Dead and Live Box Data Acquisition

Compare and contrast dead and live box data acquisition. When would a live acquisition be preferable to a dead acquisition? Is it legal or accepted practice to copy evidence from a cloud provider during live acquisition, such as copying files from a suspect's Dropbox account before shutting off the system? 


A live acquisition retrieves data from a digital device through its normal interface while the device is powered on; for example, with the computer switched on, the investigator runs acquisition tools from within the running operating system. A dead-box acquisition is the "pull the plug" methodology: power to the system is cut before an exact copy of the hard drive is made (normally through a hardware write blocker), so the technique analyzes data at rest (Mayo, 2016). The trade-off is that a dead acquisition leaves the disk untouched but loses everything that existed only in memory, whereas a live acquisition captures that state at the cost of changing the system slightly with every tool that is run.

A live acquisition is preferable when the investigator encounters a system that is already running and must collect from it before cutting the power. A live system is up and running, so information may be altered as data is continuously processed, and switching it off loses volatile data such as running processes, network connections, logged-in users, encryption keys held in RAM, and mounted file systems (including encrypted or network volumes that will not be readable once the machine is off). Specialized tools are therefore used to extract volatile data, memory first and then the more slowly changing state, before the computer is shut down. Because every command executed on a live system changes it, the examiner records exactly what was run, when, and the hash of each output so the collection can be accounted for later.
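The following is an added example of the volatile-collection step described above; it is not code from the original post or from Mayo (2016). It runs a list of collectors in order of volatility (the RFC 3227 ordering), stores each output with a SHA-256 hash, timestamps and return code, and writes a manifest whose own hash can be copied into the chain-of-custody notes. The command list is an assumption (Linux userland tools); a memory image, which would normally be taken first with a tool such as LiME, is left out because it needs a kernel module and root.

```python
"""Added example: order-of-volatility collector for a live (powered-on) host.
Not from the original post. Assumes Linux command-line tools; adapt the plan
for the target OS. Each output is hashed as it is captured so that the
acquisition record can later be verified."""
import hashlib
import json
import os
import platform
import subprocess
import time

# Ordered from most to least volatile (RFC 3227 order of volatility).
# Assumed Linux tools; a memory image (e.g. LiME) would precede these.
DEFAULT_PLAN = [
    ("processes", ["ps", "-eo", "pid,ppid,user,lstart,args"]),
    ("network_connections", ["ss", "-tunap"]),
    ("arp_cache", ["ip", "neigh"]),
    ("routing_table", ["ip", "route"]),
    ("logged_in_users", ["who", "-a"]),
    ("mounted_filesystems", ["mount"]),
    ("clock_and_uptime", ["uptime"]),
]


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_collector(name: str, argv: list, outdir: str) -> dict:
    """Run one collector and return its manifest entry.

    A missing or hanging tool is recorded (return_code -1) rather than
    aborting the acquisition, so the record still shows what was attempted.
    """
    started = time.time()
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=60)
        out, err, rc = proc.stdout, proc.stderr, proc.returncode
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        out, err, rc = b"", repr(exc).encode(), -1
    path = os.path.join(outdir, name + ".txt")
    with open(path, "wb") as fh:
        fh.write(out)
    return {
        "name": name,
        "command": argv,
        "started_epoch": started,
        "finished_epoch": time.time(),
        "return_code": rc,
        "stderr": err.decode(errors="replace"),
        "output_file": path,
        "output_bytes": len(out),
        "output_sha256": sha256_bytes(out),
    }


def live_acquire(outdir: str, plan=DEFAULT_PLAN, examiner: str = "examiner") -> dict:
    """Run the plan in order, write manifest.json, and return the manifest."""
    os.makedirs(outdir, exist_ok=True)
    manifest = {
        "examiner": examiner,
        "hostname": platform.node(),
        "acquisition_started_epoch": time.time(),
        "entries": [run_collector(name, argv, outdir) for name, argv in plan],
    }
    manifest["acquisition_finished_epoch"] = time.time()
    blob = json.dumps(manifest, indent=2, sort_keys=True).encode()
    with open(os.path.join(outdir, "manifest.json"), "wb") as fh:
        fh.write(blob)
    # This hash is the value to write into the contemporaneous notes.
    manifest["manifest_sha256"] = sha256_bytes(blob)
    return manifest


def verify_outputs(manifest: dict) -> list:
    """Re-hash every stored output; return the names whose hash no longer matches."""
    bad = []
    for entry in manifest["entries"]:
        with open(entry["output_file"], "rb") as fh:
            if sha256_bytes(fh.read()) != entry["output_sha256"]:
                bad.append(entry["name"])
    return bad


if __name__ == "__main__":
    m = live_acquire("./live_evidence")
    for e in m["entries"]:
        print(f"{e['name']:22s} rc={e['return_code']:>3} bytes={e['output_bytes']:>8} "
              f"sha256={e['output_sha256'][:16]}...")
    print("manifest sha256:", m["manifest_sha256"])
    print("outputs with mismatched hashes:", verify_outputs(m))
```

Run it as root from a trusted copy of the tools (ideally from removable media, not the suspect's own binaries) and note the manifest hash by hand; a later `verify_outputs` call shows whether any stored output has been altered since collection.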

I wouldn't say it is legal, though it is accepted practice to copy files from a cloud provider if you have access to the suspect's account. That is one of the challenges investigators face: getting the password for the account.

References: 

Mayo, K. (2016). Computer Forensics. Evidence Technology Magazine. Retrieved 20 May 2020, from http://www.evidencemagazine.com/index.php?option=com_content&task=view&id=116&Itemid=49
