An organization has suffered a significant data breach and called in a Computer Hacking Forensics Investigator (CHFI) to gather evidence. The investigator has decided to use the dead acquisition technique to gather nonvolatile data from the compromised system. Which of the following would NOT typically be acquired during this type of forensic data acquisition process?
A dead acquisition technique focuses on gathering nonvolatile data from a system that is turned off or not actively processing data. Nonvolatile data refers to data stored on a device that does not depend on a power source to maintain the stored information, such as data stored on hard drives. Examples include web browser cache, unallocated drive space, and boot sectors. Active network connections, however, are volatile in nature as they exist only when the system is powered on and actively connected to a network. Therefore, active network connections would not typically be acquired during a dead acquisition process.
Examples of static data: emails, word documents, web activity, spreadsheets, slack space, unallocated drive space, and various deleted files. Static data recovered from a hard drive include the following: Temporary (temp) files System registries Event/system logs Boot sectors Web browser cache Cookies Hidden files