Question
Live capture is conducted while the system is still running. This method is suitable when you need to collect volatile data, such as running processes, open network connections, and system logs. The advantages are:
- Captures real-time information.
- Useful for investigating active threats or ongoing activities.
- Preserves volatile data that may be lost in a static capture.
Live capture is preferred when dealing with active threats or when time-sensitive information is crucial. In some scenarios, live system analysis is necessary or preferable, such as when the system is critical for business or operational continuity, encrypted or protected by anti-forensic measures, remote or inaccessible, or dynamic or ephemeral. It can also be useful when the system changes or disappears frequently and cannot be shut down or removed for offline access or analysis (2023).
Static capture involves shutting down or isolating the system before acquiring the data. This method is appropriate when you want to capture a snapshot of the system's state without any active processes or changes. The advantages are:
- Preserves the integrity of the evidence by preventing further changes to the system.
- Useful for analyzing file systems, registry hives, and other non-volatile data.
- Ensures a consistent state for analysis.
Static capture is preferred when the system needs to be preserved in a specific state, or when investigating non-volatile data is the primary focus (S., 2022).
The Chain of Custody for digital evidence is the chronological documentation of its handling from the time of collection until its disposal. The Chain of Custody can consist of signed paper forms, photographs, investigator's notes, examination reports, automatically generated logs and forensic hashes.
The Chain of Custody should document the following:
- The person collecting or receiving the evidence.
- The source of the evidence.
- Date and time, including time zone information where applicable.
- Unique identifiers.
- How the evidence was collected, including the tools and methods used.
- Any additional documentation as required by the Organization (Geeks for Geeks, 2020).
Examination of digital evidence should only be performed on work copies. Computers, mobile devices and original external storage media should only be examined by trained digital forensic examiners.
Forensic hashes are used to verify the integrity of all types of digital evidence and to verify that copies are identical to the original. Forensic hashes are computed using mathematical functions, most commonly the Message Digest (MD5) and Secure Hash (SHA) algorithms. Forensic hashes should be computed immediately when the evidence is collected or received and should be stored securely together with the original evidence.
It is recommended that digital evidence provided by third parties is authenticated. Evidence should preferably be collected directly from its native environment. If collection from the source is not possible, the investigator should attempt to verify the evidence by confirming its existence on the original device or the online account (Conference of International Investigators, 2021).
With any discrepancies to the original data, the best thing to do is to be as transparent about it as possible. Issues that may arise include: bad disk sectors, dynamic data changes, compression or encryption, hardware issues, file system changes, or timestamp issues.
Response on this discussion
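The hash-at-collection and copy-verification practice described above, as an added example that is not part of the original post or its cited sources. It computes MD5 and SHA-256 over an evidence stream in chunks (so large images do not have to fit in memory), records them in a chain-of-custody entry together with a timezone-aware timestamp, and checks a working copy against the original. The evidence identifier, names, tool name and the evidence bytes are all constructed placeholders.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so disk images need not fit in memory


def forensic_hashes(stream) -> dict:
    """Compute MD5 and SHA-256 digests over a binary stream in one pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        md5.update(block)
        sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def custody_entry(evidence_id, source, collector, tool, stream, collected_at):
    """Build one chain-of-custody record; hashes are taken at collection time."""
    if collected_at.tzinfo is None:
        raise ValueError("collection timestamp must carry time zone information")
    return {
        "evidence_id": evidence_id,          # unique identifier
        "source": source,                    # where the evidence came from
        "collected_by": collector,           # person collecting/receiving it
        "collected_at": collected_at.isoformat(),  # date, time and UTC offset
        "tool": tool,                        # how it was collected
        "hashes": forensic_hashes(stream),   # stored with the original evidence
    }


def verify_copy(entry, copy_stream) -> bool:
    """True only if the working copy is bit-for-bit identical to the original."""
    return forensic_hashes(copy_stream) == entry["hashes"]


# Constructed sample evidence (not a real disk image) and constructed metadata.
ORIGINAL = b"constructed sample evidence image contents\n" * 64
TAMPERED = ORIGINAL[:-1] + b"!"  # same length, one byte changed
ENTRY = custody_entry(
    evidence_id="EVID-0001 (placeholder)",
    source="workstation HDD (constructed)",
    collector="Examiner A (placeholder)",
    tool="dd (assumed tool name)",
    stream=io.BytesIO(ORIGINAL),
    collected_at=datetime(2023, 5, 1, 9, 30, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    print(ENTRY)
    print("good copy:", verify_copy(ENTRY, io.BytesIO(ORIGINAL)))   # True
    print("tampered copy:", verify_copy(ENTRY, io.BytesIO(TAMPERED)))  # False
```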