Data acquisition is the process of copying data. For computer forensics, it’s the task of collecting digital evidence from electronic media. There are two types of data acquisition: static acquisitions and live acquisitions.
Static Acquisitions: if you have preserved the original media, making a second static acquisition should produce the same results. The data on the original disk is not altered, no matter how many times an acquisition is done. Your goal when acquiring data for a static acquisition is to preserve the digital evidence. Many times, you have only one chance to create a reliable copy of disk evidence with a data acquisition tool.
Live acquisition: The future of data acquisitions is shifting toward live acquisitions because of the use of disk encryption with newer operating systems (OSs). In addition to encryption concerns, collecting any data that’s active in a suspect’s computer RAM is becoming more important to digital investigations. The processes and data integrity requirements for static and live acquisitions are the same. The only shortcoming with live acquisitions is not being able to perform repeatable processes, which are critical for collecting digital evidence.
Although these tools are generally dependable, you should still take steps to make sure you acquire an image that can be verified. In addition, failures can and do occur, so you should learn how to use several acquisition tools and methods.
The data a computer forensics acquisition tool collects is stored as an image file in one of three formats. Two formats are open source and the third is proprietary. Each vendor has unique features, so several different proprietary formats are available. Depending on the proprietary format, many computer forensics analysis tools can read other vendors’ formatted acquisitions.
There was only one practical way of copying data for the purpose of evidence preservation and examination. Examiners performed a bit-by-bit copy from one disk to another disk the same size or larger. As a practical way to preserve digital evidence, vendors (and some OS utilities, such as the Linux/UNIX dd command) made it possible to write bit-stream data to files. This copy technique creates simple sequential flat files of a suspect drive or data set. The output of these flat files is referred to as a raw format. This format has unique advantages and disadvantages to consider when selecting an acquisition format.
The advantages of the raw format are fast data transfers and the capability to ignore minor data read errors on the source drive. In addition, most computer forensics tools can read the raw format, making it a universal acquisition format for most tools. One disadvantage of the raw format is that it requires as much storage space as the original disk or data set. Another disadvantage is that some raw format tools, typically freeware versions, might not collect marginal (bad) sectors on the...