Posted by: Dan O'Connor
Forensics dd mdd
What does that mean?
Creating an image that is going to have all of the information that you are going to need and persevering as much of that information as possible.
First capture a snap shot of the memory of the target, there is a lot of tools out there to do this. I prefer mdd. If you can do that, that is great you can use tools like the volatility frame work to do your analisys. ( https://www.volatilesystems.com/default/volatility )
Once you have the memory take an image of the target disk, pull the power if you can or do the old hold the power button down for 3 seconds. Why? We want to capture everything possible, doing a shutdown will let what ever is on there clean up.
Use a tool like dd to capture the disk image, you want to make sure what ever you use will capture the slack space on the disk. Just incase something is hiding in there.