Live acquisition
Definition
Forensic data collection performed on a running, powered-on system. It captures volatile data (memory contents, running processes, network connections) and allows imaging of encrypted volumes while the decryption keys are still in memory. Unlike dead-box acquisition of a powered-off device, it carries a small risk of altering the system state, so every action taken on the live system should be logged.
Related terms
- Chain of custody: The documented chronological record of who collected, handled, transferred, and examined a piece of evidence. For digital evidence, chain of custody includes...
- Preservation order: A legal instrument directing a service provider to retain specific data for a defined period pending receipt of a production order or...
- Triage: The structured process of evaluating an alert to determine whether it is a genuine security incident and, if so, what severity level...
- Volatile data: Any digital information that is lost when power is removed or the system state changes. Examples include RAM contents, CPU register values,...
- Write blocker: A hardware or software device interposed between a digital storage medium and the forensic workstation that prevents any write commands from reaching...
Explained in
- Intake, Scoping and Evidence Preservation