Forensic Data Acquisition
Data acquisition - acquiring data for forensic analysis
In computer forensics, data acquisition is the process of collecting digital evidence from electronic media: hard drives, solid state drives (SSD), memory cards (SD, CF), and mobile devices (iPhone, iPad, Android phones and tablets, BlackBerry phones).
Static acquisition
Static acquisition is performed while the media is disconnected from the host (i.e. the computer is not running). This method uses special forensic tools for sector-by-sector media cloning. An MD5 or SHA-1 hash is produced to validate the forensic image.
Live acquisition
Live acquisition is the task of acquiring data while the system is running. It is used more commonly due to data encryption. Most of the time, you have only one chance to create reliable forensic evidence with data acquisition tools. Live acquisitions are performed on suspect computers that cannot be turned off for static acquisition. In this case, data is collected either remotely over the network or from the local computer while it is still operating. Live acquisitions are dynamic, as sectors are continually being altered by the operating system.
RAID server acquisition
Acquiring RAID disks is a task that requires special tools and techniques. Not every tool is able to read a forensically copied RAID image, so it is important to use a proper acquisition tool for RAID acquisitions.
Proper forensic acquisitions must be validated with MD5 or SHA-1 hashing functions.
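The validation step described above, as an added example that is not part of the original page: the source is copied block by block while MD5 and SHA-1 are computed over the bytes read, then the finished image is re-read and compared against the recorded hashes. The function names and the constructed sample media file are assumptions for illustration.

```python
import hashlib
import os
import tempfile

BLOCK = 64 * 1024  # 128 sectors of 512 bytes per read


def acquire(source_path, image_path, block=BLOCK):
    """Copy source to image block by block, hashing the bytes as they are read."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while chunk := src.read(block):
            md5.update(chunk)
            sha1.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is on disk before verifying
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_image(image_path, block=BLOCK):
    """Re-read a finished image from disk and hash it independently."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(image_path, "rb") as img:
        while chunk := img.read(block):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def demo():
    """Acquire constructed sample media, verify it, then show a changed byte is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        source, image = os.path.join(tmp, "media.bin"), os.path.join(tmp, "media.dd")
        with open(source, "wb") as f:  # constructed stand-in for a disk, about 1 MiB
            f.write(bytes(range(256)) * 4096 + b"partial last block")
        recorded = acquire(source, image)
        intact = hash_image(image) == recorded
        with open(image, "r+b") as f:  # simulate one altered byte in the image
            f.seek(1000)
            original = f.read(1)
            f.seek(1000)
            f.write(bytes([original[0] ^ 0xFF]))
        altered_detected = hash_image(image) != recorded
        return recorded, intact, altered_detected


if __name__ == "__main__":
    print(demo())
```

Recording the hashes at acquisition time and re-checking them later is what lets the image be shown to be unchanged; on a live system the source itself keeps changing, so only the image can be re-verified this way.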