Acquisition

The Week 03 lecture focused on the methodology and approaches for acquiring the systems to be investigated, ranging from covert operations to make copies through to intentionally overt ones. The key takeaway was the importance of following a strict methodology so that the forensic analysis remains valid (for example, following strict chain-of-custody processes, securing the scene, and using tools that prevent accidental modification of the evidence).

One interesting note was the way in which live systems should be dealt with: for a workstation (provided it isn't encrypted), pulling the power is an appropriate solution; the encryption caveat matters because on an encrypted workstation the decryption keys exist only in memory and are lost the moment the power goes. For server machines, however, it is recommended to follow the appropriate shutdown process so that databases or other data sources do not become corrupt (and therefore difficult to recover successfully). The tricky thing is that you need to find out this kind of information before you start the acquisition process. This harks back to what Tim said about gathering as much intel as possible before arriving at the scene (for example, does the company use encryption on its workstations, what kind of servers are they running, and so on).
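To make the "strict methodology" part concrete for the dead-acquisition case (machine already powered off, disk imaged block for block), here is a small script I have added as an example; it is not from the lecture or any tool shown there. It assumes POSIX sh with dd and either sha256sum or shasum, and the examiner name, file names and the constructed 512 KiB file standing in for a device are all made up for the demonstration. The points it shows are the ones from the lecture: hash the source before and after the copy so an accidental write to the evidence is detected, hash the image so you can prove later that it is faithful, and write every run into a custody log.

```sh
#!/bin/sh
# Added example (not from the lecture): a minimal dead-acquisition routine that
# images a source device with dd, hashes the source before and after, hashes the
# image, and appends a chain-of-custody record. Assumes POSIX sh, dd, and
# sha256sum or shasum. File names and the examiner id are constructed.

# Print the SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# acquire_image SOURCE IMAGE LOG EXAMINER
# Copies SOURCE to IMAGE block for block and records the run. Returns 0 only if
# the image hash matches the source hash and the source hash did not change
# during the copy (the second check catches an accidental write to the evidence,
# for example when a write blocker was forgotten).
acquire_image() {
    src=$1; img=$2; log=$3; examiner=$4
    started=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    pre=$(sha256_of "$src")
    # bs=512 divides every block device size, so conv=sync never pads the image;
    # conv=noerror zero-fills unreadable sectors instead of aborting. dd's own
    # record counts and any read errors go into the log as part of the record.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"
    imghash=$(sha256_of "$img")
    post=$(sha256_of "$src")
    finished=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if [ "$pre" = "$post" ] && [ "$pre" = "$imghash" ]; then
        result=VERIFIED
    else
        result=MISMATCH
    fi
    printf 'started=%s finished=%s examiner=%s source=%s image=%s source_sha256_before=%s source_sha256_after=%s image_sha256=%s result=%s\n' \
        "$started" "$finished" "$examiner" "$src" "$img" "$pre" "$post" "$imghash" "$result" >>"$log"
    # Make the image read-only so later analysis tools cannot alter it by accident.
    chmod 0444 "$img"
    [ "$result" = VERIFIED ]
}

# verify_image IMAGE EXPECTED_SHA256
# Re-hash an image before analysis and compare it with the hash in the custody record.
verify_image() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Stand-alone demonstration on a constructed 512 KiB file standing in for a device.
demo_dir=$(mktemp -d)
head -c 524288 /dev/urandom >"$demo_dir/evidence.raw"
if acquire_image "$demo_dir/evidence.raw" "$demo_dir/evidence.dd" "$demo_dir/custody.log" "examiner01"; then
    echo "acquisition verified; custody record:"
    tail -n 1 "$demo_dir/custody.log"
fi
```

On a real job the source would be the device node behind a hardware write blocker, and the log line plus the read-only image are what you hand over with the evidence; if the "before" and "after" hashes of the source ever differ, the acquisition is suspect regardless of how good the image looks.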