Acquisition

Data acquisition is the collection of forensically sound data from any computer system (disk, external storage, memory, etc.). This data generally varies based on the operating system installed on the computer or server. Acquired data often needs to be parsed, stored, and presented in a human-readable format for further analysis and investigation.

Data acquisition is the primary activity of most digital investigations. Before data acquisition, the investigators generally identify the data they’ll need. Since data or evidence is an essential element of any investigation, investigators tend to take as much as they can in the first instance to avoid, if possible, a second acquisition. Therefore, the power of the digital investigation and DFIR solution is often proportional to the acquisition capability and the features associated with it.

Binalyze AIR provides easy-to-deploy and fast data acquisition capabilities across a wide range of operating systems, collecting 350+ forensically sound data types. It supports remote acquisition from on-premises, cloud, and off-network devices, so investigators can work on many devices remotely, at speed and at scale.

Binalyze AIR supports a growing number of operating systems, including Windows, Linux, macOS, ChromeOS, ESXi, and IBM AIX.

The results of AIR's Acquisition and Triage processes can be further analyzed using DRONE's automated Post Acquisition Analyzers. DRONE's findings, along with all collected artifacts, are then presented within the Investigation Hub.

The Binalyze AIR responder must be deployed on an endpoint before data can be acquired from it. Every acquisition runs according to a Data Acquisition Profile, which is created before the acquisition is started.

Data acquisition is classified into three categories: Evidence, Artifacts, and Network Capture. Additionally, investigators have the flexibility to create custom content profiles, allowing them to collect specific files or data from designated locations.

At Binalyze, we recognize the critical importance of maintaining a strong 'chain of custody' in the collection and handling of evidence. That's why we employ SHA-256 hashing in combination with RFC 3161 timestamp tokens. The hash fixes the content of each collected item; the timestamp token, issued by a Time Stamping Authority over that hash, proves the content existed in exactly that form no later than the time stated in the token. Re-hashing the evidence at any later point and comparing against the timestamped hash shows whether it has been altered since collection.

Read more about RFC 3161 and the way AIR maintains a strong chain of custody here: Protect Your Chain Of Custody With Content Hashing And Timestamping
