Monday, August 31, 2009

Acquisition of Digital Evidence

– Acquiring the data: Acquire the evidence without altering or damaging the original.

• Opt 1 - Perform the analysis on a live system?
  » Utilities have most likely been modified by intruder.
  » Least defensible in court.
• Opt 2 - Examine a forensic copy of the original data.
  » Most defensible in court.
• Opt 3 - Pull the plug.
  » Damage is in progress.
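Option 2 only holds up if the copy can be shown to match the original and the original can be shown to be unchanged by the copy. The script below is an added example, not part of the original post; the function names, the use of SHA-256 via GNU `sha256sum`, and the sample file standing in for the evidence source are all assumptions.

```shell
#!/bin/sh
# Added example: image a source, prove the copy matches, keep the image read-only.
# Assumes GNU coreutils (dd, sha256sum). A file stands in for the evidence device.

sha() { sha256sum < "$1" | cut -d' ' -f1; }

# acquire_image SRC DEST: copy SRC to DEST, print the SHA-256, record it in DEST.sha256.
# Returns 1 if the hashes disagree, 2 on usage or I/O errors.
acquire_image() {
    src=$1; dest=$2
    if [ ! -r "$src" ]; then echo "cannot read $src" >&2; return 2; fi
    if [ -e "$dest" ]; then echo "refusing to overwrite $dest" >&2; return 2; fi
    before=$(sha "$src")                 # hash the original before copying
    dd if="$src" of="$dest" bs=64k 2>/dev/null || return 2
    after=$(sha "$src")                  # the original must be unchanged by the copy
    copy=$(sha "$dest")
    if [ "$before" != "$after" ] || [ "$before" != "$copy" ]; then
        echo "hash mismatch: source=$before/$after image=$copy" >&2
        return 1
    fi
    printf '%s  %s\n' "$copy" "$(basename "$dest")" > "$dest.sha256"
    chmod 0444 "$dest" "$dest.sha256"    # analysis is done on a read-only image
    echo "$copy"
}

# verify_image DEST: re-check the image against its recorded hash before analysis.
verify_image() {
    recorded=$(cut -d' ' -f1 < "$1.sha256")
    [ "$recorded" = "$(sha "$1")" ]
}

# Demo on constructed sample data (not real evidence).
demo() {
    work=$(mktemp -d)
    printf 'constructed sample evidence\n' > "$work/source.bin"
    acquire_image "$work/source.bin" "$work/image.dd" && verify_image "$work/image.dd"
    rc=$?
    rm -rf "$work"
    return $rc
}
demo
```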
