Captures volatile memory (RAM) from a live system for analysis of running processes, network connections, and malware artifacts.
Captures only active files visible to the operating system's file system structure. ftk imager 3.4.0.1