What is Data Acquisition in Digital Forensics

Data Acquisition

Data Acquisition is the process of taking an image of a suspect’s machine.

Types of Data Acquisition:

  • Static Acquisition = gathering non-volatile data, for example data from a disk, a USB drive, or a CD/DVD.

Important to note: imaging isn’t copying.

  • Imaging means mirroring the device’s entire storage into a file.

Dead Acquisition

Dead Acquisition refers to acquiring data from the suspect’s machine without using its operating system. Reason: the suspect’s OS cannot be trusted.

Storage Format

There are many disk image formats:

  • RAW: the simplest format in which to save an image. Popular tools are dd for Linux and RAWWrite studio for Windows:

    dd if=[src] of=[dst]    # if = input file (the source device), of = output file (the image)

  • EnCase Forensic Evidence File (EWF/EVF)

Besides the RAW format, there are dedicated forensic image formats such as AFF. AFF is open and extensible and unencumbered by patents and trade secrets. Its open-source implementation is distributed under a license that allows its code to be freely integrated into other open-source and proprietary programs. With AFF we can store more than one terabyte of data from imaged hard drives using less than 200 GB of storage.

AFF features:

  • Ability to store disk images with or without compression.

Acquisition Methods

  • Disk-to-Image File (imaging): Forensic investigators commonly use this data acquisition method. It is a flexible method, which allows the creation of one or more copies, or bit-for-bit replications, of the suspect drive. ProDiscover, EnCase, FTK, The Sleuth Kit, X-Ways Forensics, ILook Investigator, etc. are popular tools used to read disk-to-image files.
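The following script is an added example (not code from the original post) of the disk-to-image method with the dd command shown above: it hashes the source, copies it bit-for-bit into a RAW image, records the source hash next to the image, and re-hashes the image to confirm the copy is identical. The "suspect disk" is a constructed 1 MiB file so the script runs offline; on a real case SRC would be the block device, read through a write blocker. The function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: raw (dd) disk-to-image
# acquisition with SHA-256 verification of the image against the source.
set -eu

# SHA-256 of a file: sha256sum on Linux, shasum on BSD/macOS.
sha256_of() { (sha256sum "$1" 2>/dev/null || shasum -a 256 "$1") | cut -d' ' -f1; }

# acquire_raw_image SRC DST [BS]
# Hashes SRC, copies it bit-for-bit to DST with dd, stores the source hash in
# DST.sha256, and returns 0 only if the image hashes identically to the source.
# conv=noerror,sync keeps dd going past unreadable blocks and zero-fills them;
# because sync also pads a short final block, BS must divide the source size
# (true for a whole block device when BS is a multiple of the sector size).
acquire_raw_image() {
    src=$1; dst=$2; bs=${3:-512}
    src_hash=$(sha256_of "$src")
    dd if="$src" of="$dst" bs="$bs" conv=noerror,sync 2>/dev/null
    printf '%s  %s\n' "$src_hash" "$dst" > "$dst.sha256"
    verify_image "$dst"
}

# verify_image IMG: recompute the image hash and compare it with IMG.sha256.
verify_image() {
    expected=$(cut -d' ' -f1 "$1.sha256")
    actual=$(sha256_of "$1")
    if [ "$actual" = "$expected" ]; then
        echo "OK $1 sha256=$actual"
    else
        echo "MISMATCH $1 expected=$expected actual=$actual"
        return 1
    fi
}

# Constructed sample "device": 65536 x 16 hex characters = 1 MiB exactly,
# i.e. 2048 sectors of 512 bytes, so any power-of-two block size divides it.
WORK=$(mktemp -d)
SRC="$WORK/suspect-disk.bin"
IMG="$WORK/suspect-disk.raw"
awk 'BEGIN { for (i = 0; i < 65536; i++) printf "%016x", i }' > "$SRC"

# Acquire with a 4 KiB block size; prints "OK ... sha256=<hash>" on success.
acquire_raw_image "$SRC" "$IMG" 4096
```

The hash is taken before dd touches the source and again on the finished image; keeping the source hash in a sidecar file is what lets a later reviewer re-run verify_image and show the image has not changed since acquisition.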

An investigator must consider the following when determining the data acquisition method:

  1. The size of the source disk.

In any case, there is no single method that works every time. Different cases have different circumstances, and different circumstances call for different methods.

Live Data Acquisition

Live data acquisition means collecting data while the machine is running. It is used when the investigator needs volatile data, which resides in RAM or cache. There are two types of volatile data:

  1. System Information: a generic term that describes basic information about the machine: the system profile (details about configuration), login activity, current system date and time, command history, current system uptime, running processes, open files, startup files, clipboard data, logged-on users, and DLLs or shared libraries.
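As an added example (not code from the original post), the script below collects several of the system-information items listed above from the running host: current date and time, uptime, system profile, logged-on users, running processes and open files. Each result is written to its own file in a timestamped evidence directory and hashed into a manifest, so alteration of the collected files after the fact can be detected. Commands absent on the host are recorded as missing rather than silently skipped. The ordering (time and uptime first, open files last) follows the usual order-of-volatility principle, which the post does not discuss; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: live acquisition of
# volatile system information into a hashed evidence directory.
set -eu

# SHA-256 of a file: sha256sum on Linux, shasum on BSD/macOS.
sha256_of() { (sha256sum "$1" 2>/dev/null || shasum -a 256 "$1") | cut -d' ' -f1; }

# run_and_record NAME CMD [ARGS...]: run CMD, save its output (stderr included,
# partial output kept if it fails) to OUTDIR/NAME.txt and append the file's
# hash to the manifest. A missing command is noted in the file instead.
run_and_record() {
    name=$1; shift
    out="$OUTDIR/$name.txt"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$out" 2>&1 || true
    else
        echo "command not available on this host: $1" > "$out"
    fi
    printf '%s  %s\n' "$(sha256_of "$out")" "$out" >> "$OUTDIR/manifest.sha256"
}

# collect_volatile OUTDIR: capture the items most likely to change first.
collect_volatile() {
    OUTDIR=$1
    mkdir -p "$OUTDIR"
    : > "$OUTDIR/manifest.sha256"
    run_and_record 01_datetime   date -u        # current system date and time
    run_and_record 02_uptime     uptime         # current system uptime
    run_and_record 03_system     uname -a       # system profile
    run_and_record 04_collector  id             # who ran the collection
    run_and_record 05_users      who            # logged-on users
    run_and_record 06_processes  ps -ef         # running processes
    run_and_record 07_open_files lsof -nP       # open files
    echo "collected $(grep -c . "$OUTDIR/manifest.sha256") artifacts into $OUTDIR"
}

# verify_manifest OUTDIR: recompute every hash; return 1 on the first change.
verify_manifest() {
    while read -r expected path; do
        [ "$(sha256_of "$path")" = "$expected" ] || { echo "ALTERED: $path"; return 1; }
    done < "$1/manifest.sha256"
    echo "manifest verified: $1"
}

EVIDENCE_DIR="$(mktemp -d)/volatile-$(date -u +%Y%m%dT%H%M%SZ)"
collect_volatile "$EVIDENCE_DIR"
verify_manifest "$EVIDENCE_DIR"
```

Running the collector from removable media with known-good binaries, rather than relying on the host's own tools, is the live-acquisition counterpart of the "the suspect's OS cannot be trusted" point made for dead acquisition; the manifest then documents exactly what was captured and when.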

Forensics Tools

The following is a list of forensics tools:

  • Access Data FTK Imager: FTK Imager is one of the best-known tools in the forensics world. The tool allows the investigator to acquire various types of storage device and store them in different formats for analysis. It is extremely important to remember to use write blocking when acquiring an image from a hard disk, so that the acquisition does not destroy or alter important data on the disk.

For a curated list of awesome free (mostly open-source) forensic analysis tools and resources, visit https://github.com/cugu/awesome-forensics.

I have been in the IT industry from a young age, and have been dedicated to security since 2015. My personal skill-set lies in security detection systems.