Forensics Acquisition, Incident Response

Bear in mind that in the digital investigation space, a forensically acquired drive is the preferred method of evidential preservation and subsequent handling.

Digital forensics as a skill became more frequently used during incident response. It is important to remember that digital forensic acquisition was designed to protect the state of evidence from inadvertent or intentional modification.

Although this is important when conducting investigations as part of incident response, remember that the acquisition methodology is designed to prevent disk writes or changes to data integrity.

As a result, it is a 'safe' option, assuming a good evidence handling process is in place. That said, depending on how the image is used, caution must be taken if malware is present: you would need to adopt the USB drive mentality, as a lot of malware only needs to be read.

This can introduce a risk to the forensic environment, more so with ransomware, which can cause delay or, depending on how the lab is operated, encrypt or infect other systems and data.

This is a consideration that needs to be made when handling any forensic image, more so if malware use is anticipated.