regardless of the operating system, every file has a specific structure to arrange its components, those components are file name, size, signature, contents, etc. the file structure is universal and the same for any operating system.


metadata, in general, is defined as Data describing other data. file metadata is the data that describes the file itself and is used by the OS application to make an opening, recognition, and processing that the file easier.

metadata is found in a different location, but as a starting point, the three locations you need to start looking for metadata when analyzing a file…

Data Acquisition

Data Acquisition means is the process of taking an image from a suspect’s machine.

Type of Data Acquisition:

  • Static Acquisition = gathering non-volatile data, for example, gathering data from disk, USB, cd/DVD.
  • Dynamic Acquisition = gathering volatile data, for example, gathering data from memory.

important to note: imaging isn’t copying

  • imaging means take a mirroring the device’s entire storage on a file.
  • copying means take a mirroring only the useful data from the source device.

Dead Acquisition

Dead Acquisition refers to the attempt to acquire data from the suspect’s machine without the operating system. Reason: the suspect’s OS cannot be trusted.

Storage Format


Hossein Kamali

I have been in the IT industry from a young age, and have been dedicated to security since 2015. My personal skill-set lies in Security detection system.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store