Evidence Acquisition
What is Evidence Acquisition?
The defensible collection of digital evidence from systems, networks, and cloud services, using forensically sound tools and procedures.
Evidence acquisition is the formal step in a digital investigation where data is captured from its source for later analysis. Common targets include physical disks, virtual disks, RAM, mobile devices, cloud workloads, and network captures. Acquisitions can be physical (bit-for-bit imaging with FTK Imager, dd, or Guymager), logical (file-level or targeted collection with KAPE or Velociraptor), or live (volatile data such as memory, running processes and network connections, captured with WinPmem, LiME, or Magnet RAM Capture while the system is still running). Practitioners hash both the source and the image at acquisition time and verify that the values match, use hardware write blockers wherever the source allows, analyse verified working copies rather than the original, and document every step (who handled what, when, where, how, and the resulting hash) in a chain of custody so the evidence can later be shown not to have changed. Guidelines in NIST SP 800-86 and ISO/IEC 27037 stress order of volatility (capture the most transient data first: memory and network state before disk) and minimal impact on the source.
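The imaging, hashing and chain-of-custody steps above, scripted in bash as an added example (this is not code from the page or from any of the tools it names). It assumes GNU or BusyBox coreutils (dd, sha256sum, date -u, uname) and a POSIX shell; the function names acquire_image and verify_image are this example's own, and the "disk" it images is a constructed random file standing in for a block device such as /dev/sdb, which on a real case would sit behind a hardware write blocker.

```shell
#!/usr/bin/env bash
# Added example: raw bit-for-bit acquisition with dd, source/image hash verification,
# a chain-of-custody log, and a later re-verification of the image.
# Assumptions: coreutils or BusyBox (dd, sha256sum, date, uname); source is readable.
set -eu

sha256_of() { sha256sum "$1" | awk '{print $1}'; }

# acquire_image SOURCE IMAGE LOG [EXAMINER]
# Images SOURCE into IMAGE sector by sector, hashes both, appends a custody record to
# LOG and prints the image hash. Returns 1 if the source and image hashes differ.
acquire_image() {
  local src="$1" img="$2" log="$3" examiner="${4:-unknown}"
  {
    printf '%s\n' '--- acquisition ---'
    printf 'started_utc=%s\nexaminer=%s\nhost=%s\nsource=%s\nimage=%s\n' \
      "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$examiner" "$(uname -n)" "$src" "$img"
  } >> "$log"

  # bs=512 matches the logical sector size; conv=noerror,sync continues past an
  # unreadable sector and zero-fills it so later offsets still line up with the source.
  # A larger bs would pad the final partial block and break the hash comparison.
  # dd's own record counts go to the log as part of the acquisition record.
  dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"
  # The acquired image is never written to again; analysis happens on copies, and a
  # second dd to the same path will now fail instead of silently overwriting evidence.
  chmod 0444 "$img"

  local src_hash img_hash
  src_hash=$(sha256_of "$src")
  img_hash=$(sha256_of "$img")
  printf 'source_sha256=%s\nimage_sha256=%s\nfinished_utc=%s\n' \
    "$src_hash" "$img_hash" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$log"

  if [ "$src_hash" != "$img_hash" ]; then
    printf 'verification=FAILED\n' >> "$log"
    return 1
  fi
  printf 'verification=OK\n' >> "$log"
  printf '%s\n' "$img_hash"
}

# verify_image IMAGE LOG
# Re-hashes IMAGE and compares it with the last image_sha256 recorded in LOG: the
# check an examiner performs on a working copy before trusting it. Returns 1 on mismatch.
verify_image() {
  local img="$1" log="$2" expected actual
  expected=$(grep '^image_sha256=' "$log" | tail -n 1 | cut -d= -f2)
  actual=$(sha256_of "$img")
  printf 'verified_utc=%s image=%s result=' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$img" >> "$log"
  if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
    printf 'OK\n' >> "$log"
    return 0
  fi
  printf 'MISMATCH expected=%s actual=%s\n' "$expected" "$actual" >> "$log"
  return 1
}

# Demo on a constructed 1 MiB "disk" of random bytes (stand-in for a real device).
WORK=$(mktemp -d)
SOURCE="$WORK/sample_disk.bin"
dd if=/dev/urandom of="$SOURCE" bs=512 count=2048 2>/dev/null
acquire_image "$SOURCE" "$WORK/sample_disk.raw" "$WORK/custody.log" "examiner-1"
verify_image "$WORK/sample_disk.raw" "$WORK/custody.log" && echo "image verified against custody log"
cat "$WORK/custody.log"
```

The two hashes are computed independently from the source and from the image, not copied from one to the other, which is what makes the custody record a check rather than a note. For a real SSD the recorded hash is the reference: the drive's own garbage collection can change its contents even behind a write blocker, so a later re-image of the device is not expected to reproduce it.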
● Examples
- 01
Acquiring a bit-for-bit image of a 1 TB SSD with Guymager through a hardware write blocker, recording the source and image hashes at acquisition time (the blocker stops host writes, but the SSD's own garbage collection can still alter its contents, so a later re-image is not guaranteed to hash identically).
- 02
Pulling Microsoft 365 Unified Audit Log records via the Office 365 Management Activity API or the Microsoft Graph audit log query API to preserve cloud activity before the tenant's retention period expires.
● Frequently asked questions
What is Evidence Acquisition?
The defensible collection of digital evidence from systems, networks, and cloud services, using forensically sound tools and procedures. It belongs to the Forensics & IR category of cybersecurity.
What does Evidence Acquisition mean?
The defensible collection of digital evidence from systems, networks, and cloud services, using forensically sound tools and procedures.
How do you make Evidence Acquisition forensically sound?
Soundness comes from the practices in the definition above: hash the source and the image at acquisition time and confirm they match, image through a hardware write blocker where possible, work only from verified copies, follow the order of volatility (memory and network state before disk), and record every handling step in a chain of custody so the evidence can be shown to be unchanged.
What are other names for Evidence Acquisition?
Common alternative names include: Evidence collection, Forensic acquisition.