How to Handle Data Acquisition in Digital Forensics

How to Handle Data Acquisition in Digital Forensics

March 11, 2022
| Computer Forensics

Demand for digital forensics services is dramatically increasing. According to a recent report, the digital forensics market is expected to grow from USD 3.14 billion to USD 5.37 billion between 2017 and 2023, representing a compound annual growth rate of over 9% per year (Research Reports World, 2021). This shift is due to various factors, including ongoing adoption of digital services, failure to properly secure computer networks, and a general increase in cybercrime (Research and Markets, 2021).

As a result, businesses need to increase their awareness of the cyberthreats they face (EC-Council, 2021a). This creates an incredible opportunity for individuals interested in a career in cybersecurity. Demand for digital forensic analysts and investigators in particular is exploding: The U.S. Bureau of Labor Statistics (2022) predicts that the forensic science job market will grow by 16% between 2020 and 2030—twice the average for all occupations—with digital forensic investigators in the U.S. earning a median annual salary of $78,746 (, 2021).

A key component of digital forensics is data acquisition: the process of gathering and preserving digital evidence in a forensic investigation. Failure to adhere to appropriate legal standards in this process can tarnish any investigative effort. In this article, we’ll review the data acquisition process in the context of cybercrime investigations.

What Is a Cybercrime Investigation?

Data acquisition best practices are most important when dealing with cybercrime. The term “cybercrime” specifically refers to crimes committed using digital means, such as computers and other networked devices (EC-Council, 2021b). Cybercriminals illegally gain access to the computer or networked device of another individual or organization, which they then use for purposes such as financial theft or holding data hostage for ransom.

A cybercrime investigation generally includes two components:

  • Finding the guilty party and collecting evidence to ensure their criminal conviction
  • Ensuring that the individual or business who is the victim of the crime can recover the use of their devices and any money stolen

To preserve data integrity and ensure that guilty parties can be convicted in court, digital forensic investigations need to follow a particular procedure. Any digital forensic investigator therefore needs to fully understand appropriate data acquisition methods.

What Is Data Acquisition in Digital Forensics?

The gathering and recovery of sensitive data during a digital forensic investigation is known as data acquisition. Cybercrimes often involve the hacking or corruption of data. Digital forensic analysts need to know how to access, recover, and restore that data as well as how to protect it for future management. This involves producing a forensic image from digital devices and other computer technologies.

Digital forensic analysts must be fully trained in the process of data acquisition. However, they are not the only ones who should understand how data acquisition works. Other IT positions that require knowledge of data acquisition include data analyst, penetration tester, and ethical hacker.

Moreover, the entire organization should understand the basics of how cybercrime works, including the importance of not intruding into hacked computer systems. Just as in a real-life crime scene, a “civilian” who stumbles into a digital crime scene can inadvertently destroy evidence or otherwise corrupt the crime scene, impeding later investigation. This speaks to the need to ensure that an entire business operation has cybersecurity training that covers the basics of proper information technology use, anti-phishing techniques, and network security (EC-Council, 2020).

What Are the Most Commonly Used Data Acquisition Methods? ​

Certified computer examiners receive training in a range of data acquisition methods, as different situations may call for the use of different techniques. Digital forensic investigators need to be aware of the various types of data acquisition methods and should know when to choose one method over another. Above all, they need to make sure that the methods they choose do not damage the evidence in question. The most commonly used techniques are described below (Nelson et al., 2010). While other forms of data acquisition may also be used in some instances, this usually occurs only in highly specialized cases.

Bit-stream disk-to-image files

This is the most common data acquisition method in the event of a cybercrime. It involves cloning a disk drive, which allows for the complete preservation of all necessary evidence. Programs used to create bit-stream disk-to-image files include FTK, SMART, and ProDiscover, among others.

Bit-stream disk-to-disk files

When it is not possible to create an exact copy of a hard drive or network, different tools can be used to create a disk-to-disk copy. While certain parameters of the hard drive may be changed, the files will remain the same.

Logical acquisition

Logical acquisition involves collecting files that are specifically related to the case under investigation. This technique is typically used when an entire drive or network is too large to be copied.

Sparse acquisition

There are five steps in a digital forensics investigation, the first two of which are the most critical during data acquisition (EC-Council, 2021b):

  • Identification
  • Preservation
  • Analysis
  • Documentation
  • Presentation

The first stage involves ensuring that all files and evidence related to the ongoing investigation have been properly identified. This involves conducting an appropriate examination of the device or network in question as well as interviewing the individuals involved in the network breach. These individuals may have guidance for your investigation or other useful information and may be able to tell you how the breach in question occurred.

The second stage is preservation of evidence: maintaining the data in the state in which it is found for later examination and analysis. No one else should be able to access the information in question. After completing these steps, you can move on to copying, examining, and analyzing the evidence.

Properly identifying and preserving evidence ensures that it can be analyzed. Accurately identified and preserved evidence can help digital forensic investigators understand how the data damage occurred, what hacking methods were used, and how individuals and organizations can prevent similar cyberattacks in the future. These conclusions must be supported by the evidence, which is confirmed in the documentation step. All evidence is then placed into a presentation that can be given to others.

Proper management of data acquisition is critical in any investigation. However, it’s only the first step in properly conducting digital forensics and protecting your clients’ information. At EC-Council, we offer internationally recognized trainings and certifications, such as the Certified Hacking Forensic Investigator (C|HFI) program. By completing this course and earning your C|HFI certification, you’ll learn about a variety of aspects of the field of digital forensics, including digital data acquisition. Start your certification journey with EC-Council today!


Bureau of Labor Statistics. (2022, January 21). Forensic science technicians. In Occupational outlook handbook. U.S. Department of Labor.

EC-Council. (2020). Phishing prevention solutions.

EC-Council. (2021a, January 23). What is cybersecurity awareness? Why do you need it?

EC-Council. (2021b, September 9). Digital forensics.

Nelson, B., Phillips, A., & Steuart, C. (2010). Guide to computer forensics and investigations (4th ed.). Cengage.

Research and Markets. (2021, June 14). The worldwide digital forensics industry is expected to grow at a CAGR of 13% between 2020 to 2027 [Press release]. Globe Newswire.

Research Reports World. (2021, September 6). Digital forensics market 2021 share growing rapidly with recent trends, development, revenue, demand and forecast to 2023 [Press release]. The Express Wire. (2021, December 27). Digital forensic investigator salary in the United States.

Share this Article
You may also like
Recent Articles
Become a Certified Hacking Forensic Investigator (C|HFI)

"*" indicates required fields