Digital Forensic Investigation

The handling of evidence at the scene is critical to maintaining the integrity of the evidence (Bunting, 2012, p. 90). Proper tools for acquiring the evidence at the scene are essential. These tools can be categorized as discipline-specific hardware and software, and general tools and supplies. Bunting (2012), Gogolin (2013), Kral (2011) and Nelson, Phillips and Steuart (2010) provide lists of item that a digital forensics investigator should have at the scene. The table at the end of this section summarizes the suggestions of these authors.

Hardware & software
Data acquisition, particularly preserving volatile data, will be foremost in the mind of the digital forensics investigator upon arrival at the scene of the incident.

If the machines are running, and particularly if the machines must not be shut down to maintain the core business function, volatile information, such as the contents of RAM, USB drives are important for capturing information live machines. To image RAM on a Windows machine, the USB drives should contain WinEn. WinAcq should be included for a live Windows acquisition, and MacLockPick for acquiring data from live Macintosh and Linux platforms (Bunting, 2012, p. 96).
16). If resources allow, a spare response computer is suggested (Bunting, 2012, p. 96). A hardware disk imager is recommended (Gogolin, 2012, p. 16); although disk imaging capabilities are also present in certain forensic software (see below). A hardware write-blocker is recommended; although, software write-blockers are also available (see e.g., Lyle,