Evidence Acquisition - BenWare-FED/Notes-for-df-analysis GitHub Wiki

First steps

- Identify what you are looking for before you touch anything (which offence, which devices, which kinds of data).

- Place a numbered marker next to each item of evidence.

- Photograph each item in its original location, with its marker, before anything is moved (include the screen if the device is on).

- Collect each item in a suitable container: anti-static bags for drives and boards, Faraday bags for phones and anything else with a radio. Label every container.

- Maintain chain of custody: record who handled each item, when, and why, from seizure until it is returned or destroyed.

FORENSIC ACQUISITION IS A ONE-SHOT ACTION

You normally get one chance. A mistake during acquisition (a write to the original, a reboot, a wrong cable) cannot be undone and may alter or destroy the evidence.

- Keep the device in whatever power state you found it: do not power on a device that is off, and do not shut down a device that is on until its volatile data has been collected.

- Digital evidence is fragile and volatile: it changes simply by the system running, and it can be overwritten or wiped in seconds.

Volatility order

Collect in this order, most volatile first (this is the order given in RFC 3227, Guidelines for Evidence Collection and Archiving):

1. CPU cache and registers

2. ARP cache, routing table, memory, kernel statistics, process table

3. Temporary file systems

4. Disks

5. Monitoring data and remote logging about the computer in question

6. Physical configuration, network topology

7. Archival media
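The following is an added example for these notes, not a script from the original wiki: a small live-response collector that grabs the user-space-reachable items from the top of the volatility order (clock, ARP cache, routing table, memory statistics, kernel state, process table, temp directory listing) in that order, logs when each command ran and how it exited, and hashes each artefact as soon as it is written. It is Linux-only and reads /proc directly so it does not depend on arp, netstat or ps being present on the suspect host; the output directory name is whatever you pass as the first argument. Registers and cache are not reachable from user space, and a full RAM dump needs a kernel-level tool, so neither is attempted here.

```shell
#!/bin/sh
# Added example (not from the original wiki): collect volatile data most-volatile-first,
# recording time and exit status per command and hashing every artefact on write.
# Assumptions: Linux with /proc mounted, GNU coreutils (sha256sum) available.
set -u

collect_volatile() {
    out="$1"
    mkdir -p "$out"
    log="$out/collection.log"
    manifest="$out/manifest.sha256"
    : > "$log"
    : > "$manifest"

    # grab NAME CMD...: run CMD, save its stdout to $out/NAME, note timestamp and exit
    # code in the log, then hash the artefact so later tampering or copy errors show up.
    grab() {
        name="$1"; shift
        ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
        rc=0
        "$@" > "$out/$name" 2>> "$log" || rc=$?
        printf '%s %s rc=%d cmd=%s\n' "$ts" "$name" "$rc" "$*" >> "$log"
        ( cd "$out" && sha256sum "$name" >> "$manifest" )
    }

    # 1. Cache and registers cannot be captured from user space; the closest thing is
    #    to timestamp the start so everything that follows can be related to it.
    grab 00_clock     date -u
    grab 01_uptime    cat /proc/uptime
    # 2. ARP cache, routing table, memory statistics, kernel version, open sockets,
    #    process table, all read straight from /proc.
    grab 02_arp       cat /proc/net/arp
    grab 03_route     cat /proc/net/route
    grab 04_meminfo   cat /proc/meminfo
    grab 05_kernel    cat /proc/version
    grab 06_sockets   cat /proc/net/tcp
    grab 07_processes sh -c 'for p in /proc/[0-9]*; do
        printf "%s %s\n" "${p#/proc/}" "$(tr "\0" " " < "$p/cmdline" 2>/dev/null)"; done'
    # 3. Temporary files: list them now; contents can be copied in a later pass.
    grab 08_tmp       ls -la /tmp
    # 4 and below (disks, remote logs, archival media) are acquired separately, not here.
    # Finally hash the log itself so the record of what was run is also protected.
    ( cd "$out" && sha256sum collection.log >> "$manifest" )
    printf '%s\n' "$manifest"
}
```

Run it as the first thing on a live host, writing to removable media rather than the suspect disk, e.g. collect_volatile /mnt/usb/case01/host01. Everything it touches (the output directory, the tool's own process) is itself a change to the system, which is why the log records exactly what ran and when.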

Copy vs. Image

Copy: the contents of a file as the file system presents them. A plain copy does not carry the file system's own records about the file (timestamps, ownership, MFT or inode entries), and it cannot include slack space or deleted data.

Image: a bit-for-bit capture of the whole medium. Gets every file, slack space, swap/page files and unallocated space, so deleted data can still be recovered.

Clones are not images. A clone writes the sectors onto another drive; an image writes them into a file (raw/dd, E01, etc.) that can be hashed, stored read-only and analysed with forensic tools.

Tips:

Get two images: one is sealed as the best evidence, the other is the working copy you actually analyse.

Use two different tools to get the images, then hash the source and both images and confirm all three hashes match, so a bug in one tool cannot silently corrupt your only copy.

Methods

Physical image: the entire drive, every sector from first to last. Most common, and the only kind that captures unallocated space.

Logical image: only selected volume(s), folders or files as the operating system presents them. Doesn't get deleted data or unallocated space. Useful when a warrant restricts the search area.

Live acquisition / online acquisition: imaging a device while it is powered on. Hard to avoid contamination: every tool you run changes memory and the file system keeps changing underneath you, so log exactly what you ran, in what order, and when.

Static acquisition / dead acquisition: the device is powered off. Remove the drive and attach it through a write blocker, or boot the machine from a live forensic OS that mounts nothing read-write. Either way, confirm the source really is write-protected before reading it (on Linux, blockdev --setro /dev/sdX forces a device read-only and blockdev --getro /dev/sdX prints 1 when it is).

Local acquisition: you have physical access to the device.

Remote acquisition: requires network tools to create the connection for evidence acquisition (for example dd piped over ssh or netcat to the examiner's collection host). The network becomes one more thing that can corrupt the copy, so hash at both ends.
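The following is an added example for these notes, not a script from the original wiki. It puts the two tips above (two images, two tools, hashes that must agree) and the static-acquisition method into one procedure: the source is normally a block device sitting behind a write blocker (the /dev/sdb in the usage line is an assumed name), the second argument is the evidence directory, and the third is the examiner's name for the chain-of-custody record. dd is the first tool; dc3dd is used as the second when it is installed, otherwise a plain cat gives an independent read path.

```shell
#!/bin/sh
# Added example (not from the original wiki): image a source twice with two tools,
# hash source and both images, and record the acquisition as verified only when all
# three SHA-256 values agree. Assumes GNU coreutils; dc3dd is optional.
set -u

stamp() { date -u +%Y-%m-%dT%H:%M:%SZ; }

acquire_twice() {
    src="$1"; dest="$2"; examiner="${3:-unknown}"
    mkdir -p "$dest"
    coc="$dest/chain_of_custody.txt"
    printf '%s acquisition start examiner=%s source=%s\n' \
        "$(stamp)" "$examiner" "$src" >> "$coc"

    # Hash the source once, up front, so both images can be checked against it.
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)

    # Tool 1: dd. conv=noerror keeps going past unreadable sectors and conv=sync pads
    # each short read to bs with zeros so later offsets stay correct. bs must therefore
    # equal the sector size: a larger bs would zero-pad the final block and change the
    # hash and the image length. dd's own summary (records in/out) goes to dd.log.
    dd if="$src" of="$dest/image1.dd" bs=512 conv=noerror,sync 2>> "$dest/dd.log"

    # Tool 2: dc3dd when available (it logs its own hash and bad-sector list),
    # otherwise cat, a second independent read path so a bug in one tool is caught.
    if command -v dc3dd > /dev/null 2>&1; then
        dc3dd if="$src" of="$dest/image2.dd" hash=sha256 log="$dest/dc3dd.log" \
            2>> "$dest/dc3dd.stderr"
    else
        cat "$src" > "$dest/image2.dd"
    fi

    h1=$(sha256sum < "$dest/image1.dd" | cut -d' ' -f1)
    h2=$(sha256sum < "$dest/image2.dd" | cut -d' ' -f1)
    printf 'sha256 source=%s\nsha256 image1.dd=%s\nsha256 image2.dd=%s\n' \
        "$src_hash" "$h1" "$h2" >> "$coc"

    if [ "$src_hash" = "$h1" ] && [ "$h1" = "$h2" ]; then
        printf '%s verified: source and both images match\n' "$(stamp)" >> "$coc"
        return 0
    fi
    printf '%s MISMATCH: do not rely on these images\n' "$(stamp)" >> "$coc"
    return 1
}

# Typical use (assumed device name, behind a write blocker):
#   acquire_twice /dev/sdb /mnt/evidence/case01/drive1 "J. Examiner"
```

One caveat the script cannot fix: on failing media the source hash is itself a third read, and a sector that fails intermittently will make the hashes disagree even though nothing was done wrong. In that situation rely on the tools' error logs (dd.log, dc3dd.log) to account for each bad sector rather than re-reading the drive until it happens to match.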