In digital forensics, live acquisition is the process of recovering data from a device that is powered on while the acquisition takes place. This is most frequently done when analyzing cell phones and tablets.
This differs from post-mortem acquisition, which is done after power has been removed from the source.
Live acquisition must also be performed when trying to recover data stored in a computer's memory. The contents of memory are lost when power is removed, but performing a live acquisition on a running machine can be tricky.
Best practice in computer forensics says: if a machine is on, leave it on; if it’s off, leave it off.
Live acquisitions are also used to recover deleted text messages, social media passwords and pictures from smartphones and tablets. Spindletop Investigations uses Cellebrite mobile forensics technology, which serves as a write blocker, ensuring evidence collected from digital devices is not tampered with.
If you have a case which may require live forensic acquisition from a desktop or laptop computer, please contact Spindletop Investigations in advance.