Solution Guide
20 Triage
Standard vs. Live Acquisition
The Dell Digital Forensics Solution offers two types of acquisition: Standard
and Live. During a standard acquisition procedure, the Dell ruggedized laptop
uses the SPEKTOR boot disk to capture triage data from an already powered-
down target storage device. A live acquisition triage procedure, on the other
hand, aims to capture triage data from a still powered-up target storage device,
obtaining evidence not otherwise available.
Previously, industry standards required that the investigator unplug and seize a
digital device for transport and examination back at the lab. This practice meant
the loss of potentially valuable evidence in the form of volatile data: the
contents of the clipboard, currently open files, the contents of RAM, cached
passwords, and so on. Additionally, encrypted data that is accessible while the
system is running may be lost if the computer is shut down before the disk is
imaged. Furthermore, many computers have user-set BIOS and hard drive
passwords, and removing power from a live system that has a BIOS password can
cause loss of access to the entire content of the device.
Industry best practices require the investigator to approach a suspect data
storage device with the following guidelines in mind:
• If the device is powered on, keep it on where possible until a thorough
investigation can be performed.
• If the device is powered off, leave it off.
The reason for these guidelines is that the investigator must be careful to
preserve the storage device as he finds it at the scene, and to introduce as little
change as possible to the device and its contents.
How to Perform Triage Using the Dell Digital Forensics Solution
Turn on Your Dell Ruggedized Laptop
1. Press the power button to log on to the Dell ruggedized laptop. The laptop automatically loads the SPEKTOR software.
2. Tap or click Accept EULA. The Home screen opens.