Data acquisition is a process of imaging or collecting information, using established methods, from various media according to certain standards for their forensic value. This information can then be analyzed to gain insight into a crime or incident. With the progress of technology, the process of data acquisition is becoming increasingly accurate, simple, and versatile. However, investigators need to ensure that the acquisition methodology used is forensically sound. Specifically, the acquisition methodology adopted must be verifiable and repeatable. This enhances the admissibility of the acquired data or evidence in a court of law.

A fundamental factor to consider in the acquisition of forensic data is time. While data in some sources, such as hard drives, remain unaltered and can be collected even after the system is shut down, data in other sources, such as RAM, are highly volatile and dynamic and must therefore be collected in real time. From this perspective, data acquisition can be categorized as either live data acquisition or dead data acquisition.

In live data acquisition, data is acquired from a computer that is already powered on (either locked or in sleep mode). This enables the collection of volatile data that are fragile and lost when the system loses power or is switched off. Such data reside in registries, caches, and RAM. Further, volatile data such as that in RAM are dynamic and change rapidly, and therefore must be collected in real time.

In dead or static data acquisition, nonvolatile data that remain unaltered in the system even after shutdown are collected. Investigators can recover such data from hard drives as well as from slack space, swap files, and unallocated drive space. Other sources of non-volatile data include CD-ROMs, USB thumb drives, smartphones, and PDAs. We next delve into further details of these two categories of data acquisition along with the sources of data that they capture.

Live data acquisition involves the collection of volatile data from devices when they are live or powered on. Volatile information, as present in the contents of RAM, cache, DLLs, etc., is dynamic and is likely to be lost if the device to be investigated is turned off. It must therefore be acquired in real time. Examination of volatile information assists in determining the logical timeline of a security incident and the users that are likely to be responsible for it. Live acquisition can then be followed by static/dead acquisition, where the investigator shuts down the suspect machine, removes the hard disk, and then acquires its forensic image.
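The requirement that an acquisition be verifiable and repeatable is usually met by hashing: the imaging tool hashes the bytes as it reads them, hashes the finished image independently, and the two values must match; repeating the procedure on the same unaltered source must give the same hash, and any later change to the image (or to the source, if a write blocker was not used) shows up as a mismatch. The following Python script is an added example written for this post, not code from the original page or from any forensic tool; it simulates the dead/static imaging step on a constructed sample "disk" (an ordinary file, labelled as such in the code). On Linux the same functions can read a block device such as /dev/sdb opened read-only behind a write blocker, which is an assumption about the investigator's setup rather than something the post states.

```python
"""Added example: forensic imaging with built-in hash verification.

Simulates the dead/static acquisition step on a constructed sample disk
(a plain file). Not part of the original post and not any tool's code.
"""
import hashlib
import os
import tempfile
import time

BLOCK_SIZE = 4096  # read granularity; a multiple of the 512/4096-byte sector size


def hash_file(path, block_size=BLOCK_SIZE):
    """SHA-256 of a file read in fixed-size blocks (suitable for multi-GB images)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source_path, image_path, block_size=BLOCK_SIZE):
    """Copy source to image block by block, hashing the bytes as they are read.

    Returns an acquisition record holding the hash computed during the read
    ("acquisition hash") and an independent hash of the written image
    ("verification hash"). The image counts as verified only if they match.
    """
    h = hashlib.sha256()
    nbytes = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            h.update(chunk)
            dst.write(chunk)
            nbytes += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on stable storage before it is re-hashed
    acquisition_hash = h.hexdigest()
    verification_hash = hash_file(image_path, block_size)
    return {
        "source": source_path,
        "image": image_path,
        "bytes": nbytes,
        "sha256_acquisition": acquisition_hash,
        "sha256_verification": verification_hash,
        "verified": acquisition_hash == verification_hash,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }


def verify_image(image_path, expected_sha256):
    """Re-hash an image later (before analysis, or for court) against the recorded hash."""
    return hash_file(image_path) == expected_sha256


def demo():
    """Acquire a constructed sample disk twice, then detect a modified copy."""
    workdir = tempfile.mkdtemp(prefix="acq-demo-")
    disk = os.path.join(workdir, "suspect_disk.raw")
    # Constructed sample data: 1 MiB of deterministic bytes, not real evidence.
    with open(disk, "wb") as f:
        f.write(bytes((i * 131 + 7) & 0xFF for i in range(1024 * 1024)))

    first = acquire_image(disk, os.path.join(workdir, "image1.dd"))
    second = acquire_image(disk, os.path.join(workdir, "image2.dd"))  # repeat the procedure
    repeatable = first["sha256_acquisition"] == second["sha256_acquisition"]

    # Flip one bit in the second image: verification against its recorded hash must fail.
    with open(second["image"], "r+b") as f:
        f.seek(12345)
        original = f.read(1)
        f.seek(12345)
        f.write(bytes([original[0] ^ 0x01]))
    modified_still_verifies = verify_image(second["image"], second["sha256_acquisition"])

    return {
        "first_image": first["image"],
        "first_sha256": first["sha256_acquisition"],
        "first_verified": first["verified"],
        "second_image": second["image"],
        "repeatable": repeatable,
        "modified_still_verifies": modified_still_verifies,
        "bytes": first["bytes"],
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints the acquisition record: the first image verifies, the two acquisitions of the same source agree (the procedure is repeatable), and the image with a single flipped bit no longer matches its recorded hash. In practice the recorded hash, tool name, timestamp and operator go into the chain-of-custody record alongside the image.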