To obtain protected files on a live machine using FTK Imager, which evidence item should be added?

Prepare for your FTK AccessData Certified Examiner (ACE) Test. Use flashcards and multiple-choice questions with explanations. Get ready for your certification exam!

Obtaining protected files on a live machine using FTK Imager requires access to the currently booted drive, as this allows for the acquisition of data that is actively in use by the operating system. When you add the currently booted drive as an evidence item, FTK Imager can capture files that may be protected or locked since the tool can interact directly with the file system and memory of the live operating system.

This approach is particularly useful for accessing files that cannot be easily copied or recovered from external sources or static images, which might not have real-time access to locks or permissions enforced by the operating system. Thus, targeting the currently booted drive facilitates the retrieval of files that would otherwise remain inaccessible while the system is operational.

Other options, such as external hard drives, bootable media, or network storage, do not directly target the live operating system's processes and privileges in the same way the currently booted drive does. External hard drives may contain data but cannot capture the live environment or locked files actively in use. Bootable media is mainly used for starting the system rather than accessing its live data. Network storage would require special configurations that may not apply in all scenarios where immediate access is needed.
