Evidence Acquisition

Collect evidence before it disappears
The order of volatility determines what you collect first, and forensic imaging requires specialized tools and write-blocking hardware to maintain evidentiary integrity.

Memory Acquisition

RAM contains running processes, network connections, encryption keys, and credentials. Collecting it requires special tools:

# Linux memory acquisition
# LiME (Linux Memory Extractor)
insmod lime.ko "path=mem.dump format=lime"

# fmem (kernel module)
insmod fmem.ko
dd if=/dev/fmem of=mem.dump bs=1M

# avml (modern tool)
./avml mem.dump

# Windows memory acquisition
# WinPmem (recommended)
winpmem_mini_x64_rc2.exe mem.raw

# DumpIt (simple)
DumpIt.exe

# Magnet RAM Capture
MagnetRAMCapture.exe

Disk Imaging

# Linux disk imaging
# Create forensic image (dd)
sudo dd if=/dev/sda of=image.dd bs=4M status=progress

# Image with on-the-fly hashing (dcfldd)
sudo dcfldd if=/dev/sda of=image.dd hash=sha256 hashwindow=1G

# EWF format (Guymager)
guymager

# Logical acquisition
sudo rsync -a /mnt/evidence/ /cases/case1/

# Windows disk imaging
# FTK Imager (GUI)
"FTK Imager.exe"

# Command line (dd for Windows)
dd.exe if=\\.\C: of=C:\evidence\image.dd

Network Acquisition

# Full packet capture
tcpdump -i eth0 -s 0 -n -w capture.pcap

# NetFlow collection
softflowd -i eth0 -n collector:2055

# Remote packet capture
ssh user@target "tcpdump -i eth0 -w -" > capture.pcap

Write Blocking

Always use write-blocking hardware or software when accessing evidence:

  • Hardware write-blocker (Tableau, WiebeTech)
  • Software write-blocker (Linux: mount -o ro,noexec)
  • Forensic bridge (connects between drive and analysis machine)

Hashing and Verification

Hash everything at collection time and verify before analysis:

# Generate hash at collection
sha256sum image.dd > image.dd.sha256

# Verify integrity
sha256sum -c image.dd.sha256

# Multiple hash algorithms
sha256sum image.dd
md5sum image.dd
sha1sum image.dd
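The imaging and hashing steps above, combined into one script as an added example (not code from the original page): hash the source first, copy it with dd, write sha256sum-style manifests, and refuse to report success unless the source and image digests agree. It assumes GNU coreutils (dd, sha256sum, md5sum, cut); the source may be a block device such as /dev/sdb, or an ordinary file when testing.

```shell
#!/bin/sh
# Added example, not code from the original page: image a source with dd,
# hash source and image, write a sha256sum manifest, and verify before
# analysis. Assumes GNU coreutils (dd, sha256sum, md5sum, cut). SRC may
# be a block device such as /dev/sdb, or an ordinary file when testing.

# Print only the SHA-256 digest of a file.
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire_image SRC DST
#   1. hash the source before anything else touches it
#   2. copy with dd; conv=noerror keeps going past read errors
#   3. hash the image, write manifests, and require source == image
# Note: conv=sync pads the final partial block to bs with zeros, which
# changes the image hash unless bs divides the source size exactly, so
# it is deliberately left out here.
acquire_image() {
    src=$1
    dst=$2
    src_hash=$(hash_file "$src")
    [ -n "$src_hash" ] || { echo "cannot hash $src" >&2; return 1; }
    dd if="$src" of="$dst" bs=4M conv=noerror status=none || return 1
    # sha256sum -c manifest format: "<digest>  <path>"
    sha256sum "$dst" > "$dst.sha256" || return 1
    md5sum    "$dst" > "$dst.md5"    || return 1
    dst_hash=$(cut -d' ' -f1 "$dst.sha256")
    if [ "$src_hash" != "$dst_hash" ]; then
        echo "MISMATCH: source $src_hash image $dst_hash" >&2
        return 1
    fi
    echo "acquired $dst sha256=$dst_hash"
}

# verify_image DST: re-check the image against its manifest; non-zero on change
verify_image() {
    sha256sum -c --status "$1.sha256"
}
```

Run `acquire_image /dev/sdb /cases/case1/image.dd` at collection time and `verify_image /cases/case1/image.dd` before every analysis session; a non-zero exit from either means the image cannot be trusted as collected.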

Chain of Custody

Documentation is as critical as the evidence itself:

  • Who collected the evidence
  • When and where collected
  • How collected (tools and methods)
  • Who has handled it since
  • Where it is stored
  • How access is controlled
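A minimal chain-of-custody log covering the fields listed above, as an added example (not code from the original page): each handling event records when, who, where, how, and the evidence hash at that moment, and a check re-hashes the item against the last custody entry and records the outcome as an event of its own. It assumes GNU coreutils and awk; the tab-separated log format is this example's own convention.

```shell
#!/bin/sh
# Added example, not code from the original page: a chain-of-custody log
# recording who/when/where/how for each handling event together with the
# evidence hash, plus a check that the item still matches the last
# recorded hash. Assumes GNU coreutils and awk; the tab-separated format
# (one event per line) is this example's own convention.

hash_file() { sha256sum "$1" | cut -d' ' -f1; }

# custody_record LOG ITEM ACTION ACTOR LOCATION METHOD
# Fields: timestamp(UTC)  item  sha256  action  actor  location  method
custody_record() {
    log=$1; item=$2; action=$3; actor=$4; location=$5; method=$6
    [ -r "$item" ] || { echo "cannot read $item" >&2; return 1; }
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    h=$(hash_file "$item")
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$ts" "$item" "$h" "$action" "$actor" "$location" "$method" >> "$log"
}

# custody_last_hash LOG ITEM -> hash from the most recent custody entry
# for ITEM. Verification events are skipped so that a failed check never
# becomes the new baseline.
custody_last_hash() {
    awk -F'\t' -v item="$2" \
        '$2 == item && $4 !~ /^verified/ { h = $3 } END { print h }' "$1"
}

# custody_check LOG ITEM ACTOR LOCATION
# Recomputes the hash, compares it with the last recorded one, and logs
# the result so the verification itself is part of the chain.
custody_check() {
    log=$1; item=$2; actor=$3; location=$4
    expected=$(custody_last_hash "$log" "$item")
    [ -n "$expected" ] || { echo "no custody entry for $item" >&2; return 1; }
    actual=$(hash_file "$item")
    if [ "$actual" = "$expected" ]; then
        custody_record "$log" "$item" "verified-ok" "$actor" "$location" "sha256sum"
        return 0
    fi
    custody_record "$log" "$item" "verified-FAILED" "$actor" "$location" "sha256sum"
    echo "integrity failure: $item expected $expected got $actual" >&2
    return 1
}
```

Typical use: `custody_record custody.tsv image.dd acquired analyst1 lab-A "dd+sha256sum"` at collection, another `custody_record` line with an action such as `transferred` whenever the item changes hands or storage, and `custody_check custody.tsv image.dd analyst2 lab-A` before each analysis session.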

Legal Considerations

  • Authorization: Do you have legal authority to collect?
  • Scope: Only collect within authorized boundaries
  • Privacy: May contain personal/medical data
  • Retention: Evidence retention policies
  • Testimony: May need to testify about process