A cybersecurity forensics investigator is tasked with acquiring data from a suspect's drive for a civil litigation case. The suspect drive is 1TB, and due to time constraints, the investigator decides to prioritize and acquire only data of evidentiary value. The original drive cannot be retained. In this context, which of the following steps should the investigator prioritize?
In a scenario where time is limited and the investigator needs to prioritize acquiring data of evidentiary value from a large drive, executing a logical acquisition is the most suitable approach. Logical acquisition involves copying only the data that is relevant to the investigation rather than the entire drive, which is ideal given the constraints.
Computer Hacking Forensic Investigator (CHFI) v11 Page 321: In a situation with time constraints, and in which the investigator is aware of files that need to be acquired, logical acquisition may be considered ideal. Logical acquisition gathers only the files required for case investigation.
Assuming the investigator is aware of what files need to be acquired, logical acquisition may be considered ideal.