Digital Evidence Acquisition Basics: A Beginner's Guide
Introduction
Before anyone can analyse a file, a hard drive or a phone, the data has to be captured properly. That capture step is called acquisition, and it is the moment where digital evidence is either protected or quietly ruined. Done well, acquisition is the defensible capture of digital evidence: a verified copy made without disturbing the original, with every action written down. Done carelessly, it can change the very data you are trying to preserve and leave you unable to prove anything at all. This beginner's guide walks through the digital evidence acquisition basics — the principles, the steps, the choices, and the simple verification check that ties it all together. It is general information to help you understand the process, not legal advice; how evidence is used depends on the facts of your matter and the law that applies.
The Core Principles
Almost every good acquisition practice flows from three plain ideas. First, do not alter the original: the source data should be treated as untouchable, because once it changes you usually cannot undo it or prove it stayed clean. Second, work on a verified copy: make an exact duplicate, confirm it matches the source, and do all your examination on that copy so the original is never at risk. Third, document everything: who did what, when, with which tools, and what the results were. If your work is ever questioned, that contemporaneous record — together with the integrity proof — is what lets a reviewer trust your findings. Keep these three principles in mind and most of the detailed steps below will feel like common sense.
The Basic Steps
A typical acquisition follows a predictable sequence.
1. Identify and isolate the source so nothing (a sync app, an antivirus scan, a network connection) keeps writing to it while you work.
2. Write-block where relevant, using a hardware or software write blocker so the device can be read but not modified during capture.
3. Image or collect the data, creating a complete copy of the drive, partition or files you need.
4. Hash to verify the copy equals the source, computing a fingerprint of both and confirming they are identical.
5. Record the chain of custody, logging who held the evidence and when, so its handling can be traced end to end.
6. Preserve the original and the verified copy in secure storage.
For a deeper look at the handling record, see our explainer on what chain of custody is, and our overview of chain of custody software.
Live vs Dead Acquisition
Not every source can be powered off first. Dead acquisition captures data from a device that is switched off or a medium that is not running — the cleanest approach, because nothing on the source is changing while you copy it. Live acquisition captures from a running system, and you reach for it when you must grab volatile data that disappears at shutdown: the contents of memory, running processes, open network connections, decrypted data held only in RAM. The rule of thumb is to capture volatile data first when it is needed, because it is the most fragile, then move on to the more stable storage. Live acquisition unavoidably touches the system, so it is documented with extra care and used only when those volatile artefacts genuinely matter. A general-purpose digital forensics tool can help you record exactly what was captured and when.
Verification: The Acquisition Hash Must Match
Verification is the step that turns a copy into trusted evidence, and it is simpler than it sounds. A cryptographic hash is a fixed-length fingerprint computed over data; change a single byte and the fingerprint changes completely. So you hash the source, hash the acquired copy, and compare: the acquisition hash must match. If the two values are identical, the copy is bit-for-bit the same as the source and you can examine it with confidence. If they differ, the copy is not faithful and must not be relied on. Recording these hash values at the moment of acquisition gives you a reusable proof of integrity that anyone — months or years later — can recompute and check for themselves.
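As an added example (not code from this article or from e-Dex), the following Python script walks the capture-to-verification sequence from The Basic Steps above and the hash comparison described in this section. It images a constructed source file to a copy while hashing the source stream as it is read, independently re-hashes the image with several algorithms, writes an acquisition record (examiner, timestamp, tool, hashes) that can be re-verified later, and then flips a single byte of the image to show the check turning from MATCH to MISMATCH. The file names, examiner name and record layout are assumptions; opening the source read-only is an application-level courtesy, not a substitute for a write blocker.

```python
"""Acquire a copy of a source, verify it by hash, and record the acquisition.

Added example, not part of the original article or the e-Dex tool. A constructed
"device" file is written to a temporary directory so the script runs offline.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha1", "sha256")  # several algorithms per file, like a multi-hash report
CHUNK = 1024 * 1024                     # stream in 1 MiB chunks; never load a whole image into memory


def hash_file(path, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for a file, computed in one streamed pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source, image, examiner, notes=""):
    """Copy `source` to `image`, hashing the source bytes as they are read, then
    re-read the finished image independently and compare. Returns the record."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    # "rb" is read-only at the application level only (a write blocker is still the real control);
    # "xb" refuses to overwrite an image that already exists.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
            dst.write(chunk)
    source_hashes = {name: h.hexdigest() for name, h in hashers.items()}
    image_hashes = hash_file(image)  # independent re-read of what actually landed on disk
    return {
        "source": os.path.abspath(source),
        "image": os.path.abspath(image),
        "examiner": examiner,                       # assumed field names for the custody record
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "tool": "acquire.py (added example)",
        "source_hashes": source_hashes,
        "image_hashes": image_hashes,
        "verified": source_hashes == image_hashes,  # the acquisition hash must match
        "notes": notes,
    }


def verify(record):
    """Recompute the image hashes from a stored record. MATCH only if every algorithm agrees."""
    current = hash_file(record["image"], record["source_hashes"].keys())
    return ("MATCH" if current == record["source_hashes"] else "MISMATCH"), current


def known_answer():
    """Hash a file containing b"abc" so the digests can be checked against published test vectors."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "abc.txt")
        with open(path, "wb") as fh:
            fh.write(b"abc")
        return hash_file(path)


def run_demo():
    """Constructed scenario: image a fake device, re-verify later, then alter one byte of
    the image and show the verification failing."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "device.bin")  # stands in for the evidence drive
        image = os.path.join(workdir, "device.dd")    # the acquired copy
        with open(source, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK + 123))     # not a chunk multiple: exercises the final partial read
        record = acquire(source, image, examiner="J. Doe (constructed)", notes="example only")
        recheck, _ = verify(record)                   # "anyone can recompute later"
        with open(image, "r+b") as fh:                # simulate an accidental single-byte change
            fh.seek(CHUNK + 7)
            original = fh.read(1)
            fh.seek(CHUNK + 7)
            fh.write(bytes([original[0] ^ 0x01]))
        after_tamper, _ = verify(record)
        return {
            "verified_at_acquisition": record["verified"],
            "recheck": recheck,
            "after_tamper": after_tamper,
            "algorithms": sorted(record["source_hashes"]),
        }


if __name__ == "__main__":
    print(json.dumps(known_answer(), indent=2))
    print(json.dumps(run_demo(), indent=2))
```

The acquisition record is what you keep alongside the image: because it stores the source digests, a reviewer needs only the image and the record to repeat the check, and a MISMATCH on any one algorithm is enough to reject the copy.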
Common Beginner Mistakes
A few errors come up again and again. Examining the original instead of a copy, which puts irreplaceable data at risk. Skipping the write blocker and letting the operating system silently update timestamps or metadata on the source. Forgetting to hash at acquisition time, leaving no baseline to prove the copy is faithful later. Powering a device on or off without thinking, which can destroy volatile data or trigger changes on the disk. Thin or missing documentation, so that even a perfect technical capture cannot be explained or defended. And storing the only copy in one place, with no secure backup. Most of these are avoided simply by respecting the three core principles and slowing down at the capture stage.
Frequently Asked Questions
What is digital evidence acquisition?
Digital evidence acquisition is the defensible capture of data from a device or source so it can be examined later without changing the original. In practice you make a verified copy of the data, prove the copy is identical to the source using cryptographic hashes, and document every step. The goal is that anyone reviewing your work can trust the evidence is exactly what it was when you collected it.
Why should I work on a copy instead of the original evidence?
Working on the original risks altering it, and once altered you can rarely undo the change or prove it did not happen. The accepted practice is to preserve the original untouched, create a verified working copy, and do all examination on the copy. If the copy is ever questioned you can return to the original and re-verify, which keeps your findings defensible.
What is the difference between live and dead acquisition?
Dead acquisition captures data from a powered-off device or a storage medium that is not running, which is the cleanest approach because nothing on the source is changing. Live acquisition captures data from a running system, used when you must collect volatile data such as memory contents, active network connections or running processes that would be lost on shutdown. Live acquisition unavoidably touches the system, so it is documented carefully and used only when the volatile data matters.
How does hashing verify that a copy equals the source?
A cryptographic hash is a fixed-length fingerprint computed over data. You hash the source and hash the acquired copy; if the two hashes are identical, the copy is bit-for-bit the same as the source. If even one byte differs, the hashes differ and the copy fails verification. Recording these hash values at acquisition time gives you a reusable proof of integrity that anyone can recompute later.
Do I need an internet connection or expensive hardware to verify an acquisition?
No. Verifying that a copy matches its source is a software step: you compute hashes for both and compare them. e-Dex runs fully offline on an ordinary Windows machine, computing multiple algorithms per file and printing a plain MATCH or MISMATCH result, so your evidence files never leave your computer. Specialised write-blocking hardware is useful during the capture stage but is not required to perform the verification.
Conclusion
Acquisition is where digital evidence is won or lost. Respect the three principles — do not alter the original, work on a verified copy, document everything — follow the capture steps in order, choose live or dead acquisition deliberately, and always confirm that the acquisition hash matches. That last verification step is something you can do today, offline, on a single Windows machine with e-Dex — the free Digital Evidence Integrity Suite. Download it free and prove your copies are exactly what they should be.