________________
> Vol-users mailing list -- vol-users(a)lists.volatilityfoundation.org
> To unsubscribe send an email to vol-users-leave(a)lists.volatilityfoundation.org
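The question that opened the thread is whether a given tool's capture is complete. Whichever acquisition tool is used, the cheapest check an examiner can run is a post-acquisition sanity pass over the image. The script below is an added example in Python, not code from this thread, from Volatility or from Surge Collect Pro: it hashes a flat raw image for chain of custody, compares its size against the physical RAM size the examiner supplies (an assumed input taken from the tool's log or the machine's hardware inventory), and reports the fraction of all-zero pages. The 4 KiB page size, the flat layout (page i at offset i * PAGE_SIZE) and the 50% zero-page threshold are assumptions; memory holes and device-reserved ranges legitimately read as zero, so a high ratio is a prompt to look closer, not proof that the tool failed.

```python
"""Triage checks for a freshly acquired flat raw memory image.

Added example (not from the Vol-users thread, Volatility or Surge Collect Pro).
Assumptions: flat raw layout, 4 KiB pages, and the caller knows the physical
RAM size the image is supposed to cover.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, Iterator, List

PAGE_SIZE = 4096  # assumption: 4 KiB pages, typical for x86-64


@dataclass(frozen=True)
class DumpReport:
    size_bytes: int
    expected_bytes: int
    sha256: str
    zero_pages: int
    total_pages: int

    @property
    def size_matches(self) -> bool:
        return self.size_bytes == self.expected_bytes

    @property
    def zero_page_ratio(self) -> float:
        return self.zero_pages / self.total_pages if self.total_pages else 0.0

    def findings(self, max_zero_ratio: float = 0.5) -> List[str]:
        """Human-readable issues worth a second look before analysis starts."""
        out = []
        if self.size_bytes < self.expected_bytes:
            out.append(f"image is {self.expected_bytes - self.size_bytes} bytes "
                       f"short of the expected RAM size (truncated capture?)")
        elif self.size_bytes > self.expected_bytes:
            out.append(f"image is {self.size_bytes - self.expected_bytes} bytes "
                       f"larger than the expected RAM size (check the expected value)")
        if self.size_bytes % PAGE_SIZE:
            out.append("image size is not page aligned")
        if self.zero_page_ratio > max_zero_ratio:
            out.append(f"{self.zero_page_ratio:.0%} of pages are all-zero "
                       f"(memory holes are normal, but this is high)")
        return out


def split_pages(data: bytes) -> Iterator[bytes]:
    """Yield page-sized slices of an in-memory image (last slice may be short)."""
    for off in range(0, len(data), PAGE_SIZE):
        yield data[off:off + PAGE_SIZE]


def pages_from_file(path: str) -> Iterator[bytes]:
    """Stream a large on-disk image one page at a time instead of loading it."""
    with open(path, "rb") as fh:
        while True:
            page = fh.read(PAGE_SIZE)
            if not page:
                return
            yield page


def inspect_dump(pages: Iterable[bytes], expected_bytes: int) -> DumpReport:
    """Single pass over the image: SHA-256, total size and all-zero page count."""
    digest = hashlib.sha256()
    size = zero = total = 0
    for page in pages:
        digest.update(page)
        size += len(page)
        total += 1
        if page.count(0) == len(page):  # every byte is 0x00 (works for a short tail too)
            zero += 1
    return DumpReport(size, expected_bytes, digest.hexdigest(), zero, total)


def build_sample_dump(nonzero_pages: int = 12, zero_pages: int = 4) -> bytes:
    """Constructed sample image: deterministic non-zero pages followed by zero pages."""
    filler = bytes(range(256)) * (PAGE_SIZE // 256)
    return filler * nonzero_pages + bytes(PAGE_SIZE) * zero_pages


if __name__ == "__main__":
    sample = build_sample_dump()
    report = inspect_dump(split_pages(sample), expected_bytes=16 * PAGE_SIZE)
    print(f"sha256={report.sha256} size_ok={report.size_matches} "
          f"zero_ratio={report.zero_page_ratio:.2f}")
    for issue in report.findings():
        print("finding:", issue)
```

For a real image, replace `split_pages(sample)` with `pages_from_file("/path/to/image.raw")` and pass the RAM size the acquisition tool logged; record the printed SHA-256 alongside the image before it is handed to Volatility or any other analysis tool.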