# Windows Data Acquisition Guide

**Methods:** 19 | **Generated:** 2026-03-07

---

## Physical Acquisition

### FTK Imager Full Disk Image

Create a forensic bit-for-bit image of an entire physical disk using FTK Imager (AccessData, now Exterro). Produces E01 or raw (dd) images and hashes the data as it is read, so the image can be verified against the acquisition hash afterwards.

**Tools:** FTK Imager

**Prerequisites:**
- Hardware write blocker for dead-box (powered-off) acquisitions; a live system imaging its own disk cannot be write-blocked, so document that the image is live
- Destination drive with sufficient free space (plan for >= source size + 10% even though E01 compression usually needs less)
- FTK Imager installed on the examiner workstation, on forensic boot media, or on removable media for live use

**Steps:**
1. Either boot the target from forensic boot media, or remove the drive and connect it to the examiner workstation through a hardware write blocker. If the system cannot be taken down, run FTK Imager from removable media on the live system and record that the image is live (the OS keeps writing while you read).
2. Launch FTK Imager and select File > Create Disk Image.
3. Choose "Physical Drive" as the source and select the target disk.
4. Select the output format (E01 recommended for compression and metadata).
5. Configure segment size, compression, and case metadata fields.
6. Choose the destination path on a sanitized evidence drive.
7. Start the imaging process and wait for completion.
8. Leave "Verify images after they are created" enabled so FTK Imager re-reads the finished image and compares its hash with the hash computed during acquisition; record both in the case notes. The acquisition hash covers the imaged data, not the .E01 segment files on disk, so a plain file hash of the segments will not match it.

**Pros:** Free tool widely accepted in legal proceedings | Supports E01, SMART, AFF, and raw (dd) formats | Built-in MD5 and SHA-1 hash verification | Can image both physical drives and logical volumes
**Cons:** The GUI build is not scriptable; a separate command-line build (ftkimager, for Windows, Linux and macOS) exists but is less widely distributed | Slower than multi-threaded imagers on very large drives | Does not support remote acquisition natively
**Notes:** FTK Imager can also capture memory and create AD1 logical images. For BitLocker-encrypted volumes, image the raw disk and decrypt later with the recovery key; collect the recovery key while the system is still up (for example with manage-bde -protectors -get C:), or take a logical image of the unlocked volume in addition to the raw disk.

### EnCase Forensic Full Disk Image

Acquire a forensically sound disk image using OpenText EnCase. Creates Ex01 evidence files with case metadata, hash verification, and chain of custody tracking.

**Tools:** EnCase Forensic

**Prerequisites:**
- Valid EnCase Forensic license
- Hardware write blocker
- Sufficient destination storage

**Steps:**
1. Connect the target drive through a hardware write blocker.
2. Launch EnCase and create a new case with proper metadata.
3. Add the physical device as an evidence source.
4. Configure acquisition settings (compression, segment size, hash algorithm).
5. Start the acquisition and monitor progress.
6. Verify acquisition hash upon completion.
7. Add evidence file to the case and document in chain of custody.

**Pros:** Industry standard with extensive court acceptance history | Integrated case management and chain of custody | Supports parallel hash computation during acquisition | Can acquire across network via EnCase servlet
**Cons:** Expensive commercial license required | Steeper learning curve than FTK Imager | Proprietary Ex01 format requires EnCase or compatible tools to read
**Notes:** EnCase Endpoint Security/Investigator can perform remote acquisitions across the enterprise when agents are deployed.

### dd / dc3dd Raw Disk Image

Use dd (via a Windows port or from a Linux forensic distro) or dc3dd to create a raw bit-for-bit disk image. dc3dd adds built-in hashing, progress reporting, logging and sane handling of read errors over plain dd.

**Tools:** dd (Windows port), dc3dd

**Prerequisites:**
- Hardware write blocker
- dd or dc3dd binary available on examiner workstation
- Destination storage >= source disk size

**Steps:**
1. Connect the target drive via hardware write blocker.
2. Identify the device path (e.g., \\.\PhysicalDrive1 on Windows, /dev/sdb on a Linux boot disk) and confirm it against the drive's size and serial before imaging; imaging the wrong disk is the most common operator error with raw tools.
3. Run: dc3dd if=\\.\PhysicalDrive1 hof=evidence.dd hash=sha256 log=acquisition.log (hof= writes the output file and hashes it as well, so the log carries both the input-stream and the output-file digest; ofs=evidence.000 ofsz=2G splits the output into numbered segments instead).
4. Wait for the imaging process to complete; dc3dd prints progress and logs any bad sectors it replaced with zeros.
5. Compare the input digest recorded in the log with the output digest and with an independently computed sha256sum of the image file (or of the segments concatenated in order).

**Pros:** Free and open-source | Raw format compatible with virtually all forensic tools | dc3dd adds hashing, logging, and error handling over standard dd
**Cons:** No compression -- output file equals source disk size | Command-line only, higher risk of operator error | No built-in metadata or case information in output
**Notes:** Prefer dc3dd (or dcfldd) over plain dd for forensic work. If plain dd is all that is available, use conv=noerror,sync so a read error neither aborts the copy nor shifts later data out of alignment. If E01 output is preferred, run ewfacquire directly against the device, or pipe dd output into ewfacquirestream.
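The verification in step 5, as an added Python example (not from the guide or the dc3dd project): it pulls the digest dc3dd writes under "input results" out of the log, recomputes SHA-256 over the image (segments in order if ofs= was used) and reports whether the two agree. The log text and the 16 KiB "disk" are constructed inline; the log layout follows dc3dd 7.x as the regex assumes it, so check the pattern against a real log from your own build.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Matches the digest lines dc3dd 7.x writes under "input results" / "output results",
# e.g. "   3a7bd3...  (sha256)". Assumed layout; confirm against your own dc3dd log.
HASH_LINE = re.compile(r"^\s*([0-9a-fA-F]{32,128})\s+\((md5|sha1|sha256|sha512)\)\s*$")

# Constructed dc3dd-style log used by demo(); only the digest is filled in at run time.
CONSTRUCTED_LOG = """dc3dd 7.2.646 started at 2026-03-07 10:15:02 +0000
command line: dc3dd if=/dev/sdb ofs=evidence.000 ofsz=8K hash=sha256 log=acquisition.log
device size: 32 sectors (probed),  16,384 bytes
sector size: 512 bytes (probed)
input results for device `/dev/sdb':
   32 sectors in
   0 bad sectors replaced by zeros
   {digest} (sha256)
output results for files `evidence.000':
   32 sectors out
dc3dd completed at 2026-03-07 10:15:03 +0000
"""


def parse_dc3dd_log(log_text):
    """Return {'input': {algo: digest}, 'output': {algo: digest}} from a dc3dd log.

    Digests after 'input results for ...' are of the data read from the source;
    digests after 'output results for ...' only appear when hof= was used.
    """
    hashes = {"input": {}, "output": {}}
    section = None
    for line in log_text.splitlines():
        lower = line.lower()
        if lower.startswith("input results for"):
            section = "input"
        elif lower.startswith("output results for"):
            section = "output"
        m = HASH_LINE.match(line)
        if m and section:
            hashes[section][m.group(2).lower()] = m.group(1).lower()
    return hashes


def hash_segments(paths, algo="sha256", chunk=1 << 20):
    """Hash the concatenation of image segments in the given order (a single file for of=)."""
    h = hashlib.new(algo)
    for p in paths:
        with open(p, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
    return h.hexdigest()


def verify_image(segments, log_text, algo="sha256"):
    """Compare an independent recomputation with the input digest dc3dd logged."""
    logged = parse_dc3dd_log(log_text)["input"].get(algo)
    computed = hash_segments(segments, algo)
    return {"algorithm": algo, "logged": logged, "computed": computed,
            "verified": logged is not None and logged == computed}


def demo():
    """Constructed run: a two-segment image that verifies, then a copy with one flipped byte."""
    data = bytes(range(256)) * 64  # 16 KiB of constructed 'disk' content, 32 sectors
    with tempfile.TemporaryDirectory() as tmp:
        segs = [Path(tmp) / "evidence.000", Path(tmp) / "evidence.001"]
        segs[0].write_bytes(data[:8192])
        segs[1].write_bytes(data[8192:])
        log = CONSTRUCTED_LOG.format(digest=hashlib.sha256(data).hexdigest())
        good = verify_image(segs, log)["verified"]
        # One corrupted byte in the second segment, e.g. from a bad copy to the evidence share.
        segs[1].write_bytes(bytes([data[8192] ^ 0xFF]) + data[8193:])
        bad = verify_image(segs, log)["verified"]
    return good, bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Run it against a real acquisition by passing the segment paths in numeric order and the contents of acquisition.log; a mismatch means the image on the evidence drive is not what dc3dd read from the source, and the acquisition must be repeated or the transfer investigated before any analysis starts.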

### Guymager Full Disk Image

Open-source forensic imaging tool with a graphical interface. Supports E01, AFF, and raw formats with multi-threaded compression and hash verification.

**Tools:** Guymager

**Prerequisites:**
- Linux-based forensic workstation or boot media
- Hardware write blocker
- Sufficient destination storage

**Steps:**
1. Boot the forensic workstation with a Linux-based forensic distro (CAINE, SIFT, Paladin).
2. Connect the Windows target drive via write blocker.
3. Launch Guymager and identify the target device.
4. Right-click the device and select "Acquire image".
5. Configure format (EWF/E01 recommended), case metadata, hash algorithms, and destination.
6. Start acquisition and monitor progress.
7. Verify hashes upon completion.

**Pros:** Free and open-source with GUI interface | Multi-threaded -- significantly faster than single-threaded tools | Supports MD5, SHA-1, and SHA-256 simultaneously | Included in most forensic Linux distributions
**Cons:** Linux-only -- requires booting from forensic distro or separate workstation | Less feature-rich than commercial tools
**Notes:** Guymager is among the fastest open-source imagers for large drives because it reads, compresses and hashes in parallel threads. Ideal for labs processing high volumes. Its .info log records the device serial, the hashes and any unreadable sectors; keep it with the image.

## Logical Acquisition

### FTK Imager Logical Image (AD1)

Create a logical image of specific files, folders, or volumes using FTK Imager. Produces AD1 format containers with selective content.

**Tools:** FTK Imager

**Prerequisites:**
- FTK Imager installed
- Identification of target files and directories

**Steps:**
1. Launch FTK Imager on the target or examiner system.
2. Either select File > Create Disk Image and choose "Contents of a Folder" as the source, or add the volume via Add Evidence Item > Logical Drive, then right-click the items you need in the evidence tree and choose Export Logical Image (AD1). The second route uses FTK Imager's own file system parser, so locked system files such as registry hives and $MFT can be included.
3. Choose folders or files to include in the logical image.
4. Configure AD1 output format and destination.
5. Start the acquisition.
6. Verify hash upon completion.

**Pros:** Selective collection reduces acquisition time and storage | Useful when full disk imaging is not feasible | AD1 format maintains directory structure and metadata
**Cons:** Does not capture unallocated space or deleted files | AD1 is a proprietary AccessData/Exterro container; other suites need FTK Imager to re-export it | Collections made through the "Contents of a Folder" path go through the Windows API and can miss locked, hidden or ACL-protected files
**Notes:** Logical acquisition is appropriate when time is limited, the scope is narrow, or when legal authority covers only specific data. Always document what was excluded and why.
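Documenting what a logical collection contains and what was left out, as an added Python example (not from the guide or from FTK Imager): it hashes every file under the collection root, records excluded files together with the stated reason, and later re-checks the tree for modified, missing or newly appeared files. The same manifest serves copied VM or cloud evidence files. The directory layout, file contents and exclusion rule are constructed inline.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from fnmatch import fnmatch
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, exclusions=(), examiner="unknown"):
    """Hash every regular file under root; files matching an exclusion glob are
    listed with the stated reason instead of being silently skipped."""
    root = Path(root)
    files, excluded = {}, []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        reason = next((why for pat, why in exclusions if fnmatch(rel, pat)), None)
        if reason:
            excluded.append({"path": rel, "reason": reason})
            continue
        st = p.stat()
        files[rel] = {
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        }
    return {"root": str(root), "examiner": examiner,
            "created_utc": datetime.now(timezone.utc).isoformat(),
            "files": files, "excluded": excluded}


def verify_manifest(root, manifest):
    """Re-hash the tree and report files that changed, vanished or appeared since the manifest."""
    root = Path(root)
    modified, missing = [], []
    for rel, rec in manifest["files"].items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != rec["sha256"]:
            modified.append(rel)
    known = set(manifest["files"]) | {e["path"] for e in manifest["excluded"]}
    unexpected = sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                        if p.is_file() and p.relative_to(root).as_posix() not in known)
    return {"ok": not (modified or missing or unexpected),
            "modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Constructed collection: two in-scope files, one excluded by policy, then post-collection drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Users/alice/Documents").mkdir(parents=True)
        (root / "Users/alice/AppData").mkdir()
        (root / "Users/alice/Documents/report.docx").write_bytes(b"constructed sample document")
        (root / "Users/alice/NTUSER.DAT").write_bytes(b"constructed sample hive")
        (root / "Users/alice/AppData/cache.bin").write_bytes(b"constructed, out of scope")
        exclusions = [("Users/*/AppData/*", "outside the authorised scope: application caches")]
        # Round-trip through JSON, which is how the manifest travels with the evidence.
        manifest = json.loads(json.dumps(build_manifest(root, exclusions, examiner="J. Doe")))
        clean = verify_manifest(root, manifest)
        # Drift after collection: a hive is altered and a new file appears.
        (root / "Users/alice/NTUSER.DAT").write_bytes(b"changed after collection")
        (root / "Users/alice/Documents/new.txt").write_bytes(b"appeared later")
        dirty = verify_manifest(root, manifest)
    return manifest, clean, dirty


if __name__ == "__main__":
    _, clean, dirty = demo()
    print(clean["ok"], dirty["modified"], dirty["unexpected"])
```

Store the manifest outside the collection root and hash the manifest itself; the exclusion reasons are what an opposing expert will ask about, so they belong in the record rather than in the examiner's memory.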

## Memory Acquisition

### WinPmem Memory Capture

Open-source memory acquisition tool, originally from the Rekall project and now maintained by Velocidex (the Velociraptor team). The current winpmem_mini build writes a raw image of physical memory; the older full WinPmem build could also write AFF4.

**Tools:** WinPmem

**Prerequisites:**
- Administrative access to the target system
- Destination storage >= installed RAM size
- WinPmem binary on removable media; write the dump there as well, not to the target's system drive, so unallocated space on the evidence disk is not overwritten

**Steps:**
1. Copy winpmem executable to the target system via USB or network share.
2. Open an elevated Command Prompt or PowerShell.
3. Run: winpmem_mini_x64.exe E:\hostname-memory.raw (E: being the removable evidence drive).
4. Wait for the memory dump to complete.
5. Transfer the dump file to the forensic workstation.
6. Verify that the file size is at least the installed RAM. A raw dump spans the physical address space, so it is normally somewhat larger than installed RAM because of reserved ranges; a dump smaller than RAM is truncated. Hash the dump immediately and record hostname, capture time and tool version.

**Pros:** Free and open-source | Lightweight single executable with no installation | Raw output readable by Volatility and every other framework (AFF4 only in the older full build) | Works on modern Windows versions including Windows 11
**Cons:** Requires administrative privileges and loads a kernel driver, which EDR or driver-control policy may block or flag | Running the tool modifies memory (inevitable for any memory capture) | The driver load itself leaves traces in the event logs; note it in the report
**Notes:** Capture memory as early as possible -- it is the most volatile evidence source. Document the time of capture and running processes before and after.

### DumpIt Memory Capture

DumpIt (originally MoonSols, then Comae, now distributed by Magnet Forensics after its 2022 acquisition of Comae) performs a one-click memory dump by simply running the executable. The classic builds write raw dumps; the Comae and Magnet builds default to Microsoft crash-dump (.dmp) format. Both are readable by all major analysis tools.

**Tools:** DumpIt (Comae)

**Prerequisites:**
- Administrative access to the target
- DumpIt.exe on removable media
- Sufficient storage for the raw memory dump

**Steps:**
1. Copy DumpIt.exe to the target system.
2. Run DumpIt.exe as Administrator.
3. Confirm the memory capture when prompted.
4. Wait for the dump to complete (file created in the same directory).
5. Transfer the dump to the forensic workstation.

**Pros:** Extremely simple -- single click operation | No installation required | Output compatible with Volatility, Rekall, and other frameworks
**Cons:** Feature set depends on the build and licence | Output is at least the size of installed RAM | Requires admin privileges
**Notes:** DumpIt is ideal for non-technical first responders due to its simplicity. Include it in your jump bag USB drives for rapid deployment.

### Magnet RAM Capture

Free memory capture utility from Magnet Forensics. Provides a simple GUI for capturing physical memory from Windows systems.

**Tools:** Magnet RAM Capture

**Prerequisites:**
- Administrative access
- Magnet RAM Capture binary
- Sufficient destination storage

**Steps:**
1. Download and copy Magnet RAM Capture to removable media.
2. Run the tool as Administrator on the target system.
3. Select the output destination path.
4. Click "Capture Memory" and wait for completion.
5. Verify the output file and transfer to forensic workstation.

**Pros:** Free tool from reputable forensic vendor | Simple graphical interface | Small footprint on target system
**Cons:** Windows only | Raw format output only | GUI-driven by default, although the binary accepts switches for unattended capture, which KAPE's MagnetRAMCapture module relies on
**Notes:** Good alternative to DumpIt when a GUI is preferred. Output is compatible with Volatility and all standard memory analysis frameworks.

### Belkasoft RAM Capturer

Free memory capture tool from Belkasoft; the vendor positions it for systems where anti-debugging or anti-dumping protections interfere with other dumpers.

**Tools:** Belkasoft RAM Capturer

**Prerequisites:**
- Administrative access
- Belkasoft RAM Capturer binary

**Steps:**
1. Copy Belkasoft RAM Capturer to the target system.
2. Run the tool with administrative privileges.
3. Select the output directory and start capture.
4. Wait for the memory dump to complete.
5. Transfer the dump file to the analysis workstation.

**Pros:** Free | Vendor-documented handling of systems where other memory dumpers fail | Raw output compatible with all major analysis tools
**Cons:** Windows only | Less widely known than WinPmem or DumpIt
**Notes:** Particularly useful on systems with aggressive anti-cheat or DRM software that interferes with standard memory acquisition tools.

## Triage Acquisition

### KAPE Triage Collection

Kroll Artifact Parser and Extractor (KAPE) rapidly collects and optionally processes forensic artifacts from Windows systems using configurable target and module definitions.

**Tools:** KAPE

**Prerequisites:**
- KAPE binaries and up-to-date target/module definitions
- Administrative access to the target system
- Destination storage for collected artifacts

**Steps:**
1. Deploy KAPE to the target system via USB, network share, or remote execution.
2. Select appropriate target collections (e.g., !SANS_Triage, KapeTriage, or custom targets).
3. Run: kape.exe --tsource C: --tdest E:\output --target !SANS_Triage --vhdx evidence (use --zip instead of --vhdx for a ZIP container; point --tdest at removable or network storage, never at the source volume).
4. Optionally add --msource and --mdest for inline processing with modules.
5. Wait for collection to complete.
6. Transfer the output VHDX or ZIP to the forensic workstation.

**Pros:** Extremely fast targeted collection (minutes vs hours for full disk) | Highly customizable through community-maintained target/module definitions | Copies locked files (hives, $MFT, event logs) through raw disk access | Can collect and process artifacts in a single pass | VHDX output mountable natively in Windows
**Cons:** Requires understanding of which targets to collect | Does not capture unallocated space or full memory | Free for internal and law-enforcement use; using it to deliver services to third parties requires a paid enterprise licence from Kroll
**Notes:** KAPE is the de facto standard for Windows triage collection. Keep target definitions updated via the KapeFiles GitHub repository. The !SANS_Triage compound target covers the most common forensic artifacts, and gkape.exe (the GUI) shows the equivalent command line for any selection so it can be scripted afterwards.

### Velociraptor Offline Collector (Triage)

Create a standalone Velociraptor offline collector executable that captures pre-defined forensic artifacts without requiring a server deployment.

**Tools:** Velociraptor

**Prerequisites:**
- Velociraptor binary for building the collector
- Administrative access on target systems

**Steps:**
1. On the Velociraptor server or standalone binary, go to Server Artifacts > Build Offline Collector.
2. Select the artifact collections to include (e.g., Windows.KapeFiles.Targets).
3. Configure the output format (ZIP, optionally password- or certificate-encrypted) and, if needed, an upload target (S3, GCS, Azure, SMB or SFTP) so results leave the host without a hand-off.
4. Build the collector executable.
5. Deploy and run the collector on target systems.
6. Collect the output ZIP files for analysis.

**Pros:** Free and open-source | Self-contained executable with no installation | Supports encrypted output and direct upload to cloud or file-share targets for secure transport | Leverages the extensive Velociraptor artifact library
**Cons:** Requires Velociraptor to build the collector initially | Output format differs from KAPE -- may require conversion for some tools
**Notes:** The offline collector is perfect for organizations without a full Velociraptor deployment. Build collectors in advance and include them in your IR jump bag.

### CyLR Triage Collection

CyLR is a free, open-source tool that rapidly collects forensic artifacts from Windows, macOS, and Linux systems with minimal footprint.

**Tools:** CyLR

**Prerequisites:**
- CyLR binary
- Administrative access on target system

**Steps:**
1. Download the CyLR binary for the target platform.
2. Run CyLR on the target system with administrative privileges.
3. CyLR automatically collects common forensic artifacts based on built-in definitions.
4. Output is written as a ZIP file to the specified destination.
5. Transfer the ZIP to the forensic workstation for analysis.

**Pros:** Free and open-source | Cross-platform support | Minimal configuration needed -- works out of the box | Supports SFTP upload for remote collection
**Cons:** Less configurable than KAPE | Smaller artifact coverage than specialized tools | Less active development compared to KAPE or Velociraptor
**Notes:** CyLR is a solid choice for quick triage when KAPE is not available. Its SFTP upload feature is useful for remote incident response scenarios.
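A completeness check to run on the triage archive before leaving the host, covering both the KAPE (--zip) and CyLR procedures above. It is an added Python example, not code from KAPE, CyLR or the guide. It assumes the archive keeps original paths under the drive letter, which both tools do (separators are normalised here), and the expected-artifact patterns are a starting point to extend per target set; the archive in demo() is constructed in memory.

```python
import io
import re
import zipfile

# Artifact classes a basic Windows triage should contain; extend per target set.
EXPECTED = {
    "MFT": r"^[A-Z]/\$MFT$",
    "SYSTEM hive": r"^[A-Z]/Windows/System32/config/SYSTEM$",
    "SOFTWARE hive": r"^[A-Z]/Windows/System32/config/SOFTWARE$",
    "Security log": r"^[A-Z]/Windows/System32/winevt/Logs/Security\.evtx$",
    "user hive": r"^[A-Z]/Users/[^/]+/NTUSER\.DAT$",
    "prefetch": r"^[A-Z]/Windows/Prefetch/.+\.pf$",
}


def normalise(name):
    """Map 'C:\\Windows\\...', 'C\\Windows\\...' or 'C/Windows/...' to 'C/Windows/...'."""
    name = name.replace("\\", "/")
    return re.sub(r"^([A-Za-z]):?/", lambda m: m.group(1).upper() + "/", name)


def inventory(zip_bytes):
    """List (normalised path, size) for every file entry in the archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(normalise(i.filename), i.file_size) for i in zf.infolist() if not i.is_dir()]


def check_triage(zip_bytes, expected=EXPECTED):
    """Report which expected artifact classes are absent and which entries are zero bytes."""
    entries = inventory(zip_bytes)
    names = [n for n, _ in entries]
    found = {label: [n for n in names if re.match(pat, n, re.IGNORECASE)]
             for label, pat in expected.items()}
    missing = [label for label, hits in found.items() if not hits]
    # Zero-length copies of files that are never empty (hives, $MFT, evtx) mean the copy
    # failed (locked file, read error) and the item should be re-collected before leaving.
    empty = [n for n, size in entries if size == 0]
    return {"entries": len(names), "found": found, "missing": missing,
            "empty_files": empty, "ok": not missing and not empty}


def demo():
    """Constructed archive: one artifact class absent, one evtx copied as zero bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("C\\$MFT", b"constructed")
        zf.writestr("C\\Windows\\System32\\config\\SYSTEM", b"constructed")
        zf.writestr("C\\Windows\\System32\\config\\SOFTWARE", b"constructed")
        zf.writestr("C\\Windows\\System32\\winevt\\Logs\\Security.evtx", b"")  # failed copy
        zf.writestr("C\\Users\\alice\\NTUSER.DAT", b"constructed")
        # No Prefetch entries at all, as on a server SKU with prefetching disabled.
    return check_triage(buf.getvalue())


if __name__ == "__main__":
    result = demo()
    print(result["ok"], result["missing"], result["empty_files"])
```

A missing class is not always a collection failure (prefetch is off on many server SKUs), so the check is a prompt to confirm why before the responder leaves, not an automatic retry; zero-byte hives or logs, on the other hand, should always be re-collected.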

## Remote Acquisition

### Velociraptor Remote Collection

Use Velociraptor server with deployed agents to remotely collect forensic artifacts, run VQL queries, and perform live response across the enterprise.

**Tools:** Velociraptor

**Prerequisites:**
- Velociraptor server deployed and accessible
- Agents installed on target endpoints
- Network connectivity between agents and server

**Steps:**
1. Ensure Velociraptor agents are deployed to target endpoints.
2. Access the Velociraptor web console.
3. Navigate to the target client and launch artifact collections.
4. Select desired artifacts (file collection, registry, event logs, etc.).
5. Monitor collection progress and download results.
6. For large-scale hunts, use the Hunt Manager to collect across multiple endpoints.

**Pros:** Free and open-source with enterprise-scale capabilities | Powerful VQL query language for custom collections | Real-time endpoint visibility and live response | Supports concurrent collection from thousands of endpoints
**Cons:** Requires pre-deployed agent infrastructure | Server setup and maintenance overhead | Steep learning curve for VQL
**Notes:** Velociraptor is the leading open-source remote forensics platform. It complements EDR for artifact collection and threat hunting and can stand in for commercial tooling in that role, but it does not provide EDR's prevention and continuous telemetry.

### AXIOM Cyber Remote Acquisition

Magnet AXIOM Cyber enables remote acquisition of Windows endpoints over the network, including targeted file collection, memory capture, and volatile data.

**Tools:** Magnet AXIOM Cyber

**Prerequisites:**
- AXIOM Cyber license
- Administrative credentials for target systems
- Network access to target endpoints

**Steps:**
1. Launch AXIOM Cyber and create a new case.
2. Select remote computer acquisition and enter target hostname or IP.
3. Choose acquisition scope: full disk, targeted files, memory, or volatile data.
4. Deploy the AXIOM agent to the target (admin credentials required).
5. Monitor acquisition progress through the AXIOM interface.
6. Process acquired evidence with AXIOM Examine.

**Pros:** Comprehensive remote acquisition capabilities | Integrated processing and analysis in AXIOM Examine | Supports memory capture remotely | Easy-to-use interface for less technical responders
**Cons:** Expensive commercial license | Requires network connectivity and admin credentials | Agent deployment may trigger security alerts
**Notes:** AXIOM Cyber is well-suited for organizations with Magnet Forensics tooling already in place. Its strength is combining acquisition and analysis in a single workflow.

### GRR Rapid Response Remote Collection

Google Rapid Response (GRR) is an open-source framework for remote live forensics. Agents deployed to endpoints allow analysts to collect artifacts and perform live analysis remotely.

**Tools:** GRR Rapid Response

**Prerequisites:**
- GRR server infrastructure deployed
- Agents installed on endpoints
- Network connectivity

**Steps:**
1. Deploy GRR agents to target endpoints.
2. Access the GRR web interface.
3. Search for and select the target client.
4. Launch collection flows (file finder, registry, artifact collector).
5. Monitor flow progress and review results.
6. Download collected artifacts for offline analysis.

**Pros:** Free and open-source (Google) | Scales to large enterprise environments | Extensive built-in artifact collection flows | Web-based interface for collaborative investigations
**Cons:** Complex server infrastructure setup | Requires pre-deployed agents | Less actively maintained than Velociraptor
**Notes:** GRR was a pioneer in remote forensics. While Velociraptor has overtaken it in many areas, GRR remains a viable option for organizations already running it.

## VM Acquisition

### VMware VM Acquisition

Acquire virtual machine disk files (VMDK) and memory snapshots from VMware ESXi or vSphere environments for forensic analysis.

**Tools:** vSphere Client, ESXi CLI, SCP/SFTP

**Prerequisites:**
- vSphere administrative access
- SSH access to ESXi host or vCenter API access
- Sufficient storage for VM disk and memory files

**Steps:**
1. Identify the target VM in vSphere inventory.
2. Create a snapshot of the VM with the "Snapshot the virtual machine's memory" option selected; from the ESXi shell this is vim-cmd vmsvc/snapshot.create <vmid> <name> <description> 1 0, where the 1 includes memory and vim-cmd vmsvc/getallvms lists the vmids. The VM is briefly stunned while memory is written.
3. SSH to the ESXi host (enable the SSH service on the host if needed) and change to the VM's directory under /vmfs/volumes/.
4. Copy the descriptor .vmdk and its -flat.vmdk data file for each disk, plus the snapshot files (.vmsn and .vmem), to forensic storage. After the snapshot, guest writes go to the new -000001.vmdk delta, so the base disk is frozen at snapshot time; if older snapshots already exist, copy the whole chain.
5. Alternatively, export the VM as OVF/OVA from vSphere; this requires the VM to be powered off and does not include memory.
6. Hash every copied file on the host and again after transfer, and keep both sets of hashes.
7. Mount VMDK files in forensic tools for analysis.

**Pros:** Leaves the guest untouched -- the hypervisor takes the snapshot and no agent runs inside the VM | VMDK files directly mountable in forensic tools (FTK Imager, Arsenal Image Mounter) | Memory snapshot (.vmem, with its .vmsn descriptor) analyzable with Volatility | No write blocker needed -- hypervisor provides isolation
**Cons:** Snapshot creation requires vSphere admin privileges | A memory snapshot briefly stuns the VM and writes snapshot and delta files to the production datastore | Large VMDK files require significant transfer bandwidth | Thick-provisioned disks consume full allocated space during export
**Notes:** Always include memory in the snapshot for a complete acquisition; Volatility 3 reads the .vmem alongside the .vmsn. Suspend (not power off) the VM if you need to preserve volatile state without a snapshot; suspension writes a .vmss and .vmem pair instead. Delete the forensic snapshot only after the evidence is verified, and record that the snapshot and its delta disk existed on the datastore.

### Hyper-V VM Acquisition

Acquire virtual machine disk files (VHDX) and saved state from Microsoft Hyper-V environments for forensic analysis.

**Tools:** Hyper-V Manager, PowerShell

**Prerequisites:**
- Hyper-V administrative access
- PowerShell remoting or direct access to the Hyper-V host
- Sufficient storage for VM exports

**Steps:**
1. Identify the target VM in Hyper-V Manager.
2. Create a standard checkpoint, not a production checkpoint: production checkpoints (the default on Windows Server 2016 and later) quiesce the guest through VSS and do not save memory. Run Set-VM -Name <vm> -CheckpointType Standard, then Checkpoint-VM -Name <vm> -SnapshotName Forensic.
3. Locate the VHDX files in the VM storage path.
4. For memory capture without a checkpoint, save the VM state with Save-VM; on Windows Server 2016 and later the memory lands in a .VMRS file next to the .VMCX configuration (older hosts used a .bin/.vsv pair).
5. Copy VHDX and state files to forensic storage.
6. Alternatively, export the VM with Export-VM -Name <vm> -Path <dest>, which packages configuration, disks, checkpoints and saved state in one folder.
7. Verify hashes of all copied files (Get-FileHash -Algorithm SHA256 on the host and again after transfer).

**Pros:** VHDX natively mountable in Windows without third-party tools | Checkpoint captures point-in-time state non-destructively | PowerShell automation for scripted acquisition
**Cons:** Saved state is not a raw memory dump and needs conversion before Volatility can read it | Differencing disks (.avhdx) from checkpoints must be merged or mounted as a chain | Requires Hyper-V admin privileges
**Notes:** Use Export-VM for a self-contained copy. vm2dmp converts only the legacy .bin/.vsv saved-state pair used before Windows Server 2016; .VMRS files from newer hosts need a converter that understands that format, or capture memory from inside the guest with WinPmem or DumpIt instead.

## Cloud Acquisition

### AWS EC2 Instance Snapshot

Create an EBS volume snapshot of a Windows EC2 instance for forensic acquisition. The snapshot captures the full disk state at a point in time.

**Tools:** AWS CLI, AWS Console

**Prerequisites:**
- AWS IAM permissions for EC2 and EBS snapshot operations
- AWS CLI configured or Console access
- Forensic analysis instance or account in the same region (EBS snapshots are regional; use copy-snapshot to move one elsewhere)

**Steps:**
1. Identify the target EC2 instance and its attached EBS volumes.
2. Create snapshots of all attached volumes, for example aws ec2 create-snapshot --volume-id vol-xxx --description "Forensic acquisition", or snapshot every volume of the instance at once with aws ec2 create-snapshots --instance-specification InstanceId=i-xxx so the volumes are consistent with each other.
3. Tag the snapshots with case metadata.
4. Optionally, create an AMI from the instance for a complete machine image.
5. Share the snapshot with the forensic AWS account (modify-snapshot-attribute with a createVolumePermission for that account). Snapshots encrypted with the AWS-managed default key cannot be shared: copy them first with a customer-managed KMS key and grant the forensic account access to that key.
6. In the forensic account, create a volume from the snapshot and attach to an analysis instance.
7. Attach the volume and mount it read-only; AWS does not write-protect it for you, so on a Windows analysis host set the disk read-only in diskpart before bringing it online, and on Linux mount with -o ro.

**Pros:** Non-intrusive -- does not affect the running instance | Snapshots are incremental and storage-efficient | Can be shared across AWS accounts for secure analysis | No physical access required
**Cons:** Does not capture volatile memory (requires a separate memory dump from within the instance) | A snapshot of a running instance is crash-consistent only | AWS API access and IAM permissions required
**Notes:** For memory acquisition of cloud instances, deploy a memory capture tool (WinPmem, DumpIt) via SSM Run Command or remote access before snapshotting, and do it before isolating the instance, since SSM needs outbound access to its endpoints. Then isolate the instance by moving it to a security group with no inbound or outbound rules, enable termination protection, and detach it from any Auto Scaling group so a scaling action cannot terminate it mid-acquisition.

### Azure VM Disk Snapshot

Create a managed disk snapshot of an Azure Windows VM for forensic acquisition using the Azure portal or CLI.

**Tools:** Azure CLI, Azure Portal

**Prerequisites:**
- Azure Contributor or custom role with disk snapshot permissions
- Azure CLI or Portal access
- Forensic analysis VM in the same region (snapshots are regional; incremental snapshots can be copied to another region if the analysis environment lives there)

**Steps:**
1. Identify the target VM and its managed disks in the Azure portal.
2. Create a snapshot: az snapshot create -g ResourceGroup -n forensic-snap --source /subscriptions/.../disks/osDisk
3. Tag the snapshot with investigation metadata.
4. Create a new managed disk from the snapshot.
5. Attach the disk to a forensic analysis VM as a data disk.
6. Mount the disk read-only on the forensic VM.
7. Perform analysis using standard forensic tools.

**Pros:** Non-intrusive snapshot of running VM disks | Can be copied to a separate subscription for isolation | Azure RBAC controls access to forensic evidence
**Cons:** Does not capture volatile memory | Snapshot is crash-consistent if VM is running (not application-consistent) | Requires appropriate Azure RBAC permissions
**Notes:** For application-consistent snapshots, use Azure Backup or stop (deallocate) the VM first, accepting that deallocation also loses memory. Capture memory with a tool deployed via Azure Run Command before taking the disk snapshot, then isolate the VM with an NSG that denies all traffic and apply a delete lock to the resource group so automation cannot remove the evidence.

---
*Generated by DFIR Assist*