
CSIA200 Digital Forensics

03 Acquisition


Remember that the first step in the Forensics process is to make sure you have permission from the correct group or organization. After receiving proper authorization, the next step is to start acquiring evidence, which you will analyze later. In this section you'll learn about things that you should do in the acquisition phase.

What is Hashing (Video); RamCapturer64.zip; ImagingPractice1.zip; ImagingPractice2.zip; AccessData FTK Imager_3.1.4.exe; SANS Forensics Image File Formats (PDF)
  1. Introduction to Acquisition and Authorization
  2. Static Acquisition
  3. Live Acquisition
  4. Forensics Disk Images
  5. Hashing

Introduction

The items in this section will help you understand the importance of authorization, and the general steps in the acquisition phase of a Forensics investigation.

  1. Introduction to Acquisition and Authorization (Video)
  2. Justia Web Sites explanation of search warrants


Static Acquisition, Bagging and Tagging, and the Chain of Custody

In this section you will learn about static acquisition, bagging & tagging, and the Chain of Custody. In other words, you're going to gather up items you think should be checked to see if they help prove or disprove the crime, add labels to the items, and take proper steps to ensure that no one contaminates the evidence items.

  1. Static Acquisition, Bagging and Tagging, and the Chain of Custody (Video)
  2. Proper Tagging and Labeling of Evidence for Later Identification by Mike Byrd, a Crime Scene Investigator
  3. Properly packaging evidence - Luckily you don't have to worry about collecting firearms or bodily fluids!


Live Acquisition

In this section you will learn about live acquisition, memory dumps and analyzing memory dumps. You'll also learn how long data stays in computer RAM, which really surprised me.

  1. Live Acquisition (Video)
  2. Creating Memory Dumps (Video)
  3. BelkaSoft Ram Capturer
  4. Using Command Line tools to create and analyze memory dumps - this is very advanced material. Don't worry about absorbing all of the details; you won't be tested on this. I just added it because it shows the power of knowing how to use various command line tools and some of the information you can obtain from a memory dump.