Forensic Acquisition Guide

Create a forensic bit-for-bit image of an entire physical disk using AccessData FTK Imager. Produces E01 or raw (dd) format images with built-in hashing for verification.

Acquire a forensically sound disk image using OpenText EnCase. Creates Ex01 evidence files with case metadata, hash verification, and chain of custody tracking.

Use dd (via Windows port or forensic distro) or dc3dd to create a raw bit-for-bit disk image. dc3dd adds built-in hashing and progress reporting.

Open-source forensic imaging tool with a graphical interface. Supports E01, AFF, and raw formats with multi-threaded compression and hash verification.

Create a bit-for-bit raw image of a Linux disk using dd or its forensic-enhanced variant dc3dd, which adds built-in hashing, progress reporting, and error handling.

DoD Computer Forensics Lab enhanced version of dd with forensic features including on-the-fly hashing, split output, and status reporting.

Use the libewf ewfacquire tool to create compressed E01 (Expert Witness Format) forensic images from Linux systems with built-in hashing and case metadata.

Multi-threaded GUI forensic imager for Linux. Creates E01, AFF, or raw images with simultaneous hash computation.

Boot an Intel Mac from external forensic media and use dd/dc3dd to create a raw disk image. This is the most forensically sound approach for Intel-based Macs without T2 chips.

Use Target Disk Mode to present an Intel Mac internal drive as an external disk to a forensic workstation connected via Thunderbolt or FireWire.

Apple Silicon Macs use Share Disk mode (replacing Target Disk Mode) accessed through DFU mode or macOS Recovery to present the internal disk to another Mac.

Physically remove the NAND/eMMC flash memory chip from the device PCB and read it directly using a chip reader. Provides a complete raw image including deleted data.

Use the JTAG (Joint Test Action Group) debug interface on the device PCB to read flash memory without removing chips. Less destructive than chip-off.

Read flash memory by connecting directly to the eMMC/UFS chip data lines on the PCB without removing the chip. Also known as in-situ chip reading.

Exploit Qualcomm Emergency Download (EDL/9008) mode to read flash memory on Qualcomm-based Android devices. EDL mode provides low-level access bypassing the Android OS.

Exploit the checkm8 bootrom vulnerability (present in Apple A5 through A11 chipsets) to obtain a full filesystem extraction bypassing the iOS passcode. Works on iPhone 5s through iPhone X.

GrayKey (Magnet Forensics/Grayshift) is a hardware device that performs passcode brute-force and full filesystem extractions from iOS devices, including newer A12+ models.

Create a logical image of specific files, folders, or volumes using FTK Imager. Produces AD1 format containers with selective content.

Use tar to create compressed archives of specific directories or files for targeted forensic collection when full disk imaging is not feasible.

Use rsync to efficiently copy specific files and directories while preserving metadata. Useful for remote collection over SSH.

SUMURI Recon ITR (Imaging, Triage, and Recovery) is a macOS-native forensic tool that performs logical acquisitions of Mac systems, including APFS volumes and FileVault-encrypted disks.

Cellebrite Digital Collector performs targeted and full logical acquisitions of macOS systems with support for APFS, FileVault, and T2/Apple Silicon platforms.

Use Android Debug Bridge (ADB) to extract accessible data from an Android device including app data (via backup), file listings, and system information.

With root access on the Android device, extract the full filesystem including app internal data, system partitions, and databases.

Cellebrite UFED is the industry-leading commercial mobile forensic tool supporting logical, filesystem, and physical extractions for thousands of Android device models.

MSAB XRY is a commercial mobile forensic tool that supports logical and physical extractions from Android devices with integrated analysis capabilities.

Oxygen Forensic Detective provides mobile device extraction with strong cloud data acquisition capabilities, supporting logical and physical Android extractions.

Create an iTunes (Windows) or Finder (macOS) backup of the iOS device. An encrypted backup contains significantly more data including Health data, Wi-Fi passwords, and keychain entries.

Use the AFC and AFC2 protocols over USB to access the iOS filesystem. Standard AFC provides access to media files; jailbroken devices with AFC2 allow full filesystem access.

Use the checkm8 exploit to obtain a full filesystem extraction (without BFU bypass) from A5-A11 devices that are in an AFU (After First Unlock) state.

Cellebrite UFED supports multiple iOS extraction methods including advanced logical (equivalent to encrypted backup), filesystem (via checkm8 or agent), and full filesystem extraction.

Elcomsoft iOS Forensic Toolkit provides checkm8-based extraction, advanced logical acquisition, and agent-based filesystem extraction for iOS devices.

