Guide to Computer Forensics
and Investigations
Fifth Edition
Chapter 4
Data Acquisition
Acquisition Definitions
Acquisition
• Creating a forensic copy of digital evidence from any media (e.g.,
HDD, SSD, USB, RAM).
Data Acquisition
• The process of capturing an image (bit-for-bit copy) from a digital
device for forensic analysis.
Data Volatility
• The likelihood that data will change or be lost.
It measures how easy it is for data on a medium to be:
– Altered (Modified)
– Destroyed (Deleted or Lost)
Guide to Computer Forensics and Investigations 7th Edition © Cengage Learning 2025 2
Order of Volatility (OOV)
The priority sequence for data collection based on how quickly data is lost or
changed.
Most Volatile → Least Volatile
• CPU Registers: Fastest-changing data
• CPU Cache: Temporary storage for frequently accessed data
• RAM (Random Access Memory) Volatile working memory
• HDD / SSD (Hard Drives): Non-volatile, retains data after power loss.
• External & Secondary Storage Devices: USB drives, SD cards, external HDDs
Why It Matters:
In incident response and digital forensics, collect data in this order to preserve the most volatile and
irreplaceable evidence first.
Figure: CPU registers → CPU cache → RAM → HDD/SSD → external and secondary storage devices
Acquisition Types
1. Live/dynamic acquisition:
– If the computer is powered on and has been logged on.
– Sometimes it is possible to come across volatile data while
conducting a static data acquisition (memory paged from RAM to the drive).
2. Static acquisition (powered off by the investigator):
• Is used when a suspect drive is write-protected and can’t be altered.
• Limitations:
– The computer is readable if it is powered on or accessible only
over a network.
3. Dead acquisition (already powered down when discovered):
• Attempt to acquire data from the suspect’s machine “without” the OS’s
assistance. Done with the help of the machine’s hardware.
• e.g., if the OS is not trusted (e.g., rootkits that manipulate the OS’s behavior).
Storage Formats
• Data in a forensics acquisition tool is stored as
an image file
• Three storage formats
– Raw format: Linux tools dd, dcfldd, dc3dd, FTK
Imager, X-Ways Imager, OSFClone
– Proprietary formats
– Advanced Forensics Format (AFF)
Raw Format
• Makes it possible to write bit-stream data to files
• Advantages
– Fast data transfers
– Most computer forensics tools can read raw format
– Can split an image into smaller segmented files
• Disadvantages
– Requires as much storage as original disk or data
– Tools might not collect marginal (bad) sectors
• RAW format imaging tools neglect small errors on the
source disk
– Create separate validation file.
Proprietary Formats
• Most forensics tools have their own formats
• Features offered
– Option to compress or not compress image files
– Can split an image into smaller segmented files
– Can integrate metadata into the image file (hash value, CRC)
• Disadvantages
– Inability to share an image between different tools
– It might be slower
– File size limitation for each segmented volume
Proprietary Formats
– ILook Investigator: IDIF, IRBF, IEIF
– EnCase: Expert Witness Format (EWF)
– PyFlag: sqzip
– MD-NEXT: MDF
Advanced Forensics Format
• Developed by Dr. Simson L. Garfinkel as an
open-source acquisition format
• Design goals
– Provide compressed or uncompressed image
files
– No size restriction for disk-to-image files
– Provide space in the image file or segmented
files for metadata
– Simple design with extensibility
– Open source for multiple platforms and OSs
Advanced Forensics Format
• File extensions include:
1. .afd for segmented image files (d: data)
2. .afm for AFF metadata (m: metadata)
Data Acquisition Methods
• Data acquisition methods:
1. Creating a disk-to-disk copy (cloning)
– Tools can adjust the target disk’s geometry so that the copied data
matches the original suspect drive
– EnCase, SafeBack, SnapCopy
Data Acquisition Methods
• Data acquisition methods:
2. Creating a disk-to-image file (imaging)
– Most common method
– Can make more than one copy of the suspect drive
– Disk or drive can be “physical or logical”
– Copies are bit-for-bit replications of the original drive
– Many tools can read this created file: ProDiscover, EnCase, FTK,
SMART, Sleuth Kit, iLookIX
Data Acquisition Methods
Figure: physical drive to image; logical drive to image; making a copy of the suspect drive.
Fragmented vs Unallocated vs Slack Space
• Fragmented Data
– Parts of a file stored in non-contiguous sectors
on disk.
– Caused by lack of continuous free space.
– File is still active and accessible.
– Requires reassembly during forensic analysis.
• Unallocated Data
– Space not currently used by any file.
– Typically contains deleted or previously
existing data.
– Not visible through normal OS functions.
– Can be recovered using data carving tools.
• Slack Space
– Unused space within the last cluster of a file.
– Exists when a file is smaller than the allocated
cluster size.
– May contain residual data from previously
deleted files.
– Only visible through physical acquisition
Data Acquisition Types
Physical vs. Logical
• Physical Acquisition
– Refers to the capture of the entire contents of a storage device.
– Includes all sectors: active, deleted, hidden, and unallocated space.
– Provides a bit-by-bit copy of the device, including all data not accessible
through the operating system.
– Commonly used when a full forensic investigation is required.
• Logical Acquisition
– Captures files and directories visible to the operating system.
– Does not include deleted files, hidden data, or data in unallocated space.
– Useful when only specific data is needed and time or access is limited.
– Examples:
• Email investigations (e.g., Outlook .pst or .ost files).
• Extracting specific records from a large RAID server.
• Data collection from a Storage Area Network (SAN).
Data Acquisition Types
Logical vs Sparse
• Logical Acquisition
– Acquires only selected files or directories relevant to the
investigation.
– Faster than physical acquisition.
– Appropriate when time or storage capacity is limited.
• Sparse Acquisition
– A variation of logical acquisition.
– Collects selected files and fragments of unallocated space (e.g.,
partially deleted data).
– Allows investigators to recover some deleted content without imaging
the entire disk.
Physical vs Logical vs Sparse
Feature | Physical Acquisition | Logical Acquisition | Sparse Acquisition
Captures all data (bit-level) | Yes | No | No
Captures selected files only | No | Yes | Yes
Includes deleted/unallocated data | Yes | No | Partial
Requires full disk access | Yes | No | No
Acquisition speed | Slow | Fast | Fast
Use case | Full forensic analysis | Targeted investigation | Targeted + partial recovery
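To make the slack-space and physical-vs-logical distinctions above concrete, here is an added example (not from the textbook): a toy cluster-based disk in which a file is deleted and partly overwritten, so that a logical read of the new file shows nothing of the old one while the physical image still carries its tail in slack and unallocated clusters. The 16-byte cluster, the file names and contents are constructed values.

```python
"""Added example, not from the textbook: a toy cluster-based disk showing what a
logical acquisition returns versus what a physical (bit-level) image holds, i.e.
file slack and unallocated clusters still carrying residue of a deleted file.
The 16-byte cluster, file names and contents are constructed values."""
CLUSTER = 16  # bytes per cluster (constructed; real file systems use e.g. 4096)


def clusters_for(size: int) -> int:
    """Clusters a file of `size` bytes occupies (ceiling division)."""
    return -(-size // CLUSTER)


class ToyDisk:
    """Directory maps name -> (first cluster, byte length); allocation is contiguous."""
    def __init__(self, n_clusters: int):
        self.media = bytearray(CLUSTER * n_clusters)
        self.files = {}
        self.free = list(range(n_clusters))

    def write(self, name: str, data: bytes) -> None:
        n = clusters_for(len(data))
        first, self.free = self.free[0], self.free[n:]
        base = first * CLUSTER
        self.media[base:base + len(data)] = data  # rest of the last cluster is left as-is
        self.files[name] = (first, len(data))

    def delete(self, name: str) -> None:
        first, size = self.files.pop(name)  # only the directory entry disappears
        self.free = sorted(self.free + list(range(first, first + clusters_for(size))))

    def logical_read(self, name: str) -> bytes:
        """What a logical acquisition sees: exactly the file's bytes."""
        first, size = self.files[name]
        return bytes(self.media[first * CLUSTER:first * CLUSTER + size])

    def slack(self, name: str) -> bytes:
        """Unused tail of the file's last cluster, visible only in a physical image."""
        first, size = self.files[name]
        return bytes(self.media[first * CLUSTER + size:(first + clusters_for(size)) * CLUSTER])

    def unallocated(self) -> bytes:
        """Clusters no file owns; a physical image captures them, a logical one does not."""
        return b"".join(bytes(self.media[c * CLUSTER:(c + 1) * CLUSTER]) for c in self.free)


def demo() -> dict:
    """Delete a 40-byte PDF, overwrite its first 20 bytes with a memo, then compare views."""
    disk = ToyDisk(4)
    disk.write("old.pdf", b"%PDF" + b"S" * 31 + b"%%EOF")  # 40 bytes -> clusters 0-2
    disk.delete("old.pdf")
    disk.write("memo.txt", b"M" * 20)                      # 20 bytes -> clusters 0-1
    image = bytes(disk.media)                              # the physical (bit-level) image
    return {"logical": disk.logical_read("memo.txt"), "slack": disk.slack("memo.txt"),
            "unallocated": disk.unallocated(), "eof_offset": image.find(b"%%EOF")}
```

The `%%EOF` footer of the deleted file survives at offset 35 of the physical image and is what a carving tool would key on; the logical read of memo.txt never contains it.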
Determining the Best Acquisition Method
• When making a copy, consider:
– Size of the source disk
– How much time you have to perform the acquisition.
– Make sure that the target disk has enough space.
– You might need to reduce the size of the image:
• Older Microsoft disk compression tools, such as
DoubleSpace or DriveSpace, eliminate only slack disk
space between files.
• Lossless compression might be useful.
Note: determining the best method depends on the circumstances of the investigation.
Contingency Planning for Image Acquisitions
• You should also make contingency plans in case software or hardware
doesn’t work or you encounter a failure during an acquisition.
• Make at least two images of digital evidence
– “Some don’t do that due to time or resources”
– Use different tools or techniques
• Copy host protected area of a disk drive as well
– Consider using a hardware acquisition tool that can access the drive
at the BIOS level
• Be prepared to deal with encrypted drives
– Whole disk encryption feature in Windows called BitLocker makes
static acquisitions more difficult
• “the user’s cooperation in providing the decryption key. ”
What is a Host Protected Area (HPA)?
• HPA: an area of memory on a hard drive that is not
normally visible to the operating system (OS).
• It would not be available for the user to store files on.
– A vendor can store the necessary files to install or
recover the computer’s operating system “Factory Reset”
– diagnostic programs or other utilities.
– Some malware may hide inside the HPA “rootkit”
– Users might hide data.
Ways to Acquire Forensic Data
• There are several ways to acquire data:
– Data acquisition can vary: CLI vs. GUI tools, network acquisition
vs. local collection, FTK Imager Lite (commercial GUI) vs. Linux
open-source utilities, and handling complex RAID data vs.
single-disk imaging, all followed by validation to ensure
integrity.
– Acquiring Data with Linux
– Acquiring Data with FTK Imager Lite
– Acquiring RAID Data
– Remote Network Acquisition
• Validating Data Acquisition
Acquiring Data with Linux
• Acquiring data with dd command in Linux
– dd (“data dump”) command
• Creates raw format file that most forensics tools can read
– Shortcomings of dd command
• Requires more advanced skills than average user
• Does not compress data
– The target drive needs to be equal to or larger than the
suspect drive.
Acquiring Data with Linux
• Acquiring data with dcfldd in Linux
– The dd command is intended as a data management
tool, not designed for forensics acquisitions.
– The dcfldd command works similarly to the dd command
with extra features.
Acquiring Data with Linux
• Acquiring data with dcfldd in Linux (cont’d)
– dcfldd additional functions
• Use several hashing options (MD5, SHA-1, SHA-256, SHA-384, and SHA-512)
• Split data acquisitions into segmented volumes with numeric extensions
(unlike dd’s limit of 99).
• To acquire an entire media device in one image file, you type the following
command at the shell prompt:
– dcfldd if=/dev/sda of=[Link]
– dcfldd if=suspect_file.pdf of=evidence_suspect_file.dd hash=sha256 \
hashlog=hash_suspect_file.txt
• To split the image:
– dcfldd if=/dev/sda split=2M of=usbimg hash=sha256
Acquiring Data with FTK Imager Lite
• Designed for viewing evidence disks and disk-to-image files
• Makes disk-to-image copies of evidence drives
• It can read:
– AccessData .ad1
– Expert Witness (EnCase) .e01
– SMART .s01
– and raw format files.
• Allows you to segment the image
• FTK Imager can image RAM on a live computer.
• Evidence drive must have a hardware write-blocking device
– Or run from a Live CD, such as Mini-WinFE
• FTK Imager can’t acquire a drive’s host protected area
Acquiring RAID Disks
• Redundant array of independent (formerly “inexpensive”) disks
(RAID)
• RAID is a technology that combines multiple physical disk drive
components into one or more logical units for the purposes of
data redundancy and/or performance improvement.
• Acquisition of RAID drives can be challenging and frustrating
• Size is the biggest concern
– Many RAID systems now have terabytes of data
Acquiring RAID Disks
• Address the following concerns
– How much data storage is needed?
– What type of RAID is used?
– Do you have the right acquisition tool?
– Can the tool read a forensically copied RAID
image?
– Can the tool read split data saves of each RAID
disk?
• Copying small RAID systems to one large disk
is possible
Acquiring RAID Disks
• Vendors offering RAID acquisition functions
– Technology Pathways ProDiscover
– Guidance Software EnCase
– X-Ways Forensics
– AccessData FTK
– Runtime Software
– R-Tools Technologies
• Occasionally, a RAID system is too large for a
static acquisition
– Retrieve only the data relevant to the
investigation
Remote Network Acquisition
• You can remotely connect to a suspect
computer via a network connection and copy
data from it
• Drawbacks
– Antivirus, antispyware, and firewall tools can be
configured to ignore remote access programs
– Suspects could easily install their own security
tools that trigger an alarm to notify them of
remote access intrusions
Remote Acquisition with ProDiscover
• PDServer remote agent
– ProDiscover utility for remote access
– Needs to be loaded on the suspect’s computer
Remote Acquisition with ProDiscover
• Remote connection security features
– Password Protection
– Encryption
– Secure Communication Protocol
– Digital Signatures
Remote Acquisition with EnCase Enterprise
• EnCase acquisition features
– Remote data acquisition of a computer’s media
and RAM data
– Integration with intrusion detection system (IDS)
tools
– A wide range of file system formats
– RAID support
Using Other Forensics-Acquisition Tools
• Other commercial acquisition tools
– PassMark Software ImageUSB
– ASRData SMART
– Runtime Software
– ILookIX Investigator IXimager
– SourceForge
Validating Data Acquisitions
• Validating evidence may be the most critical
aspect of computer forensics
• Requires using a hashing algorithm utility
• Validation techniques
– Cyclic Redundancy Check (CRC-32)
– and Secure Hash Algorithm (SHA-512)
Linux Validation Methods
• Validating dd acquired data
– You can use sha256sum or sha512sum utilities
– These utilities should be run on all suspect disks
and volumes or segmented volumes
Linux Validation Methods
• Validating dd acquired data
– Example: We performed a logical acquisition and identified a file of
interest named suspect_file.pdf. Using the dd command, we created a forensic
copy of the file. To ensure data integrity, we calculated the SHA-256 hash of
both the original file and the copied image. The matching hash values
confirmed that the copy is an exact bit-for-bit duplicate, suitable for forensic
analysis.
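The dcfldd split and hash options described earlier and the validation step just described come together in this added example (not from the textbook and not dcfldd’s own code): it splits a raw image into numbered segments, streams them back in order through one SHA-256 digest, keeps a per-segment hash log, and compares against the source so that a damaged segment is both detected and located. The sample "drive" bytes, the usbimg prefix and the 4 KiB segment size are constructed assumptions.

```python
"""Added example, not from the textbook or from dcfldd: validate a raw image that
was split into numbered segments, the state "dcfldd if=/dev/sda split=2M of=usbimg
hash=sha256" leaves behind. The sample "drive" bytes, the usbimg prefix and the
4 KiB segment size are constructed; real work streams /dev/sdX into far larger segments."""
import hashlib
import os
import tempfile


def split_image(image: bytes, directory: str, prefix: str, seg_size: int) -> list:
    """Write prefix.000, prefix.001, ... of seg_size bytes each (the last may be shorter)."""
    paths = []
    for n, off in enumerate(range(0, len(image), seg_size)):
        path = os.path.join(directory, f"{prefix}.{n:03d}")
        with open(path, "wb") as fh:
            fh.write(image[off:off + seg_size])
        paths.append(path)
    return paths


def hash_segments(paths: list, algo: str = "sha256") -> tuple:
    """Stream every segment, in numeric order, through one digest (the whole-image
    hash) and also record a per-segment log like dcfldd's hashlog= file."""
    whole, log = hashlib.new(algo), []
    for path in paths:
        seg = hashlib.new(algo)
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                whole.update(chunk)
                seg.update(chunk)
        log.append((os.path.basename(path), os.path.getsize(path), seg.hexdigest()))
    return whole.hexdigest(), log


def validate(source: bytes, paths: list, algo: str = "sha256") -> dict:
    """The whole-image digest must equal the source digest; when it does not, the
    per-segment log pinpoints which segment no longer matches its source bytes."""
    img_digest, log = hash_segments(paths, algo)
    bad, off = [], 0
    for name, size, digest in log:
        if hashlib.new(algo, source[off:off + size]).hexdigest() != digest:
            bad.append(name)
        off += size
    match = img_digest == hashlib.new(algo, source).hexdigest()
    return {"match": match, "image_hash": img_digest, "bad_segments": bad}


def demo() -> dict:
    """A clean acquisition validates; one flipped byte in usbimg.001 is caught and located."""
    source = bytes(range(256)) * 40                      # constructed 10240-byte "drive"
    paths = split_image(source, tempfile.mkdtemp(), "usbimg", 4096)  # usbimg.000 .. .002
    clean = validate(source, paths)
    with open(paths[1], "r+b") as fh:                    # simulate a damaged segment
        fh.seek(7); byte = fh.read(1); fh.seek(7); fh.write(bytes([byte[0] ^ 0xFF]))
    return {"clean": clean, "damaged": validate(source, paths)}
```

Segments must be hashed in numeric order as one stream; hashing each file separately without the whole-image digest would never reproduce the source hash, which is why both are kept.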
Windows Validation Methods
• Windows has no built-in hashing algorithm tools
for computer forensics
– Third-party utilities can be used
• Commercial computer forensics programs also
have built-in validation features
– Each program has its own validation technique
• Raw format image files don’t contain metadata
– Separate (manual) validation is recommended
for all raw acquisitions