There are a variety of methods that are used to not only access a potential evidence source but determine the type of acquisition that can be undertaken. To define these methods, it is important to have a clear understanding of the manner and type of acquisition that can be utilized:
- Local: Having access to the system under investigation is often a luxury for most enterprises. Even so, there are many times where incident response analysts or other personnel have direct physical access to the system.
- Remote: In a remote acquisition, incident response analysts leverage tools and network connections to acquire evidence. Remote acquisition is an obvious choice if the incident response analysts are dealing with geographical challenges. This can also be useful if incident response analysts cannot be onsite immediately.
- Live acquisition: A live acquisition of evidence...