Open-source memory acquisition tool from the Rekall project. Captures full physical memory to a raw dump or AFF4 format.

Comae DumpIt performs a one-click memory dump by simply running the executable. Produces raw memory dumps compatible with all major analysis tools.

Free memory capture utility from Magnet Forensics. Provides a simple GUI for capturing physical memory from Windows systems.

Free memory capture tool from Belkasoft designed to reliably dump memory even from systems with active anti-dumping protections.

LiME is a loadable kernel module (LKM) that captures full physical memory from Linux systems. The gold standard for Linux memory acquisition.

Microsoft AVML is a portable memory acquisition tool for Linux that works without kernel module compilation. Uses /dev/crash or /proc/kcore as memory sources.

Extract physical memory through the /proc/kcore pseudo-file, which presents system memory as an ELF core dump. A last-resort method when dedicated tools are unavailable.

Kroll Artifact Parser and Extractor (KAPE) rapidly collects and optionally processes forensic artifacts from Windows systems using configurable target and module definitions.

Create a standalone Velociraptor offline collector executable that captures pre-defined forensic artifacts without requiring a server deployment.

CyLR is a free, open-source tool that rapidly collects forensic artifacts from Windows, macOS, and Linux systems with minimal footprint.

Build and deploy a Velociraptor offline collector for Linux to capture targeted forensic artifacts without server infrastructure.

UAC is a free, open-source tool designed specifically for collecting forensic artifacts from Unix-like systems including Linux, macOS, and BSD.

CyLR cross-platform triage collector for rapid forensic artifact collection from Linux systems.

AutoMacTC (Automated Mac Forensic Triage Collector) is a free tool that collects key forensic artifacts from macOS systems including logs, user activity, persistence mechanisms, and system configuration.

mac_apt is a forensic tool for processing macOS and iOS artifacts. It can work on live systems, disk images, or individual artifact files to extract and parse forensic data.

Lightweight shell-based triage collection script for macOS that gathers system logs, user artifacts, persistence mechanisms, and network configuration.

Amnesty International MVT checks Android devices and ADB backups for indicators of compromise from known mobile spyware like Pegasus.

AndroidQF is a portable tool for quick forensic acquisition of Android devices via ADB, collecting packages, services, settings, and filesystem data.

Trigger and collect a sysdiagnose log bundle from iOS, which contains extensive diagnostic data including process lists, network connections, crash logs, and system statistics.

Use Velociraptor server with deployed agents to remotely collect forensic artifacts, run VQL queries, and perform live response across the enterprise.

Magnet AXIOM Cyber enables remote acquisition of Windows endpoints over the network, including targeted file collection, memory capture, and volatile data.

Google Rapid Response (GRR) is an open-source framework for remote live forensics. Agents deployed to endpoints allow analysts to collect artifacts and perform live analysis remotely.

Use Velociraptor with deployed Linux agents for remote forensic collection, live response, and threat hunting.

Create a remote forensic disk image by piping dd output over SSH to the forensic workstation. Works when physical access is not possible.

Magnet AXIOM Cyber supports remote acquisition of macOS endpoints, collecting targeted files, user artifacts, and system data over the network.

Deploy Velociraptor agents on macOS endpoints for remote forensic artifact collection, live response, and threat hunting.

Create an EBS volume snapshot of a Windows EC2 instance for forensic acquisition. The snapshot captures the full disk state at a point in time.

Create a managed disk snapshot of an Azure Windows VM for forensic acquisition using the Azure portal or CLI.

Create EBS volume snapshots of Linux EC2 instances for forensic acquisition and analysis.

Create persistent disk snapshots of GCP Compute Engine Linux instances for forensic analysis.

Acquire iCloud-synced data including iCloud Drive, Photos, Messages, Notes, and other synced content through Apple account access or legal process.

Acquire data synced to Google services including Gmail, Drive, Photos, Location History, Chrome data, and device backups through Google Account access or Takeout.

Acquire iCloud device backups which contain messages, photos, app data, and device settings. Available through Apple ID credentials, legal process, or forensic tools.

Acquire virtual machine disk files (VMDK) and memory snapshots from VMware ESXi or vSphere environments for forensic analysis.

Acquire virtual machine disk files (VHDX) and saved state from Microsoft Hyper-V environments for forensic analysis.

Export the complete filesystem of a running or stopped Docker container for forensic analysis using docker export.

Use docker cp to selectively copy specific files or directories from a container for targeted forensic collection.

Use Kubernetes checkpoint API or CRI-O checkpoint to capture a forensic snapshot of a running container including process state.